10.8 upgrade removes Casper Account Any Ideas?

msardes
New Contributor III

I have created an installer for 10.8.2 that seems to remove the Casper admin account after it is installed. I seem to remember someone else having this issue but I cannot find the thread. Does anyone have any idea how to fix this?

15 REPLIES 15

mm2270
Legendary Contributor III

If your Casper account is normally a hidden account, meaning it has a UID below 501, then the OS X upgrade removes hidden accounts that aren't generated and maintained by the operating system.

One workaround is to temporarily change the account's UID to above 501, upgrade the OS, then move it back to whatever UID it was set to before. That can be done with scripts. If you're not sure what the UID is now, on a system that hasn't been upgraded yet, do this in Terminal:

dscl . read /Users/yourcasperaccount UniqueID

That will spit out something like:

UniqueID: <UID>

where <UID> is the unique ID number.

Another option is to have the QuickAdd package reinstalled on any upgraded systems as part of the upgrade process itself. That will recreate the Casper account, assuming the package was configured to add it if not found.

rtrouton
Release Candidate Programs Tester

There's a thread for a similar issue here:
https://jamfnation.jamfsoftware.com/discussion.html?id=4890

I've got a post on how user accounts are handled in an upgrade:

http://derflounder.wordpress.com/2012/01/04/hidden-users-with-hidden-home-folders-not-migrated-when-...

zmbarker
Contributor

mm2270 - if you are going to change the UID to a temporary UID, you need to make sure you don't use a UID that is already in use. Is there a way to display a list of all UIDs currently in use from the terminal?

mm2270
Legendary Contributor III

@zmbarker -
Yes, true. I was glossing over a few details in my post, but you're correct that you would need to make sure not to assign it an ID that's already in use. Use this to see a numerical list in ascending order of all UIDs on the system-

dscl . list /Users UniqueID | awk '{print $NF}' | sort -g

If you want to see all visible account UIDs, meaning from 501 up to below 1000 (the directory service account range, like what AD uses), use this:

dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 {print $NF}' | sort -g

To assign the ID, you can either give it a pretty large number below 1000 to prevent it conflicting with any AD account, like 999, or, use a script to dynamically assign the new number.

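#!/bin/sh
# Highest UID currently in use in the visible local range (501-999)
LastUID=$( dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 {print $NF}' | sort -g | tail -1 )
# Next UID after it; start at 501 if no account is in that range yet
NewUID=$(( ${LastUID:-500} + 1 ))

echo "$NewUID"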

msardes
New Contributor III

Thanks Guys, I am working on a CS6 Deployment plan and will test this as soon as my brain clears.

msardes
New Contributor III

so I assume this would read

#!/bin/sh
LastUID=$( dscl . list /Users/username UniqueID | awk '$2 > 500 && $2 < 1000 {print $NF}' | sort -g | tail -1 )
NewUID=$(( $LastUID + 1 ))

echo $NewUID

Does it matter what the current UUID is, i.e. some are 102 and some are 80?

mm2270
Legendary Contributor III

I'm a little reluctant to do more on this since it may not be the best method for preventing the account from being deleted. Have you looked at Rich Trouton's links above? I didn't really look, but generally speaking you can't go wrong with the methods he comes up with to get around issues like these.

That said, to answer your question, yes, it does matter and you'll need to store the current hidden Casper account's UID to use in a dscl command to change it to a new one, if you intend on doing it this way. My script above was simply an example of how to generate a new UID to use, but doesn't cover how it would be applied.
The general syntax would be something like: dscl . change /Users/yourcasperaccount UniqueID <oldUID> <newUID>

Getting the hidden account's current ID ( <oldUID> ) could be done like:

dscl . read /Users/yourcasperaccount UniqueID | awk '{print $NF}'

Hope that helps.
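The temporary UID move discussed in the replies above, as an added example that is not part of any poster's reply: it picks the lowest unused UID in 501-999 (more general than "highest + 1", which can run past 999) and prints the two `dscl . change` commands rather than running them. The account name `casperadmin`, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: plan the temporary UID move without touching the system.
# The account name "casperadmin" and all function names are hypothetical.

# Constructed sample of `dscl . list /Users UniqueID` output.
SAMPLE_LIST='_www                    70
casperadmin             80
root                    0
localuser               501
designer                502
tempadmin               999'

# Read "name uid" lines on stdin; print the lowest unused UID in 501-999.
# Exit status 1 means every UID in that range is already taken.
next_free_uid() {
    awk '
        { used[$NF] = 1 }
        END {
            for (uid = 501; uid < 1000; uid++)
                if (!(uid in used)) { print uid; exit 0 }
            exit 1
        }'
}

# Print one account's UID from the same listing; prints nothing if absent.
uid_of() {
    awk -v name="$1" '$1 == name { print $NF }'
}

# Print the commands to run before and after the upgrade; runs nothing.
plan_uid_move() {
    account=$1
    listing=$2
    old=$(printf '%s\n' "$listing" | uid_of "$account")
    [ -n "$old" ] || { echo "no such account: $account" >&2; return 1; }
    new=$(printf '%s\n' "$listing" | next_free_uid) ||
        { echo "no free UID in 501-999" >&2; return 1; }
    echo "before upgrade: dscl . change /Users/$account UniqueID $old $new"
    echo "after upgrade:  dscl . change /Users/$account UniqueID $new $old"
}

# On a Mac, pass "$(dscl . list /Users UniqueID)" instead of the sample.
plan_uid_move casperadmin "$SAMPLE_LIST"
```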

rtrouton
Release Candidate Programs Tester

In the post above, my main suggestion was to reinstall using the agent installer. However, there is a way to automate the installation of a Casper QuickAdd as part of an OS upgrade, which should also add back your Casper user account, if you're using Greg Neagle's createOSXinstallPkg to create your OS installer.

I've built an installer package called First Boot Package Install.pkg, which is designed for use with createOSXinstallPkg. It's designed as a delivery mechanism for installer packages that can't run properly in the OS X install environment. The details are in the post below:

http://derflounder.wordpress.com/2013/05/13/first-boot-package-install-pkg/

josaxo
New Contributor

Perhaps not the most efficient approach, but I simply created a policy that recreates the casper admin accounts for all machines that are 10.8.x - scoped via smart group.

TimT
Contributor

@rtrouton
Hey Rich, I am using your awesome First Boot Package Install.pkg which is taking care of management accounts, java and flash etc. I am attempting to run a shell script to finish off which replaces User Template which gets nuked in the upgrade some other stuff and also trigger a post upgrade policy in the JSS but it doesn't appear to be working. I have created a dummy package in Composer and attached the script as postflight then adding it into the final fb_installer folder however it's not being applied. I am most likely doing this incorrectly. Any suggestions on how to run this final script in your workflow?

Thanks T

rtrouton
Release Candidate Programs Tester

@TimC,

Can you post the script? Payload-free packages should work fine with First Boot Package Install.pkg.

TimT
Contributor

@rtrouton

Thanks Rich. I am running this as a post flight script after the payload-free package has run.
Script is as follows:

#!/bin/sh

sudo rm -Rf "/System/Library/User Template/English.lproj"
sudo mv /Volumes/Users/English.lproj "/System/Library/User Template"

sudo /usr/sbin/chown -Rv adminacc1 /var/adminacc1
sudo /usr/sbin/chown -Rv adminacc2 /var/adminacc2

sudo defaults write "/System/Library/User Template/Non_localized/Library/Preferences/com.apple.SetupAssistant" DidSeeCloudSetup -bool TRUE
defaults write "/System/Library/User Template/Non_localized/Library/Preferences/com.apple.SetupAssistant" LastSeenCloudProductVersion -string '10.8.3'

/usr/sbin/jamf policy -trigger postupgrade

exit 0

Cheers
T

rtrouton
Release Candidate Programs Tester

@TimC,

It may be that the package isn't running the script. I have a post on how to build a payload-free package with Apple's pkgbuild tool available here:

http://derflounder.wordpress.com/2012/08/15/creating-payload-free-packages-with-pkgbuild/

Try rebuilding your package using this method and see if your scripted tasks now work. Since the script will be running with root privileges, you shouldn't need to use sudo as part of the script.

TimT
Contributor

@rtrouton

Nice. Thanks Rich, I'll give it a whirl..

Cheers
T

themacdweeb
Contributor

i'm a big fan of CLI to simply re-create the account that the OSX Installation breaks. here's the code i use and - before you give me a hard time about sending a password in cleartext - remember, these machines have all admin passwords changed by a policy within 15 minutes and then re-enforced on a regular basis.

script also provides variables so that you can:
1) specify the UID
2) specify where the script logs itself

enjoy

#!/bin/sh

# script assumes a hidden account with UID 405.
# you can change this to any sub500 account number you like

# ---------------------------------------------------------
# variables & directories
# ---------------------------------------------------------
#--- assignments
SCRIPTNAME=$0
user405=HiddenAdminAccount
login="/Library/Preferences/com.apple.loginwindow"

#--- Set Logging
exec >> "/Library/Logs/YourLogDirectory.log" 2>&1


#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   "
echo "###################################"
echo "##### $SCRIPTNAME"
echo "##### `date "+%A %m/%d/%Y %H:%M"`"
echo "###################################"
echo "                                   "


echo "
# ---------------------------------------------------------
#  ---------------------- FIXES --------------------------
# ---------------------------------------------------------"

echo ""
echo ">>>>>>>>  CREATE ARD ACCOUNT"
dscl . -create "/Users/$user405"
dscl . -create "/Users/$user405" realname "${user405}"
dscl . -create "/Users/$user405" NFSHomeDirectory "/private/var/$user405"
dscl . -create "/Users/$user405" PrimaryGroupID 405
dscl . -create "/Users/$user405" UniqueID 405
dscl . -create "/Users/$user405" shell /bin/bash
dscl . -passwd "/Users/$user405" YourPasswordHere
dscl . -append /Groups/admin GroupMembership "$user405"
# the account needs its UID set before chown can resolve the name;
# recreate the home folder in case the upgrade removed it
mkdir -p "/private/var/$user405"
chown -R "$user405" "/private/var/$user405"
defaults write "$login" Hide500Users -bool TRUE  ### hides this user from user list and user switching
defaults write "$login" HiddenUsersList -array-add "$user405" ### hides this user from login screen