Advanced Search for Local Admin Accounts on MacBooks

ADurg
New Contributor

I'm relatively new to using JAMF and I've looking around at the community posts but I haven't found an existing post that answers this. I'm trying to create a search criteria using the Extension Attribute function which would work for an Advanced Computer Search that'd allow me to check if a Local User Account on a MacBook has admin rights or not.

When I check an individual device I can see a field under Local User Accounts that has a Yes or No to indicate if the local account has admin rights or not but I'm not having any luck with trying to create a filter for this so I can see which devices have admin accounts.

Any assistance with this would be appreciated.

4 REPLIES 4

pete_c
Contributor III

This is still a very straightforward method:

Create a new EA:

groupmember=$(dscl . -read Groups/admin GroupMembership | cut -c 18- | sed -E -e 's/(root|yourjamfmanagementaccount)//g')
echo "<result>$groupmember</result>"

Then create a new Smart Group leveraging that EA. Remember that the group membership will only be recomputed after a recon is run on the device.

original: https://community.jamf.com/t5/jamf-pro/how-to-find-all-the-local-users-with-admin-right-or-not/m-p/1...

ScottEKendall
New Contributor

Here is the snippet that I have used:

 

#!/bin/zsh

declare -a adminUsers
declare -a result

function join { local IFS="$1"; shift; echo "$*"; }
function members { dscl . -list /Users | while read user; do printf "$user "; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; }

adminUsers=$( members "staff" )
result=$(join , ${adminUsers[@]})

echo "<result>$result</result>"

ADurg
New Contributor

Thank you both! I'll give these a try and report back, I appreciate the help with this.

byrnese
New Contributor III

We do something similar but have an array of excluded accounts. That way we can create a Smart Group based upon the EA, that will automatically deploy a script to remove admin rights, again excluding our admin accounts, since we are a zero trust environment.