Posted on 08-04-2010 10:41 AM
After re-imaging a computer, what is the best way to automagically add an account to the computer?
I tried using the "run once per computer" policy. But it only runs once per computer. That is, if you re-image the computer again it doesn't run a second time.
Ongoing doesn't work, because it fails (and sends off an email) because the account already exists.
Michael Bond
Professional Technologist
WVU Libraries
Office.: 304-293-0340
Cell....: 304-282-0640
Email.: Michael.Bond at mail.wvu.edu
Posted on 08-04-2010 12:40 AM
I have post image scripts that do this:
# now proceed with local accounts
# set all desired names and passwords within the quotes
admin1_long="Hidden Administrator"
admin1_short="hadmin"
admin1_passwd="password"
# info for local admin account 2 to give to users who need ARD access
admin2_long="ARD Viewer"
admin2_short="ardview"
admin2_passwd="password"
# if root account will be enabled, set password here
root_passwd="password"
# set the firmware password here
FirmWarePW="password"
then later on these are called in the script to do this:
# now create accounts
/usr/sbin/jamf createAccount -username "$admin1_short" -realname "$admin1_long" -password "$admin1_passwd" -home "/private/var/$admin1_short" -shell "/bin/bash" -hiddenUser -admin
/bin/sleep 5 # allow some time between accounts to ensure they create properly
/usr/sbin/jamf createAccount -username "$admin2_short" -realname "$admin2_long" -password "$admin2_passwd" -home "/private/var/$admin2_short" -shell "/bin/bash" -hiddenUser -admin
/bin/sleep 5 # allow some time between accounts to ensure they create properly
# now enable root
/usr/sbin/dsenableroot -u "$admin1_short" -p "$admin1_passwd" -r "$root_passwd"
/bin/echo "done creating local accounts"
No issues at all on my macs
-Tom
Posted on 08-04-2010 12:52 AM
+1 to the jamf createAccount commands mentioned earlier..
Just wanted to point out that when you re-image, run jamf flushPolicyHistory & it will flush the policy history meaning that those policies that run once run again.
Posted on 08-04-2010 11:05 AM
Is this a secondary account apart from the management account you can
create at imaging time?
I didn't see anything in the Resource Kit for creating a new account, but
you could create a script to do this and add it as part of a package. The
downside is that you'll need to store the account's password in the
script. You'll probably want to look at the dscl command. This page gives
a pretty good run-through:
<http://osxdaily.com/2007/10/29/how-to-add-a-user-from-the-os-x-command-line-works-with-leopard/>.
Are you using any sort of Directory Services?
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 08-04-2010 11:14 AM
Check out instadmg's createuser.pkg file (I can send you if you like).
It gives you quite a few options for user account creation including the ability to "hash" the password so you don't send clear text.
John Wojda
Lead System Engineer, CTS
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
SMS / Text Page: 2245873298
Team Lead: Chris Sta Ana
Posted on 08-04-2010 11:15 AM
You can also create the account when you are imaging.
On Aug 4, 2010, at 1:05 PM, Smith, William wrote:
Open Casper imaging
Click the advanced icon in the upper left, some tabs show up now - select accounts.
We like to do it at imaging time because Casper lets you select the home folder destination.
We have a secondary partition for the Users Data.
You might have to log in as the user created on your OS image, then log out in order to see the account created at imaging.
Thanks
Dan
Posted on 08-04-2010 11:26 AM
You can also do it with a "Post Imaging" script that is set to run at reboot
during imaging. I use this method to add users and to configure things like
disabling IPv6, setting other network prefs, etc. You can use the jamf
binary to do it:
# Create a hidden ARD user
ardUser_long="ARD User"
ardUser_short="arduser"
ardUser_passwd="password"
/usr/sbin/jamf createAccount -username "$ardUser_short" -realname "$ardUser_long" -password "$ardUser_passwd" -home "/private/var/$ardUser_short" -shell "/bin/bash" -hiddenUser -admin
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 08-04-2010 11:31 AM
I use instadmg for creating all our base images, however I have had mixed results with the createuser package. Many times the account is not correctly added to the admin group, or the profile for the account was created with the wrong permissions. If you use createuser... do lots of testing first.
Posted on 08-04-2010 11:34 AM
Hmm. We've been using it w/o problems. The only thing we have to be
wary of is our packages that we didn't remove data from the local admin
account under users, so it would unhide them.
But as we identify packages with our testing that do that we remove the
data and it never bothers us again.
John Wojda
Lead System Engineer, CTS
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
SMS / Text Page: 2245873298
Team Lead: Chris Sta Ana
Posted on 08-04-2010 11:50 AM
Thaaaaat's what I was remembering. Not a Resource Kit thing at all.
On 8/4/10 1:26 PM, "Steve Wood" <swood at integer.com> wrote:
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 08-04-2010 01:01 PM
Hi Folks,
Related to this, I do typically use At Reboot scripts to create accounts on
a box after imaging is done. Using the same command already mentioned:
ardUser_long="ARD User"
ardUser_short="arduser"
ardUser_passwd="password"
/usr/sbin/jamf createAccount -username "$ardUser_short" -realname "$ardUser_long" -password "$ardUser_passwd" -home "/private/var/$ardUser_short" -shell '/bin/bash' -hiddenUser -admin
The other thing that someone mentioned is that this does not HASH the
password and there is an easy way to correct that.
On a testing box/partition:
- Run Casper Imaging
- Customize the config to just push down the OS
- UNCHECK to Reboot after imaging
- Go to the Accounts Tab and add the user account info that you want to use
- Let Casper imaging run
- When Imaging is finished on the imaged partition browse to:
- /Volumes/Macintosh HD/System/Library/StartupItems/FirstRun/
- Open up the FirstRun script and you can pull out the entire command that
will create this user that you can dump into a script, AND it will use
-passhash instead of -password in plain text. =)
I was also thinking you could have the JSS put the computer into a
particular group if it didn't find said account and then just add it with a
policy. There should be the ability to look for local accounts in the
Receipts Information section of a Smart Group. At imaging your system will
recon, this account won't exist, and that machine gets added to the Smart
Group to run the policy to add the account.
That's all I got today...
Craig E
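As an added example (not code from any poster in this thread or from JAMF), the check below audits a post-imaging script for the clear-text password handling raised above by William Smith and Craig E: literal password variables, -password instead of -passhash on jamf createAccount, and passwords passed as dsenableroot arguments. The function names, rule names and the embedded sample script are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag account secrets that a post-imaging
# script stores or passes in clear text. Rule names are this example's own.

audit_account_script() {    # $1 = script path; prints "line:RULE" per finding
    awk '
    function check(cmd, n,    name, val) {
        if (cmd ~ /^[ \t]*#/) return                    # comment line
        if (match(cmd, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/)) {
            name = tolower(substr(cmd, RSTART, RLENGTH - 1))
            val = substr(cmd, RSTART + RLENGTH)
            # password-like variable set to a literal, not "$VAR" or "$(cmd)"
            if (name ~ /pass|pw$/ && val != "" && val !~ /^"?\$/)
                print n ":LITERAL_SECRET"
        }
        if (cmd ~ /createAccount/ && (cmd " ") ~ /[ \t]-password[ \t]/)
            print n ":PLAINTEXT_FLAG"                   # -passhash not used
        if (cmd ~ /dsenableroot/ && cmd ~ /[ \t]-[pr][ \t]/)
            print n ":SECRET_IN_ARGV"                   # password on command line
    }
    {
        if (buf == "") start = NR                       # first line of a command
        line = $0
        if (sub(/\\$/, "", line)) { buf = buf line " "; next }   # continuation
        check(buf line, start); buf = ""
    }
    END { if (buf != "") check(buf, start) }
    ' "$1"
}

write_sample() {    # $1 = output path; constructed sample, placeholder values
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample modelled on the scripts posted in this thread
ardUser_short="arduser"
ardUser_passwd="password"
/usr/sbin/jamf createAccount -username "$ardUser_short" \
    -password "$ardUser_passwd" -home "/private/var/$ardUser_short" -admin
root_passwd="$ardUser_passwd"
/usr/sbin/dsenableroot -u "$ardUser_short" -p "$ardUser_passwd" -r "$root_passwd"
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_account_script "$sample"
rm -f "$sample"
```

The rules are review heuristics: a script with no findings can still leak a secret in ways the three patterns do not cover.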
Posted on 08-04-2010 01:20 PM
...yet another way to do it would be to create a policy that adds all user
accounts needed, triggered by a post reboot script.
Example:
/usr/sbin/jamf policy -action createaccounts
I just add the script to each of my configurations, and then at image time
that will call the policy and create the accounts.
That way if I ever need to add another account to a config, change password,
etc., I can easily modify that within the corresponding policy rather than
modify a script..
--
Jason Weber
Technology Support Cluster Specialist
Independent School District 196
jason.weber at district196.org
Posted on 08-04-2010 02:02 PM
Is there also a way to designate an account as admin after the fact, either
with a JAMF command or another scripting command? We are using Workgroup
Manager to create mobile accounts, but they all default to standard accounts
at first login. I'd like to change them to admin accounts.
Tatian
Posted on 08-04-2010 02:16 PM
We also do it this way for labs, etc. where it's a standard set of users.
It's just part of the reboot script. Install Sophos, install another couple
apps we can't install at image, run the create_users_labA.sh script and then
it's ready to go.
John
Posted on 08-04-2010 02:44 PM
You can set this up in the Autorun data as well. The one thing to remember
is that if you have any packages to install that populate the user's
directories, you have to install them after the actual imaging. I have a
Postflight policy that does this, with a custom trigger invoked by a simple
script after reboot:
----------------------------------------------------------
#!/bin/sh
# run Software Update
/usr/sbin/jamf policy -trigger Up2Date
# install User Preference pkgs
/usr/sbin/jamf policy -trigger UserPref
----------------------------------------------------------
Christopher Kemp
CNN-BEST
Central Engineering
Posted on 08-04-2010 02:52 PM
I'll bet you can do it with the jamf binary, but I know for certain you can
do it with dscl:
dscl . merge /groups/admin users <username>
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 08-04-2010 03:32 PM
Good point! Also keep in mind if you haven't logged into the account
all pref files, home directory and so forth are not created until first
log in, even on local accounts. So, if you need anything to be run as a
user, with user data populated you may have to script a log in. Which
is what I did using AppleScript invoked in my post image shell script.
Then I use custom trigger policies to trigger anything that needs to be
triggered with a valid user logged in.
Thanks
Tom
Posted on 08-04-2010 03:34 PM
Interesting what sort of stuff have you had to do this with?
Posted on 08-04-2010 03:38 PM
to add a user to the admin group do this as root
dscl . append /Groups/admin GroupMembership <username>
Replace <username> with the short name. To undo this, do this
dscl . delete /Groups/admin GroupMembership <username>
-Tom
Posted on 08-04-2010 03:40 PM
My add wireless package doesn't seem to work at the login window. I also install our mobile Internet filter client as well. I think we trigger a few other policies but off the top of my head I cannot remember them. Wrote that script 6 months ago and been working 65+ hour weeks right now.....gotta love the back to school madness!
Posted on 08-05-2010 09:44 AM
Thanks guys.
Ultimately, this is the script I settled on. I'm also running it when the user logs out to make sure everything is reset to default (these are public checkout laptops).
#!/bin/bash
USERNAME=shortname
FULLNAME="Long Name"
PASSWORD=abcd1234
HOME_DIR="/Users/$USERNAME"
SHELL=/bin/bash
JAMF_EXEC=/usr/sbin/jamf
# look for an exact match of the short name among the local users
CHECKNAME=$(dscl . -list /Users | grep -x "$USERNAME")
# if the account and its home directory exist, delete both
if [ "$CHECKNAME" = "$USERNAME" ]; then
    if [ -d "$HOME_DIR" ]; then
        "$JAMF_EXEC" deleteAccount -username "$USERNAME" -deleteHomeDirectory
    fi
fi
# recreate the account from scratch
"$JAMF_EXEC" createAccount -username "$USERNAME" -realname "$FULLNAME" -password "$PASSWORD" -home "$HOME_DIR" -shell "$SHELL"
Michael Bond
Professional Technologist
WVU Libraries
Office.: 304-293-0340
Cell....: 304-282-0640
Email.: Michael.Bond at mail.wvu.edu