Posted on 03-11-2019 04:07 PM
So on my computers, I have the following script creating a hidden user account:
jamf createAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant
I am trying to reveal this account and unhide it, so users can actually change the password easily.
What is the best way to go about it?
What I almost have working is to simply delete this account using a similar script:
jamf deleteAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant
And then have it recreated using the Local Account Payload under a policy, as an Admin account, same name.
Only problem is, it will unlock everything except Users & Groups. On some machines, it tells me it needs to be part of a "Special Use" Group, some machines say it needs to be part of Sudoers group. User is able to log out and log in as Admin and set password that way, but still unable to unlock Users & Groups pane. They can unlock any other pane though.
Really appreciate you saving me here fellas, thanks!
Posted on 03-12-2019 08:13 AM
Any help would be appreciated
Posted on 03-12-2019 08:23 AM
So if I understand correctly, you create an admin user, but it doesn't have admin rights to alter users and groups?
If you run:
dscl . -read /groups/admin GroupMembership
is the account in the admin group according to dscl?
If not, you can try running:
dscl . -append /groups/admin GroupMembership "$USERNAME"
and see if that gives the account full admin rights
Posted on 03-12-2019 08:32 AM
Unfortunately, I've tried that already.
Is there an easier way to simply reveal a hidden account that was created in the fashion I illustrated above?
Posted on 03-12-2019 08:52 AM
Following... I only know about the IsHidden dscl command to hide and unhide.
Posted on 03-12-2019 08:53 AM
Tried that already :/
Posted on 03-12-2019 08:58 AM
Maybe moving the home directory to /Users
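The three things raised in the replies above (admin group membership via dscl, the IsHidden attribute, and the home directory location) can be read in one pass. This is an added example, not part of any post in this thread; the function names and the "ladmin" account name are assumptions, and it assumes macOS dscl output of the form "Key: value".

```shell
#!/bin/sh
# Added example: read-only audit of one local macOS account.
# Assumes dscl prints attributes as "Key: value" on a single line.

# Succeeds if USER is listed directly in the admin group
# (membership through nested groups is not resolved here).
in_admin_group() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        tr ' ' '\n' | grep -Fqx -- "$1"
}

# Succeeds if the account's IsHidden attribute is set to a true value.
is_hidden() {
    v=$(dscl . -read "/Users/$1" IsHidden 2>/dev/null | sed 's/^IsHidden: *//')
    case "$v" in 1|YES|yes|true) return 0 ;; *) return 1 ;; esac
}

# Prints the account's home directory path.
home_of() {
    dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null |
        sed 's/^NFSHomeDirectory: *//'
}

# Prints one line per check; returns non-zero if any finding differs
# from a visible admin account with its home under /Users.
audit_account() {
    u=$1; rc=0
    if in_admin_group "$u"; then echo "admin group: member"
    else echo "admin group: NOT a member"; rc=1; fi
    if is_hidden "$u"; then echo "IsHidden: set"; rc=1
    else echo "IsHidden: not set"; fi
    h=$(home_of "$u")
    case "$h" in
        /Users/*) echo "home: $h" ;;
        *) echo "home: ${h:-unknown} (outside /Users)"; rc=1 ;;
    esac
    return "$rc"
}

# Usage: sh audit.sh ladmin   ("ladmin" is a placeholder account name)
[ "$#" -eq 0 ] || audit_account "$1"
```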
Posted on 03-12-2019 09:08 AM
How do you guys handle Admin? Cause I'm trying to make a case to promote my users to Admin instead of using a separate Admin account.
Posted on 03-12-2019 09:15 AM
@danny.gutman In a previous role, we had elevated accounts for users that needed admin rights, username.pc as an example. I also used LAPS for Mac for techs needing to log in as an admin on that seat; the username was the same but the password was different for each seat, stored in the JSS. Currently, we have some admins, but for those that aren't, we can give them temporary admin rights to their account upon approved request.