Can't Unlock Users & Groups after Account Recreation!

danny_gutman
New Contributor III

So on my computers, I have the following script creating a hidden user account:

jamf createAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant

I am trying to reveal this account and unhide it, so users can actually change the password easily.

What is the best way to go about it?

What I almost have working, is to simply delete this account using a similar script:

jamf deleteAccount -username "$userName" -realname "$realName" -password "$password" -home /private/var/"$userName" -shell "$usershell" -picture "/Library/User Pictures/Fun/Ying-Yang.png" -admin -hiddenUser -suppressSetupAssistant

And then have it recreated using the Local Account Payload under a policy, as an Admin account, same name.

Only problem is, it will unlock everything except Users & Groups. On some machines, it tells me it needs to be part of a "Special Use" Group, some machines say it needs to be part of Sudoers group. User is able to log out and log in as Admin and set password that way, but still unable to unlock Users & Groups pane. They can unlock any other pane though.

Really appreciate you saving me here fellas, thanks!

8 REPLIES

danny_gutman
New Contributor III

Any help would be appreciated

hdsreid
Contributor III

So if I understand correctly, you create an admin user, but it doesn't have admin rights to alter users and groups?

If you run:
dscl . -read /groups/admin GroupMembership

is the account in the admin group according to dscl?

If not, you can try running:
dscl . -append /groups/admin GroupMembership "$USERNAME"

and see if that gives the account full admin rights

danny_gutman
New Contributor III

Unfortunately, I've tried that already.

Is there an easier way to simply reveal a hidden account that was created in the fashion I illustrated above?

JustDeWon
Contributor III

Following... I only know about the IsHidden dscl command to hide and unhide.
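The two checks suggested in the replies above (is the account actually in the local admin group per dscl, and is it still flagged IsHidden), plus the home-directory location, as one audit script. This is an added example, not code from the thread or from Jamf; the account name `svcadmin` and the sample dscl output are constructed for illustration, and the script only runs dscl itself when executed on macOS with a username argument. It reports what is wrong and which command would fix it; it does not diagnose the Users & Groups unlock failure itself.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a local macOS account:
#   1. is it a member of the local "admin" group (dscl GroupMembership)?
#   2. is it flagged IsHidden?
#   3. does its home live under /Users?
# Account name "svcadmin" and the sample dscl output below are constructed.

# Parse the "GroupMembership:" line of
#   dscl . -read /Groups/admin GroupMembership
# and return 0 if $2 is listed as a member (exact token match).
in_admin_group() {
    member_line=$1
    who=$2
    for m in $(printf '%s\n' "$member_line" | sed -n 's/^GroupMembership: *//p'); do
        [ "$m" = "$who" ] && return 0
    done
    return 1
}

# Extract one attribute value from "Key: value" style dscl -read output.
# Prints the value, or nothing if the key is absent.
dscl_attr() {
    output=$1
    key=$2
    printf '%s\n' "$output" | sed -n "s/^$key: *//p" | head -n 1
}

# Print one finding per line. Returns 0 only when the account is an
# unhidden admin whose home directory sits under /Users.
audit_account() {
    acct=$1
    group_out=$2
    user_out=$3
    rc=0
    if in_admin_group "$group_out" "$acct"; then
        echo "$acct: in admin group"
    else
        echo "$acct: NOT in admin group (fix: dseditgroup -o edit -a $acct -t user admin)"
        rc=1
    fi
    hidden=$(dscl_attr "$user_out" IsHidden)
    if [ "$hidden" = "1" ]; then
        echo "$acct: IsHidden=1 (fix: dscl . -create /Users/$acct IsHidden 0)"
        rc=1
    else
        echo "$acct: not hidden"
    fi
    home=$(dscl_attr "$user_out" NFSHomeDirectory)
    case $home in
        /Users/*) echo "$acct: home $home" ;;
        *)        echo "$acct: home '$home' is outside /Users"; rc=1 ;;
    esac
    return $rc
}

# On a Mac, given a username, query the directory for real; elsewhere (or with
# no argument) run against the constructed sample so the script still runs.
if [ "$(uname)" = Darwin ] && [ -n "$1" ]; then
    audit_account "$1" \
        "$(dscl . -read /Groups/admin GroupMembership)" \
        "$(dscl . -read "/Users/$1" IsHidden NFSHomeDirectory)" || :
else
    SAMPLE_GROUP='GroupMembership: root svcadmin'
    SAMPLE_USER='IsHidden: 1
NFSHomeDirectory: /private/var/svcadmin'
    audit_account svcadmin "$SAMPLE_GROUP" "$SAMPLE_USER" || :
fi
```

Run it as `sudo sh audit.sh "$userName"` on the affected Mac; the sample run shows the state the original createAccount call leaves behind (hidden, home under /private/var), which is exactly the pair of attributes the replies are probing.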

danny_gutman
New Contributor III

Tried that already :/

JustDeWon
Contributor III

Maybe moving the home directory to /Users

danny_gutman
New Contributor III

How do you guys handle Admin? Cause I'm trying to make a case to promote my users to Admin instead of using a separate Admin account.

JustDeWon
Contributor III

@danny.gutman, in a previous role we had elevated accounts for users that needed admin rights, username.pc as an example. I also used LAPS for Mac for techs needing to log in as an admin on that seat; the username was the same but the password was different for each seat and stored in the JSS. Currently, we have some admins, but for those that aren't, we can give them temporary admin rights to their account upon approved request.