Casper 9, generating report on which accounts have admin rights?

corbinmharris
Contributor

Hi folks, we have another security audit in which I need to show which users have admin rights on their Macs.

Under Local accounts, I can see the accounts on my Mac, but it doesn't show if the users have admin rights. Is there an attribute that can be set to show this? This is an immediate need and any help is appreciated.

Thanks!

Corbin


mm2270
Legendary Contributor III

Apparently the reporting on admin status for local accounts was removed as of version 9, as far as any of us can tell anyway. Haven't seen a way to bring that back. It simply doesn't show this information anymore in a computer's details.

I'm not clear if this was simply an oversight or if JAMF had information during development that led them to believe this was a little-used feature.
Either way, it would be good to see this come back in a future update.

I'm sorry to say that unless someone from JAMF chimes in with some secret way to see this data, it looks like your only real option for now may be to create an Extension Attribute that looks at all local accounts and determines admin status and returns a list of any that are admins.

vadanx
Contributor

I wrote this Extension Attribute to list the local user accounts and differentiate between admin accounts I expect and ones that are "non-standard", using Smart Groups to search for the non-standard string so I can catch up admin membership approvals with our Service Desk.

#!/bin/bash

# Local accounts, minus the system-level ones (underscore-prefixed, daemon, nobody, root, casperscreensharing)
localusers=`dscl . list /users | grep -v _ | grep -v daemon | grep -v nobody | grep -v root | grep -v casperscreensharing`
rm -f /tmp/localusers

for i in $localusers
do
    # checkmember tests the exact account name, so "admin" never matches "localadmin" or the group's own name
    if dseditgroup -n /Local/Default -o checkmember -m "$i" admin >/dev/null 2>&1; then
        if [[ "$i" != "jssadmin" && "$i" != "admin" ]]; then # WHERE I LIST MY SERVICE ADMIN ACCOUNTS
            echo "$i is a non-standard admin"
            echo "$i *admin - non-standard" >> /tmp/localusers
        else
            echo "$i is an admin"
            echo "$i *admin" >> /tmp/localusers
        fi
    else
        echo "$i is a standard user"
        echo "$i" >> /tmp/localusers
    fi
done

# The EA value is the whole file, one account per line
echo "<result>$(cat /tmp/localusers)</result>"

Andrew

Example:

Local Users: user_a *admin - non-standard
jssadmin *admin
admin *admin
user_b
user_c

ImAMacGuy
Valued Contributor II

how would I go about ignoring the local admin accounts? Basically, for these accounts, I don't want them to report...

if [[ "$i" != "jssadmin" && "$i" != "admin" ]];

But the other users I do want it reported on.

JPDyson
Valued Contributor

More "grep -v name" pipes... but be careful. You'll never get a name that contains "admin" if you grep -v admin. So, if your users have created a local admin with admin in the name (seen it; trust me, it happens) those would be excluded.

mm2270
Legendary Contributor III

Easily avoided by using ^ & $ surrounding the name, like this - grep -v ^admin$
Most people don't realize it, but grep supports beginning and end of line notations, so using it like above will avoid accidentally excluding accounts with names like "localadmin", "myadmin", "administrator" and such, and only match something with the exact name "admin".

Personally, I would not use so many grep -v pipes though. It gets unwieldy and is really unnecessary if you tailor the command properly. For example, maybe only look for accounts within a certain UID range to start off with so you don't need to exclude all those system level accounts.

vadanx
Contributor

If you want to completely ignore the accounts from the report to begin with, as @JPDyson says, do it like this, by grep -v and a pipe:

localusers=`dscl . list /users | grep -v _ | grep -v daemon | grep -v nobody | grep -v root | grep -v casperscreensharing | grep -v admin1 | grep -v admin2 | grep -v admin3`

etc

If you want to list more local admin accounts that are "standard admin accounts", then do it like this (adding to the if test):

if [[ "$i" != "admin1" && "$i" != "admin2" && "$i" != "admin3" && "$i" != "admin4" && "$i" != "admin5" ]]; then

Obviously both go back into the relevant line in the script.

Andrew

ImAMacGuy
Valued Contributor II

haha oh :) Yeah, good call. Thank you!

vadanx
Contributor

I personally don't mind sifting through "large" information as long as your output is accurate and doesn't affect the time the script takes to run. But @mm2270 is right about multiple greps being sloppy ;), you could use a simple regular expression to achieve the same effect:

localusers=`dscl . list /users | grep -vE '_|daemon|nobody|root|casperscreensharing'`

Andrew
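As an added example (not code from the thread), here is the UID-range idea mm2270 suggests combined with an exact-name membership check, in place of the grep -v chain and the grep -vE alternative above. The MIN_UID cutoff of 500 and the EXPECTED_ADMINS list are assumptions, and the sample account list is constructed so the classification can be exercised off a Mac.

```shell
#!/bin/bash
# Added example, not from the thread: report admin rights for local accounts by
# UID range with exact-name matching, instead of chaining grep -v pipes.
# Assumption: people's accounts have UID >= 500; everything below is system-level.
MIN_UID=500
EXPECTED_ADMINS="jssadmin admin"   # service accounts that are allowed to be admins
# Exact-name test: is "$1" one of the space-separated names in "$2"?
# "admin" matches only "admin", never "localadmin" or "administrator".
is_member() {
    local name="$1" member
    for member in $2; do
        [ "$member" = "$name" ] && return 0
    done
    return 1
}
# $1 = "name uid" lines, $2 = admin group members, $3 = expected admin names.
# Prints one line per account in range, tagged the same way as the EA above.
classify_users() {
    printf '%s\n' "$1" | while read -r name uid; do
        [ -n "$name" ] || continue
        [ "$uid" -ge "$MIN_UID" ] 2>/dev/null || continue   # skips system accounts
        if is_member "$name" "$2"; then
            if is_member "$name" "$3"; then echo "$name *admin"
            else echo "$name *admin - non-standard"; fi
        else
            echo "$name"
        fi
    done
}
# Live collection on a Mac. dscl lists "name uid" pairs; the group read shows
# direct members only (nested groups would need dseditgroup -o checkmember).
collect_users()  { dscl . -list /Users UniqueID; }
collect_admins() { dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership://' | tr '\n' ' '; }
# Constructed sample: a few system accounts plus four people, two of them admins.
SAMPLE_USERS='nobody -2
root 0
_mbsetupuser 248
admin 501
user_a 502
localadmin 503
user_b 504'
SAMPLE_ADMINS='root admin user_a'
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(classify_users "$(collect_users)" "$(collect_admins)" "$EXPECTED_ADMINS")</result>"
else
    classify_users "$SAMPLE_USERS" "$SAMPLE_ADMINS" "$EXPECTED_ADMINS"
fi
```

The underscore-prefixed setup account and nobody drop out by UID alone, so a person whose name contains an underscore (user_a) is no longer silently excluded the way grep -v _ would exclude it.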

ImAMacGuy
Valued Contributor II

Thank you all for your input, it seems to be working well now! I do have another dumb question: how can I make it so that each user is a separate line? Right now I get

user1 is an admin user2 is an admin user3 is an admin user4 is an

vadanx
Contributor

Is the spacing on the JSS page tight on the width? The EA is appending lines to a file, so it should not be word wrapping. Could you run the script and copy paste the contents of the file (/tmp/localusers) here?

Andrew

EDIT: Every way I look at it I can't recreate the problem you're having, could you copy paste your version of the Extension Attribute here?

ImAMacGuy
Valued Contributor II

I think it is the width of the EA http://sdrv.ms/1fIltFq, which complicates things I guess.