Posted on 05-12-2011 12:16 AM
Is it possible to generate a report on who has admin rights on their
machines?
John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead DEI: Matt Beiriger <mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Team Lead Mobility: Chris Sta Ana <mailto:cstaana at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Mac Tip/Tricks/Self Service & Support
<http://bit.ly/gMa7TB>
Posted on 05-12-2011 12:52 AM
http://www.casperadmins.com/index.php?threads/detect-local-admin-script-extension-attribute.16/
#!/bin/bash
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH
# grab user accounts above UID 500 (local, non-system accounts)
UserList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')
# the admin group's membership comes back as one line: "GroupMembership: root admin ..."
AdminMembers=$(dscl . read /Groups/admin GroupMembership)
for u in ${UserList} ; do
# -w matches the whole name only, so "bob" is not counted as an admin just because "bobby" is one
if [[ $(echo "${AdminMembers}" | grep -c -w "${u}") == 1 ]]
then echo "<result> $u is admin </result>"
else echo "$u is not an admin"
fi
done
exit 0
Posted on 05-12-2011 01:20 PM
Same script I use. It's perfect!
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Posted on 05-13-2011 06:26 AM
I posted back on the site: is that an MCX or a script? If it's an MCX, I
guess I am unsure how to enter the data into Casper 8.1; I think in 8.0 when
you clicked array (?) it provided a box to insert the data, but in 8.1 I
didn't see that?
Posted on 05-13-2011 10:21 AM
It is just an extension attribute script
Posted on 04-27-2012 01:11 AM
I enabled the above extension attribute yesterday but it's not doing what it should be doing... Any ideas?
see screenshot - external image link
Posted on 04-27-2012 07:23 AM
You could try using 'dseditgroup' to grab the admin or not admin status of a user account instead of dscl. Although they both should work the same, Apple recommends using dseditgroup now when looking up or making changes to account group memberships. Maybe you'll get better results.
Posted on 04-27-2012 08:46 AM
Thanks will give that a go...
Posted on 04-30-2012 04:59 AM
That didn't work...
But I'm now using a workaround.
Extended Attribute:
#!/bin/bash
adminAccts=$(dscl . -read /Groups/admin | awk '/GroupMembership/ { print NF-1; }')
echo "<result>${adminAccts}</result>"
This will do a count of admins on a machine and display the total. If the count is over 3, I'll know there is an admin on the machine that shouldn't be there. Not my ideal solution, but a workaround nonetheless.
Any idea how to create an Extended Attribute that checks the currently logged in user is an admin?
Posted on 04-30-2012 04:43 PM
@myronjoffe your original script didn't work because from the picture there appears to be no space between the square bracket and the start of the command
if [[`dscl
should read
if [[ `dscl
There's loads of ways to work out if someone is an admin, you've already used one with dscl and groupmembership. You could also play with 'id'
id [username] | tr "," "\n" | grep "(admin)"
Posted on 05-01-2012 02:08 AM
Thanks for that Sean, now working...
Posted on 05-01-2012 09:02 PM
Hey Everyone,
When Casper runs a script it runs it as root, so you usually need a different mechanism to detect who is currently logged in. There are many different ways to detect who owns /dev/console. You can use ls with awk or with cut (the Jared Nichols way is cut!), or you could use the stat command. If running it at login you can use the built-in parameter from an Apple OS X login hook of $1, or Casper's $3.
When you create a smart group off of an extension attribute you need to make sure you put in the exact string inside the <result> brackets as the string you are searching for. So, if you echo out "has admin," you need to put "has admin," as the string for the extension attribute. EAs are run at inventory updates, so either a full recon, or via the framework. If you set your framework to update inventory once a week or once a day, that is how often it will update.
Also, a lot of these older scripts I wrote from the mailing list days were actually for dummy receipts, which predate extension attributes. You need to remove the exit status from the extension attribute. When I wrote these scripts and had dummy receipts in place in older versions of Casper I never updated them to extension attributes because I never had time to go in and recreate them, plus the dummy receipt system was working for me at the time. Extension attributes are definitely way more robust and effective though.
Can you please post the entire work flow of your extension attribute? Another caveat is that I wrote almost all of my directory services scripts in dscl, because I would test them in dscl in interactive mode. I think the safer and more efficient route would be to use dseditgroup and test for membership that way.
Thanks,
Tom
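Pulling the thread's pieces together (the admin-group check from the first script, Sean's point that a plain grep on the GroupMembership line does substring matching, and Tom's notes on finding the /dev/console owner while running as root, preferring dseditgroup, and emitting one fixed <result> string a smart group can match exactly), here is an added example that is not code from any poster in this thread. The approved-admin names and the EA_MODE switch are assumptions, and the dscl/ls output at the bottom is constructed; on a Mac the script queries dscl, ls -l /dev/console and dseditgroup, anywhere else it falls back to the constructed sample so the parsing logic can still be exercised.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Two extension-attribute values built from the same helpers:
#   EA_MODE=unapproved (default): local admin accounts not on an approved list
#   EA_MODE=console: whether the user who owns /dev/console is a local admin
# Assumptions: the approved-admin names are placeholders; the sample dscl/ls
# output near the bottom is constructed for running this off a Mac.
PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH

APPROVED_ADMINS="root admin localadmin"   # placeholder allowlist (assumption)
EA_MODE="${EA_MODE:-unapproved}"

# Print the members of a "GroupMembership: a b c" line one per line.
# Splitting on whitespace yields exact names, so "bob" never matches "bobby"
# the way `grep -c $u` over the whole line does.
admin_members() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Exit 0 if $1 is exactly one of the space-separated words in $2.
in_list() {
    needle="$1"; shift
    for item in $1; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# Space-separated admins not on the approved list $2; empty when all are approved.
unapproved_admins() {
    out=""
    for m in $(admin_members "$1"); do
        in_list "$m" "$2" || out="${out:+$out }$m"
    done
    printf '%s' "$out"
}

# Owner of /dev/console from `ls -l /dev/console` output (third field).
# EA scripts run as root, so this is how the logged-in user is found.
console_user_from_ls() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Exit 0 if user $1 is in the admin group. On a Mac ask dseditgroup, Apple's
# supported membership query (exit status 0 means member); elsewhere, or if it
# is missing, fall back to the parsed GroupMembership line passed in $2.
console_is_admin() {
    if [ "$(uname)" = "Darwin" ] && command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
    else
        in_list "$1" "$(admin_members "$2" | tr '\n' ' ')"
    fi
}

# Exactly one <result> per EA, with fixed strings so a smart group can match
# the "all clear" value with "is" instead of a substring search.
unapproved_result() {
    if [ -z "$1" ]; then printf '<result>No unapproved admins</result>\n'
    else printf '<result>Unapproved admins: %s</result>\n' "$1"; fi
}
console_result() {
    printf '<result>%s is %s</result>\n' "$1" "$2"   # $2 is "admin" or "not admin"
}

# Constructed sample output, used only when this is not run on a Mac.
SAMPLE_MEMBERSHIP="GroupMembership: root admin localadmin bob bobby"
SAMPLE_LS="crw--w---- 1 alice tty 16, 0 May 1 09:00 /dev/console"

if [ "$(uname)" = "Darwin" ]; then
    membership=$(dscl . read /Groups/admin GroupMembership)
    console_ls=$(ls -l /dev/console)
else
    membership="$SAMPLE_MEMBERSHIP"; console_ls="$SAMPLE_LS"
fi
user=$(console_user_from_ls "$console_ls")
case "$EA_MODE" in
    console)
        if console_is_admin "$user" "$membership"; then console_result "$user" "admin"
        else console_result "$user" "not admin"; fi ;;
    *)  unapproved_result "$(unapproved_admins "$membership" "$APPROVED_ADMINS")" ;;
esac
```

Because the JSS does not pass environment variables to an EA, the practical way to get both values is to paste the script into two extension attributes and change the EA_MODE default line to console in the second one. With the constructed sample the default mode reports "Unapproved admins: bob bobby", and the console mode reports "alice is not admin".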