Casper report?

ImAMacGuy
Valued Contributor II

Is it possible to generate a report on who has admin rights on their
machines?

John Wojda

Lead System Engineer, DEI & Mobility

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead DEI: Matt Beiriger

Team Lead Mobility: Chris Sta Ana

Mac Tip/Tricks/Self Service & Support
<http://bit.ly/gMa7TB>


tlarkin
Honored Contributor

http://www.casperadmins.com/index.php?threads/detect-local-admin-script-extension-attribute.16/

#!/bin/bash
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# grab user accounts above UID 500 (local, non-system accounts)
UserList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')

for u in ${UserList} ; do
    # -w matches the whole account name, so "bob" does not also match "bobby"
    if [[ $(dscl . read /Groups/admin GroupMembership | grep -cw "$u") -eq 1 ]]; then
        echo "<result> $u is admin </result>"
    else
        echo "$u is not an admin"
    fi
done

exit 0

Matt
Valued Contributor

Same script I use. It's perfect!

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST

ImAMacGuy
Valued Contributor II

I posted back on the site: is that an MCX or a script? If it's an MCX I
guess I am unsure how to enter the data into Casper 8.1. I think in 8.0 when
you clicked array (?) it provided a box to insert the data, but in 8.1 I
didn't see that?

tlarkin
Honored Contributor

It is just an extension attribute script

myronjoffe
Contributor III

I enabled the above extension attribute yesterday but it's not doing what it should be doing... Any ideas?

see screenshot - external image link

mm2270
Legendary Contributor III

You could try using 'dseditgroup' to grab the admin or not admin status of a user account instead of dscl. Although they both should work the same, Apple recommends using dseditgroup now when looking up or making changes to account group memberships. Maybe you'll get better results.

myronjoffe
Contributor III

Thanks will give that a go...

myronjoffe
Contributor III

That didn't work...

But I'm now using a workaround.
Extended Attribute:

#!/bin/bash
adminAccts=$(dscl . -read /Groups/admin | awk '/GroupMembership/ { print NF-1; }')
echo "<result>${adminAccts}</result>"

This will do a count of admins on a machine and display the total. Any count over 3 and I'll know there is an admin on the machine that shouldn't be there. Not my ideal solution but a workaround nonetheless.

Any idea how to create an Extended Attribute that checks the currently logged in user is an admin?

sean
Valued Contributor

@myronjoffe your original script didn't work because, from the picture, there appears to be no space between the square bracket and the start of the command:

if [[`dscl

should read

if [[ `dscl

There's loads of ways to work out if someone is an admin; you've already used one with dscl and GroupMembership. You could also play with 'id':

id [username] | tr "," "\n" | grep "(admin)"

myronjoffe
Contributor III

Thanks for that Sean, now working...

tlarkin
Honored Contributor

Hey Everyone,

When Casper runs a script it runs it as root, so you usually need a different mechanism to detect who is currently logged in. There are many different ways to detect who owns /dev/console. You can use ls with awk or with cut (the Jared Nichols way is cut!), or you could use the stat command. If running it at login you can use the built-in parameter from an Apple OS X login hook, $1, or from Casper, $3.

When you create a smart group off of an extension attribute you need to make sure you put in the exact string inside the <result> brackets as the string you are searching for. So, if you echo out "has admin," you need to put "has admin" as the string for the extension attribute. EAs are run at inventory updates, so either a full recon, or via the framework. If you set your framework to update inventory once a week or once a day, that is how often it will update.

Also, a lot of these older scripts I wrote from the mailing list days were actually for dummy receipts, which predate extension attributes. You need to remove the exit status from the extension attribute. When I wrote these scripts and had dummy receipts in place in older versions of Casper I never updated them to extension attributes because I never had time to go in and recreate them, plus the dummy receipt system was working for me at the time. Extension attributes are definitely way more robust and effective though.

Can you please post the entire work flow of your extension attribute? Another caveat is that I wrote almost all of my directory services scripts in dscl, because I would test them in dscl in interactive mode. I think the safer and more efficient route would be to use dseditgroup and test for membership that way.

Thanks,
Tom
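Pulling the thread's advice together (detect the console owner since the EA runs as root, prefer dseditgroup over parsing dscl, emit one exact <result> string, no exit statement), here is an added example extension attribute. It is not code from the thread; it assumes macOS with dscl, dseditgroup and /dev/console, and the GroupMembership line used in the membership check is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: extension attribute reporting whether the
# user at the console is a local admin. Assumes macOS (dscl, dseditgroup, /dev/console).
PATH=/usr/bin:/bin:/usr/sbin:/sbin; export PATH

# Jamf runs EAs as root, so ask who owns /dev/console rather than trusting $USER.
console_user() {
    if [ "$(uname)" = Darwin ]; then
        stat -f '%Su' /dev/console 2>/dev/null || true
    fi
}

# Whole-word test against a "GroupMembership: root admin bob" line (constructed
# input in the tests). Avoids the grep -c pitfall where "bob" also hits "bobby".
is_member_of_line() {   # $1 = username, $2 = GroupMembership line
    local u="$1" line="$2" member
    for member in ${line#GroupMembership:}; do
        [ "$member" = "$u" ] && return 0
    done
    return 1
}

# Prefer dseditgroup (what Apple recommends, as noted above); fall back to dscl.
is_admin() {   # $1 = username
    if command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
    else
        is_member_of_line "$1" "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)"
    fi
}

# Exactly one <result> line; the smart group criterion must match this string verbatim.
ea_result() {   # $1 = console user (may be empty), $2 = yes|no
    case "$1" in
        ""|root|_mbsetupuser|loginwindow) echo "<result>No console user</result>" ;;
        *) [ "$2" = yes ] && echo "<result>$1 is admin</result>" \
                          || echo "<result>$1 is not admin</result>" ;;
    esac
}

main() {
    local u; u=$(console_user)
    if [ -n "$u" ] && is_admin "$u"; then ea_result "$u" yes; else ea_result "$u" no; fi
}

main   # no exit statement: Jamf reads the <result> text, not an exit code
```

At the login window, or on a box where nobody owns /dev/console, the EA reports "No console user" so a smart group keyed on "is admin" does not misfire.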