Solved

Create smart group based on if a machine has a hidden local user account



Last year I had a policy that created a hidden user account that was used by a single teacher to monitor her students via ARD. As of right now, the policy & script has been removed from our environment and I'm left with a handful of machines out there that have a hidden user called MONITOR. The account is hidden from Users & Groups, but its home folder is visible. Smart groups based on local user accounts do not seem to work if the account is hidden. Does anyone have a trick to getting machines into a smart group if they have a specific hidden account? Thanks and hope everyone has a great weekend!

Best answer by calumhunter

Yep, I'd use an extension attribute to test for the presence of the hidden account and return a true/false, and then create a smart group on that.


4 replies

  • Author
  • Contributor
  • 146 replies
  • June 14, 2014

So I noticed that under inventory collection I can include hidden system accounts. With that selection enabled, I was able to get machines into the smart group with the hidden admin account. Ideally I wouldn't have to see the 200+ hidden system accounts that reside on our machines by default... a custom script may be the only way to single out a specific hidden local user account.


  • New Contributor
  • 596 replies
  • Answer
  • June 14, 2014

Yep, I'd use an extension attribute to test for the presence of the hidden account and return a true/false, and then create a smart group on that.


mm2270
  • Legendary Contributor
  • 7881 replies
  • June 15, 2014

If the account is an actual valid account that was used and not just an orphaned home folder, then no matter how hidden it is, it will show up in dscl. Dscl sees everything, even if the home folder is tucked away in /private/var/
Further, if the account's UID is below 501, then you should be able to easily generate a list of sub 501 accounts and grep for "MONITOR"

#!/bin/bash

# Jamf extension attribute: list every local account whose UID is below 501
# (the range where hidden/system accounts normally live), then look for an
# exact, case-insensitive match on the name "MONITOR".
if [[ -n $(dscl . list /Users UniqueID | awk '$2 < 501 {print $1}' | grep -i "^MONITOR$") ]]; then
      echo "<result>Present</result>"
else
      echo "<result>Not Present</result>"
fi

Note that above in the grep I enclosed the name with ^ and $ to indicate start and end of line. Reason is, there's always a possibility of other sub 501 accounts native on the Mac that would have the term "monitor" in them somewhere, so making sure the whole name is "monitor" will avoid false positives. Also, I assume the uppercase "MONITOR" is the regular full name and not the short name since those don't usually have any upper case in them, so I threw in the -i flag to make grep do case insensitive matching.
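
A more general version of this check, as an added example and not mm2270's own script: it parses the "name uid" lines that `dscl . list /Users UniqueID` prints, matches the account name exactly and case-insensitively, and also distinguishes a real directory record from a leftover home folder (the original question notes the home folder is still visible). The function names, the constructed sample output, the `/Users/monitor` path and the `--live` switch are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: a Jamf extension attribute that reports
# whether one specific hidden local account exists on the machine.

# Parse "name uid" lines (the format of `dscl . list /Users UniqueID`) and
# print the names whose UID is below the threshold.
# Args: $1 = dscl output, $2 = UID threshold (defaults to 501)
hidden_accounts() {
  printf '%s\n' "$1" | awk -v max="${2:-501}" '$2 < max {print $1}'
}

# Exact (-x), fixed-string (-F), case-insensitive (-i) match of one account
# name in a newline-separated list. Returns 0 if present, 1 otherwise.
# Args: $1 = list of names, $2 = account name
has_account() {
  printf '%s\n' "$1" | grep -qFxi -- "$2"
}

# Classify a machine: "Present" if the record exists below UID 501,
# "Orphaned home" if only the home folder is left, otherwise "Not Present".
# Args: $1 = dscl output, $2 = account name, $3 = path of its home folder
classify_account() {
  local list
  list=$(hidden_accounts "$1" 501)
  if has_account "$list" "$2"; then
    echo "Present"
  elif [ -d "$3" ]; then
    echo "Orphaned home"
  else
    echo "Not Present"
  fi
}

# Constructed sample of dscl output (assumption), so the logic runs offline.
# Note the similarly named "monitoring_svc": the exact match must not hit it.
SAMPLE_DSCL='_www 70
_spotlight 89
root 0
monitor 499
admin 501
monitoring_svc 498'

# Live use on a Mac as an extension attribute, wrapped in Jamf's <result> tags
# (run with --live; the names and home path are assumed values).
if [ "${1:-}" = "--live" ]; then
  state=$(classify_account "$(dscl . list /Users UniqueID)" "monitor" "/Users/monitor")
  echo "<result>${state}</result>"
fi
```

A smart group can then key on the three result strings separately, so machines with only a stale home folder can be cleaned up without being counted as still having the account.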


  • Author
  • Contributor
  • 146 replies
  • June 17, 2014

Thanks for the comment CalumHunter, and the custom extension attribute mm2270!

Your assumptions were correct mm, I went ahead and loaded the EA into our JSS and it's exactly what I was looking for.

Cheers for the awesome quick response!

