Detecting Local User Account Creation

Carter
New Contributor II

Hello JAMFnation discussion community. Long time listener first time caller...

We are trying to track if a local account is created instead of an OD network account. I was looking into smart groups but I don't think the username "is like" is going to accomplish this goal for me. I wanted to do a smart group so I could get an email when a local account is created. I was going to move on to figuring out a script to do this, but is there a feature of JSS that I'm missing that will accomplish this goal?

Thanks for looking/contributing if you do!

~Jon

2 ACCEPTED SOLUTIONS

mm2270
Legendary Contributor III

Hi and welcome.
It would probably be challenging to do this entirely via built in options in the Casper Suite.

Before getting started on helping you with a solution, I have a question (or two). Do you have any valid local accounts already on your Macs that show up normally at the login screen and in Users & Groups? In more technical terms, do any accounts with Unique IDs higher than 500 already exist on the Macs? Perhaps a local admin account you use for IT?
If the answer is Yes, then you'll need to account for that in anything you put together, but it's possible to work around.

Second question is, you mentioned using OD accounts. Do you happen to know what the UID (Unique ID) range is for Open Directory accounts? I know for Active Directory they start at 1000 and up, but are usually much higher. Not sure if that's also true for OD accounts. Maybe someone can chime in on that.
Edit: Just did a quick Google search and see that OD accounts follow suit with UIDs in the 1000 and up range, so the below should work as is.

Assuming we have answers on those questions, what I would do if I were in your shoes is create an Extension Attribute that gathered a list of any local accounts (minus any known IT ones) and then provided a count. Save the Extension Attribute as an integer in the JSS, then as Macs report in with inventory, you can build a Smart Group for any that have a count higher than 0. Set up the Smart Group to send email notifications on change, and you should be alerted to any Macs reporting in with local accounts on them.

Here's an example of how to do this:

#!/bin/sh

## Using range between 501 and 999 (AD range) Adjust values for OD if necessary

LocalUsersCount=$( dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 {print $1}' | grep -v ^localaccountname$ | wc -l | sed 's/ //g' )

echo "<result>$LocalUsersCount</result>"

You would need to adjust the above by changing or removing the | grep -v ^localaccountname$ section, either by entering the known local account that should be there, or just removing that section if there are none to account for.

On my Mac I have one local account, not AD based, so it returns "1" as a result. So with this, you could set up the EA (make sure to set the value as "integer"), then make a Smart Group using criteria like:

Local Users Count | more than | 0

Set the email options to be alerted to changes and you should get notified. Of course, you'll only be notified when a Mac reports in with new inventory. But this would be true with just about anything.

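A fuller version of that Extension Attribute, added here as an example and not mm2270's script: it parses the output format of `dscl . list /Users UniqueID`, skips an allowlist of expected IT accounts (the names ladmin and casper are assumed), and reports both the offending names and the integer count. A constructed sample stands in for live dscl output so it runs offline.

```shell
#!/bin/sh
# Added example, not the EA from the post: count local accounts in the
# 501-999 UID range while skipping an allowlist of expected IT accounts.

# Assumed names of local accounts that are allowed to exist; adjust per site.
ALLOWLIST="ladmin casper"

# Reads "name uid" lines (the format of `dscl . list /Users UniqueID`) on
# stdin and prints the names with 500 < UID < 1000 that are not allowlisted.
list_local_users() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        NF == 2 && $2 > 500 && $2 < 1000 && !($1 in skip) { print $1 }
    '
}

# Same input; prints the count as a bare integer (0 when nothing matches).
count_local_users() {
    list_local_users "$1" | wc -l | tr -d ' '
}

# Constructed sample of dscl output: system accounts, an allowlisted admin
# (501), one unexpected local user (502) and a directory-range account (1001).
SAMPLE_DSCL_OUTPUT='root 0
_mbsetupuser 248
ladmin 501
jdoe 502
netuser 1001'

sample_names() { printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | list_local_users "$ALLOWLIST"; }
sample_count() { printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | count_local_users "$ALLOWLIST"; }

# On a Mac, replace the sample with live data:
#   dscl . list /Users UniqueID | count_local_users "$ALLOWLIST"
echo "<result>$(sample_count)</result>"
```

Pair the count with a second EA that emits `sample_names`-style output so the Smart Group alert tells you which account appeared, not just that one did.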

Carter
New Contributor II

I ended up creating an EA with:

#!/bin/bash

# Read the search node and keep only the /LDAPv3/ (Open Directory) entries
result=$(dscl /Search -read / | grep "/LDAPv3/" | sort -u)
echo "<result>$result</result>"

exit 0

And in the smart group I used the receipts Local account to have the account name not be my local admin account. Tested, works great!

I made this to be a part of an early alert sign if one of our MacBooks has been stolen. I figure one of the first things someone would do is make a new local user account. We have a lot of users who connect from all around the world, so tracking IP address segments is not very effective.

Anyway, thanks again for all the help I hope someone else finds this useful in the future.

~Jon


4 REPLIES

Matt
Valued Contributor

I would start with the UIDs. If you notice, the UID ranges on network accounts are different. This is an AD account, but you get the idea.

2029854029 matthewle
80 casper
81 administrator


Carter
New Contributor II

Thanks Matt and mm2270. I was just looking at creating an EA or a Customer report.

I think that script should work; we set our UIDs in a very specific range so this will work out well. We do have a local admin account, but I can just set the threshold to be higher than one. I really appreciate the advice and example script!

~Jon
