Posted on 04-01-2014 07:32 AM
Does anyone know of a good way to do this in an extension attribute or similar? I need to track down laptops that haven't yet been switched over to using AD accounts.
Posted on 04-01-2014 08:17 AM
I wouldn't say that the local accounts can't go above 1000. I have a few users that tried tricking us into thinking they had AD accounts by changing their UID to be in the 10,000 range. I just changed a test account to 2900 and it seems to work as well.
This method (UID) will get you 99.9% of the people. You will have some of the advanced users that will always cause issues. You can list who is a directory account by looking for the "OriginalNodeName" in the DS.
List all directory accounts; if there are no directory accounts it returns nothing.
dscl . list /Users OriginalNodeName 2>/dev/null
List only the names of the directory accounts; if there are none it returns nothing.
dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}'
If you are looking up a specific user, you could throw this into an if statement (as it will return nothing on an error)...
dscl . read /Users/username OriginalNodeName 2>/dev/null
... if the user is only a local account, this will return nothing.
Posted on 04-01-2014 07:37 AM
I'm interested in this too, as we've locked down Users and Groups in 10.9 and modified the JSS's AD binding to automagically create mobile accounts. It's mostly for a check/balance.
Posted on 04-01-2014 07:45 AM
Just check the UID for the account. Directory-based accounts always start in the 1000 and up range, at least for AD, and I think that's also true for OD accounts. Local accounts can never have a UID above 999 and typically start at 501 and up, so using dscl and awk we can grab only account names with UniqueIDs above 500 but below 1000.
#!/bin/bash
dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 {print $1}'
Posted on 04-01-2014 11:13 AM
There are various kinds of filters that can be used, depending on exactly what you want to test.
For instance, to distinguish AD-authorized accounts from others (with details obscured), I have used:
MyAuth=$(dscl . -read "/Users/$UserID" OriginalAuthenticationAuthority 2>/dev/null)
if [[ "${MyAuth}" =~ "@MyDomain.co.uk" ]]; then
    Perform_Action
fi
Posted on 04-16-2014 12:06 PM
Thank you! That seems to work perfectly. I threw it in an extension attribute and we will hopefully have our users not using network accounts tracked down shortly. I'm guessing 75% of our Macs were deployed before we implemented Casper and were then enrolled with Casper and joined to Active Directory as we rolled out new policies. We're hoping to proactively track these down and move them over to network accounts.
Here's the Extension Attribute script if anyone else needs it. Pretty simple.
#!/bin/sh
# Names of accounts that carry an OriginalNodeName, i.e. directory (mobile) accounts.
# stderr is silenced on dscl, not awk, so an error does not leak into the result.
NETACCLIST=$(dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}')
if [ -z "$NETACCLIST" ]; then
    echo "<result>No Network Accounts</result>"
else
    echo "<result>$NETACCLIST</result>"
fi
exit 0
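As an added example that is not part of any post in this thread: a script combining the UID-range check from the 7:45 reply with the OriginalNodeName check from the accepted answer, so that a local account whose UID has been pushed into the directory range (the case the accepted answer warns about) is flagged rather than mistaken for a network account. The user names and the /Active Directory/CORP node path are constructed sample data, not taken from the thread.

```bash
#!/bin/bash
# Added example, not from the thread: combine the two signals discussed above.
# UID range alone can be spoofed; OriginalNodeName is what marks a directory
# (mobile) account. Both inputs are the raw output of the dscl commands named.
# $1: output of `dscl . list /Users UniqueID`
# $2: output of `dscl . list /Users OriginalNodeName`
# Prints one line per account with UID >= 500: network, local, or suspect
# (UID in the directory range but no OriginalNodeName behind it).
classify_accounts() {
  printf '%s\n' "$1" | awk -v nodes="$2" '
    BEGIN {
      n = split(nodes, lines, "\n")
      for (i = 1; i <= n; i++) {
        name = lines[i]; sub(/[ \t].*/, "", name)        # first field
        rest = lines[i]; sub(/^[^ \t]+[ \t]+/, "", rest)   # node path may contain spaces
        if (name != "") node[name] = rest
      }
    }
    $2 >= 500 {
      if ($1 in node)      printf "network %s uid=%s node=%s\n", $1, $2, node[$1]
      else if ($2 >= 1000) printf "suspect %s uid=%s (high UID, no OriginalNodeName)\n", $1, $2
      else                 printf "local %s uid=%s\n", $1, $2
    }'
}
# Jamf Extension Attribute style result: every non-directory account found.
# $1: output of classify_accounts
ea_result() {
  local locals
  locals=$(printf '%s\n' "$1" | awk '$1 != "network" {print $2}' | sort | tr '\n' ' ')
  if [ -z "$locals" ]; then
    echo "<result>No Local Accounts</result>"
  else
    echo "<result>${locals% }</result>"
  fi
}
# Constructed sample dscl output (hypothetical users and domain) for offline use.
SAMPLE_UIDS='root        0
admin       501
jdoe        1045
mbloggs     1180
spoofer     10001'
SAMPLE_NODES='jdoe      /Active Directory/CORP/All Domains
mbloggs   /Active Directory/CORP/All Domains'
# On a Mac, pass the live output instead of the sample:
#   classify_accounts "$(dscl . list /Users UniqueID 2>/dev/null)" "$(dscl . list /Users OriginalNodeName 2>/dev/null)"
ea_result "$(classify_accounts "$SAMPLE_UIDS" "$SAMPLE_NODES")"
```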