Determine if an account is a Mobile or Local Account

azbikowski
New Contributor II

Does anyone know of a good way to do this in an extension attribute or similar? I need to track down laptops that haven't yet been switched over to using AD accounts.


5 REPLIES

jwojda
Valued Contributor II

I'm interested in this too, as we've locked down users and groups in 10.9 and modified the JSS's AD binding to automagically create mobile accounts. It's mostly for a check/balance.

mm2270
Legendary Contributor III

Just check the UID for the account. Directory based accounts always start in the 1000 and up range, at least for AD and I think that's also true for OD accounts. Local accounts can never have a UID above 999 and typically start at 501 and up, so using dscl and awk we can grab only account names with UniqueIDs above 500 but below 1000.

#!/bin/bash

# Print the names of accounts whose UniqueID falls in the local range (501-999)
dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 {print $1}'

ctangora
Contributor III

I wouldn't say that the local accounts can't go above 1000. I have a few users that tried tricking us into thinking they had AD accounts by changing their UID to be in the 10,000 range. I just changed a test account to 2900 and it seems to work as well.

This method (UID) will get you 99.9% of the people. You will have some of the advanced users that will always cause issues. You can list who is a directory account by looking for the "OriginalNodeName" in the DS.

List all directory accounts; if there are no directory accounts, it returns nothing.

dscl . list /Users OriginalNodeName 2>/dev/null

List only the names of the directory accounts; if there are no directory accounts, it returns nothing.

dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}'

If you are looking up a specific user, you could throw this into an if statement (as it will return nothing on an error)...

dscl . read /Users/username OriginalNodeName 2>/dev/null

... if the user is only a local account, this will return with nothing.

PeterClarke
Contributor II

There are various kinds of filters that can be used, depending on exactly what you want to test.

For instance to distinguish AD-Authorized accounts from others, (with details obscured) I have used:

MyAuth=$(dscl . -read "/Users/$UserID" OriginalAuthenticationAuthority)
if [[ "${MyAuth}" =~ "@MyDomain.co.uk" ]]; then
    Perform_Action
fi

azbikowski
New Contributor II

Thank you! That seems to work perfectly. I threw it in an extension attribute and we will hopefully have our users not using network accounts tracked down shortly. I'm guessing 75% of our Macs were deployed before we implemented Casper and then enrolled with Casper and joined to Active Directory as we rolled out new policies. We're hoping to proactively track these down and move them over to network accounts.

Here's the Extension Attribute script if anyone else needs it. Pretty simple.

#!/bin/sh
# Names of every account that carries an OriginalNodeName, i.e. came from a directory node
NETACCLIST=$(dscl . list /Users OriginalNodeName 2>/dev/null | awk '{print $1}')

if [ -z "$NETACCLIST" ]; then
        echo "<result>No Network Accounts</result>"
else
        echo "<result>$NETACCLIST</result>"
fi
exit 0
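As an added example (not code from any poster in this thread), here is a script that combines ctangora's OriginalNodeName check with the UID heuristic and the extension-attribute output above: every non-system account is labelled directory, local, or local-high-uid (a local account whose UID was moved into the directory range, the case ctangora describes). The dscl listings are passed in as text so the logic runs against constructed sample data; the user names, UIDs and domain in the sample are made up, and on a real Mac the two listings would come from `dscl . list /Users UniqueID` and `dscl . list /Users OriginalNodeName 2>/dev/null`.

```shell
#!/bin/sh
# Constructed sample output in the same "name value" layout dscl prints.
SAMPLE_UIDS='root 0
daemon 1
_mbsetupuser 248
admin 501
jdoe 1546812345
trickster 10005'
SAMPLE_NODES='jdoe /Active Directory/CORP/All Domains'

# classify_user NAME UID_LIST NODE_LIST -> directory | local | local-high-uid
classify_user() {
  local user="$1" uid_list="$2" node_list="$3" uid
  uid=$(printf '%s\n' "$uid_list" | awk -v u="$user" '$1 == u {print $2; exit}')
  if printf '%s\n' "$node_list" | awk -v u="$user" '$1 == u {f=1} END {exit !f}'; then
    echo directory            # has an OriginalNodeName: created from a directory node
  elif [ -n "$uid" ] && [ "$uid" -ge 1000 ]; then
    echo local-high-uid       # no directory node, yet UID sits in the "network" range
  else
    echo local
  fi
}

# report_accounts UID_LIST NODE_LIST -> one "name status" line per non-system user
report_accounts() {
  local uid_list="$1" node_list="$2"
  printf '%s\n' "$uid_list" | while read -r name uid; do
    [ -z "$name" ] && continue
    [ "$uid" -lt 500 ] && continue   # skip root, daemon and _service accounts
    printf '%s %s\n' "$name" "$(classify_user "$name" "$uid_list" "$node_list")"
  done
}

# ea_result UID_LIST NODE_LIST -> the <result> string an extension attribute would echo,
# listing the accounts that are NOT directory accounts (the ones still to migrate)
ea_result() {
  local leftover
  leftover=$(report_accounts "$1" "$2" | awk '$2 != "directory" {print $1}')
  if [ -z "$leftover" ]; then
    echo "<result>No Local Accounts</result>"
  else
    echo "<result>$leftover</result>"
  fi
}

report_accounts "$SAMPLE_UIDS" "$SAMPLE_NODES"
ea_result "$SAMPLE_UIDS" "$SAMPLE_NODES"
```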