DSCL limitations on user accounts

brenden
New Contributor

As a software developer, I am working on a macOS app in which one of the features is to check if a user has a password enabled or not. Recently I stumbled across the command dscl . -authonly $(id -un) "". This command seems to give the desired result: it returns nothing when no password is set, and returns an error when a password is set.

The main issue I have, well... question, is how will this command work in a "deployed environment" (a macOS machine in an enterprise environment)? This app I'm building would be deployed using some kind of RMM tool.

Based on common practice, do regular users (non-admin users) have access to this DSCL command? And can they perform this dscl . -authonly $(id -un) "" command? Perhaps a macOS sysadmin could aid in answering these questions.

3 REPLIES

talkingmoose
Moderator

The dscl command doesn't require admin privileges because it's not trying to change any local system settings. Any Active Directory domain member who is logged in to an AD-bound Mac with his or her account can use it to look up information in AD by default.

tlarkin
Honored Contributor

If a user has a password present, there will be a key in dscl that will have data; if not, the key will not be found. This should be AuthenticationAuthority, IIRC.

boberito
Valued Contributor

You may be able to get this info in a more programmatic way using Apple's OpenDirectory framework: https://developer.apple.com/documentation/opendirectory
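The dscl . -authonly check from the question, wrapped as a script for an audit run, as an added example that is not part of the original thread. It assumes the RMM agent runs the script as root, so $(id -un) would test root rather than the logged-in user; the DSCL override variable, the function names and the --run argument are inventions of this example.

```shell
#!/bin/sh
# Added example. DSCL can be overridden (assumption of this example) so the
# logic can be exercised on a machine that has no dscl binary.
DSCL="${DSCL:-/usr/bin/dscl}"

# Exit status: 0 = empty password accepted, 1 = empty password rejected,
#              2 = bad input or no such local user record.
has_blank_password() {
    user="$1"
    case "$user" in
        ""|*/*) return 2 ;;   # refuse empty names and anything path-like
    esac
    # Confirm the record exists first, so a lookup failure is not
    # misreported as "password set".
    "$DSCL" . -read "/Users/$user" RecordName >/dev/null 2>&1 || return 2
    # -authonly verifies the credentials only; "" is the empty password.
    if "$DSCL" . -authonly "$user" "" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Owner of the console device, i.e. the user at the login session (macOS stat syntax).
console_user() {
    stat -f%Su /dev/console 2>/dev/null
}

# Print a one-word verdict for an inventory or compliance field.
report() {
    rc=0
    has_blank_password "$1" || rc=$?
    case "$rc" in
        0) echo "blank-password" ;;
        1) echo "password-set" ;;
        *) echo "unknown-user" ;;
    esac
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    report "$(console_user)"
fi
```

Run with --run on the Mac to print the verdict for the console user; every attempt against an account that does have a password is a failed authentication, so keep the check infrequent.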