EA: Check if logged user is admin

JamelB
New Contributor III

Hi, I would like to set an extension attribute to check if the logged user is Admin or Not. Could somebody assist me on the script please, I'm not familiar with scripting unfortunately :/

Thank you in advance,
Jamel

12 REPLIES 12

sdagley
Honored Contributor III

@JamelB Are you looking to use that EA as a Smart Group criteria, or are you just wanting to know who has an admin account on a machine? If the latter, and you're using local account, the Local Users Accounts panel of a computer inventory record will list all local accounts, and what kind they are.

JamelB
New Contributor III

Hi @sdagley Thank you for the answer.
I want to create a smart group, but what I really need to know, is the current loggeduser, not all users on the mac.
Thx

sdagley
Honored Contributor III

@JamelB This EA will do that, but be aware the EA isn't going to update except when a recon/inventory is run, so it doesn't guarantee the user actually logged in when the Smart Group is evaluated is the one that was tested:

#!/bin/sh

loggedInUser=$(stat -f %Su /dev/console)
loggedInUserIsAdmin="No"

if id -Gn $loggedInUser | grep -q -w admin; then
    loggedInUserIsAdmin="Yes"
fi

echo "<result>$loggedInUserIsAdmin</result>"

Chris_Hafner
Valued Contributor II

Quick question: This is obviously a part of a larger task that you are trying to accomplish. Can you share that? This might help us guide you to a solution that fits your need.

JamelB
New Contributor III

Thank you @sdagley I will try that. I understand the recon and policy updates, no problem.
@Chris_Hafner To explain, we have an IT local admin account on the MacBooks, used by the end users to install software/run sudo commands. We want to delete this admin account when the end users are local admin, as it is ont required anymore.
I understand the process above will may not match at 100% what we want to achieve, but if it's 97-99%, it's acceptable.

JamelB
New Contributor III

@sdagley It works perfectly, thx

cbd4s
Contributor II

Can also try to use last user when the user is not logged in

#!/bin/sh

result=""
loggedInUser=$(stat -f %Su /dev/console)
macUser=""
macUserIsAdmin="No"

if [ "$loggedInUser" == "root" ] || [ "$loggedInUser" == "" ]; then
    result+="Logged-in User Not Found
"
    lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
    if [ $lastUser == "" ]; then
        result+="Last User Not Found"
    else
            result+="Checking Last User $lastUser...
"
            macUser=$lastUser
    fi
else
    result+="Checking Current User $currUser...
"
    macUser=$loggedInUser
fi

if ["$macUser" != ""]; then
    if id -Gn $macUser | grep -q -w admin; then
            macUserIsAdmin="Yes"
    fi
    result+="User is admin: $macUserIsAdmin"
fi

echo "<result>$result</result>"

Chris_Hafner
Valued Contributor II

OK, I'm, popcorning here, but how are you planning on making their account admin? I can see lots of ways to accomplish this, but some may be more elegant than others depending on this. Also, do you have FV2 to contend with? It's easy to check if a user is part of the admin group with a script. Here's a good example from @pete_c (https://www.jamf.com/jamf-nation/discussions/24797/help-with-script-to-give-local-admin-rights-to-log-in-user) near the bottom of the post. I'm throwing this one over because he uses a friendly notice from jamfHelper.

I might have a script that say, checks to see if the logged-in user is admin (at check-in) and then elevates that account and either deletes the IT account or leaves it for a later policy/process

I do have an EA that lists all admin users (Taken form somewhere here). Perhaps that would be useful for creating a smart group later?

#!/bin/bash

# Script to detect if a computer has a local admin account on it with an UID of above 500

# Initialize array

list=()


# generate user list of users with UID greater than 500

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do

# Checks to see which usernames are reported as being admins. The
# check is running dsmemberutil's check membership and listing the
# accounts that are being reported as admin users. Actual check is
# for accounts that are NOT not an admin (i.e. not standard users.)

    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
    # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done

# Prints the array's list contents

echo "<result>${list[@]}</result>"

cbd4s
Contributor II

@Chris_Hafner , we probably don't trust the users as much as you do :-), which is why we only allow them to be a temporary admin when they need to by using MakeMeAdmin. The downside of this approach: it is delivered through self service and our Jamf Pro is not accessible from external network yet.

tlarkin
Honored Contributor

Quick question, are you going to recon every n minutes to make sure your EA gets updated?

JamelB
New Contributor III

@tlarkin no, recon once per day on our side, but I understand clearly what will be the behaviour
@cbd4s this is an internal choice ;), but thx for the proposal, I will chekc that also in //
@Chris_Hafner thank you, I will check if it is interesting to me. With the 1st solution, I was able to create a smart group like I wanted.

Thx all.

shalas
New Contributor II

Hi y'all, sorry for piggybacking on this (I'll create a new thread if that's recommended).

I'm trying to merge the first script in the thread:

#!/bin/sh

loggedInUser=$(stat -f %Su /dev/console)
loggedInUserIsAdmin="No"

if id -Gn $loggedInUser | grep -q -w admin; then
    loggedInUserIsAdmin="Yes"
fi

echo "<result>$loggedInUserIsAdmin</result>"

 with this script here:

https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh

I'm employing the former script to allow users to receive 30mins temp admin and it works great, with one exception.

If the user is already an Admin, the script strips admin rights after 30mins. Most likely this won't be a problem as the script is only available when provisioned to a specific user (after request) via self service, but, I'd like to figure out how to avoid it anyway in case the user doesn't know and the tech doesn't verify. 

Essentially I'm hoping to have the script check for Admin rights and only proceed with the temp grant if the user is not an Admin.

PS I'm a total noob at scripting. Still scouring the internet for good resources, so apologies for my noobness :)