Easy way to find Open Directory users?

RLim945
New Contributor III

We're trying to migrate away from Open Directory in our organization. We've already begun this by not binding any newly deployed computers to OD, but still have several that have already been deployed.

What would be a good way to identify what computers are still running with an OD user account? My hunch is to leverage an extension attribute and a smart group. Any suggestions?

3 REPLIES

mm2270
Legendary Contributor III

It's been a while since I've used Open Directory, but I believe it's similar to Active Directory, in that the UIDs of OD accounts are much higher than the UIDs of local accounts. For example, AD accounts typically start at 1000 and up (usually much higher than 1000 in fact) so OD is probably the same. I don't know the range it starts from, but I'm betting you can find that info online with some searches.
Once you know what to look for, an EA that captures any user accounts on the Mac with UIDs at or above the OD range is possible.

Basic code to list accounts with UIDs above 1000:

dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'

You would just need to make the necessary adjustment to that for the OD range, assuming it's different, then put it into an EA to echo back the results. From there, once your Macs start reporting in with new inventory to capture results, you should be able to run searches that pull up all Macs and have that EA as one of the displayed columns.

Hope that helps.

RLim945
New Contributor III

Thanks! That's pretty much where I was heading. How exactly would I script this out into an EA? Unfortunately, I don't have much experience in scripting or the use of EAs quite yet.

I came up with something similar to get the value of the UID, but it's not returning anything (even though it returns the value I'm looking for when I run it locally in Terminal).

#!/bin/sh

lastUser=`defaults read /Library/Preferences/com.apple.loginwindow lastUserName`
userId=`sudo -u $lastUser id -u`

echo <result>"$userId"</result>

Any help would be greatly appreciated!

mm2270
Legendary Contributor III

Hi. If you're going to do an id -u (which is actually a good idea now that you mention it) you shouldn't need to run it as the user. Instead of doing sudo -u just do:

id -u $lastUser

That should work fine as the OS can pull the uid for users on the system without running the command as them.

I would also make sure the defaults command is actually pulling something to check against. In my experience that value in the plist is not always populated. So you might want to check that it returned something in the script before trying to do the id command against it.
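
An added example, not posted by anyone in the thread: one way to combine the suggestions above into a single extension attribute script, covering the dscl UID listing, `id -u` without `sudo -u`, and the empty-value check on `lastUserName`. The function names and the `UID_FLOOR` value of 1000 are assumptions; set the floor to the UID range your Open Directory accounts actually use.

```shell
#!/bin/sh
# Added example (not from the thread): Jamf Pro extension attribute script.
# Assumption: UIDs above UID_FLOOR belong to directory accounts. 1000 is the
# value from the thread's one-liner; adjust it to the real OD range.
UID_FLOOR=1000

# Filter "name uid" lines (the format of `dscl . list /Users UniqueID`)
# down to the account names whose UID is above the floor.
names_above_floor() {
    awk -v floor="$UID_FLOOR" '$2 ~ /^[0-9]+$/ && $2 + 0 > floor + 0 {print $1}'
}

# Last user recorded by loginwindow; prints nothing when the key is absent.
last_login_user() {
    defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null || true
}

# Describe one account by UID without running anything as that user.
# The name is always quoted because the EA runs as root on every Mac.
describe_user() {
    user=$1
    [ -n "$user" ] || { echo "none recorded"; return 0; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "$user (no such account)"; return 0; }
    if [ "$uid" -gt "$UID_FLOOR" ]; then
        echo "$user (uid $uid, directory range)"
    else
        echo "$user (uid $uid, local range)"
    fi
}

# Build the value reported to inventory: every account above the floor,
# plus the classification of the last login user.
ea_value() {
    accounts=$(dscl . list /Users UniqueID 2>/dev/null | names_above_floor | tr '\n' ' ') || accounts=""
    echo "Accounts above $UID_FLOOR: ${accounts:-none}; last user: $(describe_user "$(last_login_user)")"
}

# The whole string, tags included, is quoted so the shell does not treat
# < and > as redirections.
echo "<result>$(ea_value)</result>"
```

A smart group can then match on the extension attribute value containing "directory range" or on the account list not being "none".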