Posted on 06-09-2014 09:18 AM
I need an extension attribute to check if the logged-in user (or any user) on a given machine is an AD user. We are trying to weed out users who are not authenticating against AD. We are using mobile accounts. Here is what I have at this point:
#!/bin/sh
# Take the group owner (column 4 of ls -al) of every entry under /Users
# whose listing mentions "Domain"; this yields one line per matching home.
result=$(ls -al /Users/ | grep Domain | awk '{print $4}')
# POSIX sh string comparison uses a single "="
if [ "$result" = "MYDOMAINDomain" ]; then
    result="AD User"
else
    result="Local User"
fi
echo "<result>$result</result>"
exit 0
However, I see there are some users who slipped through who have authenticated, probably because they are logged in as local users but have authenticated to AD in the past (?).
I could also test against users whose UID is over 600 by running:
dscl . -list /Users UniqueID
and filtering out users under 600, but am unclear on how to do that filtering.
In any scenario, there is probably a more graceful way of doing this, and I am wondering if anyone has any suggestions?
Thanks.
Posted on 06-09-2014 11:51 AM
The trick is to look in dscl and look at the "OriginalAuthenticationAuthority", as that is the hardest one to spoof.
dscl . -read /Users/yourusername | grep "OriginalAuthenticationAuthority"
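Worked example, added here and not posted by anyone in the thread: an extension attribute that applies the OriginalAuthenticationAuthority check from the answer above and also shows the UniqueID filtering the original poster asked about. The dscl records and the UID listing embedded in it are constructed sample data (attribute names follow dscl's "Key: value" layout; the values are made up), and the live branch assumes it is running on macOS where dscl exists.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a user from the dscl record
# and filters a UniqueID listing; assumes macOS with dscl for the live check.

# Return "AD User" when a dscl user record carries an
# OriginalAuthenticationAuthority attribute (present on mobile accounts
# created from a directory node), otherwise "Local User".
classify_record() {
    if printf '%s\n' "$1" | grep -q '^OriginalAuthenticationAuthority:'; then
        echo "AD User"
    else
        echo "Local User"
    fi
}

# Filter "dscl . -list /Users UniqueID" output (name, spaces, uid per line)
# read from stdin, printing only names whose UID is above the threshold.
filter_uids_above() {
    awk -v min="$1" '$2 + 0 > min { print $1 }'
}

# Constructed sample records (not real output from any machine).
SAMPLE_MOBILE_RECORD='AuthenticationAuthority: ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:00000000-0000-0000-0000-000000000000
OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;
OriginalNodeName: /Active Directory/EXAMPLE/example.com
UniqueID: 1234567890'

SAMPLE_LOCAL_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
UniqueID: 501'

# Constructed sample of "dscl . -list /Users UniqueID" output.
SAMPLE_UID_LIST='_mbsetupuser  248
localadmin    501
jdoe          1234567890'

# Live extension attribute body: look up the console user's record.
ea_result() {
    user=$(stat -f%Su /dev/console)
    record=$(dscl . -read "/Users/$user" 2>/dev/null)
    classify_record "$record"
}

# Only run the live check where dscl exists (macOS); elsewhere the
# functions above can still be exercised on the sample data.
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(ea_result)</result>"
fi
```

The classifier keys on the presence of the attribute rather than on a group-owner string from ls, so a local account that merely has a home folder group matching the domain is not mistaken for a directory user; the UID filter takes the cutoff as an argument (the poster's 600, or whatever a site uses) so the same listing can be reused for reporting.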
Posted on 06-09-2014 11:15 AM
There are a few threads here already with some sample scripts for EAs you can look at. Getting the Unique ID is one method, but as has been pointed out by some folks, it's possible for a user to spoof that if they know how to and are so inclined.
Someone posted a good command to use to verify if the account is actually from a directory service and not local, despite any report of the UID. I'll have to find that thread and post back here with the link, because I don't remember now what was mentioned in the thread.
Posted on 06-09-2014 11:53 AM
Yeah, I was just about to post a link to this thread, which you provided an answer for @ctangora
https://jamfnation.jamfsoftware.com/discussion.html?id=10179
Posted on 06-09-2014 11:55 AM
Didn't catch that post, I will check it out, thanks much.
Posted on 06-09-2014 12:19 PM
It's tough to beat you to a post @mm2270.
Posted on 06-09-2014 12:27 PM
I'd suggest grabbing the UniqueID & then looking it up against AD.
Part of the below script grabs the UniqueID of a user's account on AD.
All you'd need to do is get the logged-in user's UniqueID & then look for the user on AD.
Should be pretty difficult for the users to get around.
http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/