Extension Attribute for Checking AD vs. Local User

Philsto
New Contributor II

I need an extension attribute to check if the logged in user (or any user) on a given machine is an AD user. We are trying to weed out users who are not authenticating against AD. We are using mobile accounts. Here is what I have at this point:

#!/bin/sh

# Group owner of any home folder under /Users whose group name contains "Domain";
# head -n 1 keeps a single value so the comparison below never sees multiple lines.
result=$(ls -al /Users/ | grep Domain | awk '{print $4}' | head -n 1)

# A single "=" is the portable string test for /bin/sh ("==" is a bash extension).
if [ "$result" = "MYDOMAINDomain" ]; then
    result="AD User"
else
    result="Local User"
fi

echo "<result>$result</result>"

exit 0

However, I see there are some users who slipped through who have authenticated, probably because they are logged in as local users but have authenticated to AD in the past (?).

I could also test against users who are over 600 users by running:

dscl . -list /Users UniqueID

and filtering out users under 600, but am unclear on how to do that filtering.

In any scenario, there is probably a more graceful way of doing this, and am wondering if anyone has any suggestions?

Thanks.

mm2270
Legendary Contributor III

There are a few threads here already with some sample scripts for EAs you can look at. Getting the Unique ID is one method, but as has been pointed out by some folks, it's possible for a user to spoof that if they know how to and are so inclined.
Someone posted a good command to use to verify if the account is actually from a directory service and not local, despite any report of the UID. I'll have to find that thread and post back here with the link, because I don't remember now what was mentioned in the thread.

ctangora
Contributor III

The trick is to look in dscl and look at the "OriginalAuthenticationAuthority", as that is the hardest one to spoof.

dscl . -read /Users/yourusername | grep "OriginalAuthenticationAuthority"
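As an added example (not code from the thread or from Jamf), the script below puts the two checks discussed here together: the UniqueID filtering the original post asked how to do, and the OriginalAuthenticationAuthority check from this reply. So it can be run anywhere, it works over constructed dscl output embedded in the script; the record layouts, the account names, UIDs and the placeholder UUID are all assumptions, as is the detail that an AD mobile account's OriginalAuthenticationAuthority carries a LocalCachedUser entry naming the Active Directory node while a purely local account lacks the key entirely.

```shell
#!/bin/sh
# Added example, not from the thread. Runs both checks over constructed dscl
# output so the logic can be exercised off a Mac; on a real machine the same
# functions would be fed by:
#   dscl . -list /Users UniqueID
#   dscl . -read "/Users/$user" OriginalAuthenticationAuthority 2>&1

# Constructed sample of `dscl . -list /Users UniqueID` (record name, UID).
SAMPLE_UID_LIST='_mbsetupuser 248
nobody -2
root 0
localadmin 501
jdoe 1134567890
asmith 1134567891'

# Constructed sample of the record dscl returns for an AD mobile account.
# Assumption: OriginalAuthenticationAuthority carries a LocalCachedUser entry
# naming the Active Directory node (the UUID below is a placeholder).
SAMPLE_AD_RECORD='OriginalAuthenticationAuthority:
 ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;
 ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:00000000-0000-0000-0000-000000000000'

# Constructed sample for a purely local account: the key does not exist, so
# dscl reports an error instead (hence the 2>&1 in the command above).
SAMPLE_LOCAL_RECORD='No such key: OriginalAuthenticationAuthority'

# Print the record names whose UniqueID is at or above $1 (the question uses
# 600); awk does the numeric comparison the question asked about.
# Usage: printf '%s\n' "$SAMPLE_UID_LIST" | filter_uids 600
filter_uids() {
    awk -v min="$1" '$2 + 0 >= min { print $1 }'
}

# Classify one account from its dscl record on stdin. Multi-valued attributes
# are printed one value per line, so match across the whole record rather
# than a single grep'd line. Prints "AD User" or "Local User".
classify_user() {
    record=$(cat)
    case "$record" in
        *OriginalAuthenticationAuthority:*LocalCachedUser*) echo "AD User" ;;
        *) echo "Local User" ;;
    esac
}

# Wrap a classification in the <result> tags an extension attribute expects.
ea_result() {
    echo "<result>$1</result>"
}

# Demo over the constructed samples.
echo "Accounts with UID >= 600:"
printf '%s\n' "$SAMPLE_UID_LIST" | filter_uids 600
ea_result "$(printf '%s\n' "$SAMPLE_AD_RECORD" | classify_user)"
ea_result "$(printf '%s\n' "$SAMPLE_LOCAL_RECORD" | classify_user)"
```

To turn this into an EA on a Mac, replace the demo section with something like `user=$(stat -f %Su /dev/console)` followed by `ea_result "$(dscl . -read "/Users/$user" OriginalAuthenticationAuthority 2>&1 | classify_user)"`; matching on the whole record rather than one line is what keeps the check working when dscl splits the multi-valued attribute across lines.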

mm2270
Legendary Contributor III

Yeah, I was just about to post a link to this thread, which you provided an answer for @ctangora
https://jamfnation.jamfsoftware.com/discussion.html?id=10179

Philsto
New Contributor II

Didn't catch that post, I will check it out, thanks much.

ctangora
Contributor III

It's tough to beat you to a post @mm2270.

bentoms
Release Candidate Programs Tester

I'd suggest grabbing the UniqueID & then looking it up against AD.

Part of the below script grabs the UniqueID of a user's account on AD.

All you'd need to do is get the logged-in user's UniqueID & then look for the user on AD.

Should be pretty difficult for the users to get around.

http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/