Extension Attribute to show users

Cem
Valued Contributor

Thanks to Mr Larkin's awesomest script ever :) I have now managed to get
a report for Users and Macs by using Extension Attribute as below.

  1. Login to your JSS
  2. Settings
  3. Inventory Options
  4. Inventory Collection Preferences
  5. Extension Attributes
  6. Add Extension Attributes
  7. Input Type: Populated by Script
  8. Then copy and paste the script below into the "Mac OS X Script Contents" section:

#!/bin/sh
# Report local accounts with a UID above 500
echo "<result>`dscl . -list /Users UniqueID | awk '$2 > 500 { print $1 }'`</result>"

  9. Click "OK"
  10. Click "Save"
  11. In Inventory, create a new Advanced Search and in Display Fields select the Extension Attribute that you have created.

Thanks again Tom

Cem

14 REPLIES

scottb
Honored Contributor

Thanks for (re)posting this! Works great! Thanks to Tom too for the script.

antoinekinch
New Contributor III

This is to display the list of admin users as an extension attribute for reporting correct?

mm2270
Legendary Contributor III

It reports all user accounts with UIDs above 500, not just admins.

frozenarse
Contributor II

Looks like it will list all non-hidden accounts regardless if they are admin or not.

edit: Mike beat me to the punch! :)

mm2270
Legendary Contributor III

Yeah, that's what I said.
Are you looking for an EA to report on only local admin accounts? I'm certain there are threads that detail how to do this already on here. If you can't locate them (very possible with the search system here) post back and I'll see if I can help.

agirardi
New Contributor II

> If you can't locate them (very possible with the search system here) post back and I'll see if I can help.

Yeah, I am actually looking for an extension attribute that will list any local admin account. Let me know if you found one.

tlarkin
Honored Contributor

Hi Everyone,

Looks like this was copied from the old Casper mailing list from way back in the day. As some people have pointed out, that snippet of code only lists users with a UID of greater than 500. I specifically was reporting for that, since all of my hidden user accounts (for IT, for non IT, for whatever) I already knew they were admin, and I knew they were under UID 500.

I have a better written EA I can share here:

#!/bin/bash

# Local accounts with a UID above 500
allUsers=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')

for u in ${allUsers}; do
    # Check admin group membership inside the loop, once ${u} is set
    checkAdmin=$(dseditgroup -o checkmember -m "${u}" admin | awk '/yes/ { print $1 }')
    if [[ ${checkAdmin} == 'yes' ]]
        then echo "<result>admin enabled</result>"
        else echo "<result>admin disabled</result>"
    fi
done

Again, I am only checking for users with a UID greater than 500. This should work in most environments; if it doesn't, you may have to modify the script. Since dscl will return lots of users (like system daemons, services, etc.) you can probably get false positives.

I am also starting to publish some of my examples on github. https://github.com/t-lark/example-EAs

I hope this helps answer your questions.

Thanks,
Tom

freddie_cox
Contributor III

We have several admin accounts that we use and not all of them are under 500. I wanted to get a report on admin users who weren't on the "approved" list so here is the extension attribute I use:

#!/bin/bash

# Get the Local Admin Users from DSCL
a=`dscl . -read /Groups/admin GroupMembership`

# Build an Array of the users
admins=($a)

# List the users I don't want to report on. Separate by space to add more.
ignore=(GroupMembership: administrator CasperAdmin CasperAdmin2 CasperAdmin3)

# Loop through the ignore array and trim them from the admin array
for i in "${ignore[@]}"; do
        admins=(${admins[@]//*$i*})
done

# Report Attribute back to Casper.
if [ ${#admins[@]} = 0 ]; then
        echo "<result>Admin Accounts OK</result>"
else
        echo "<result>WARNING: ${admins[@]}</result>"
fi

This will give me a list of "unapproved" admin accounts (Separated by spaces) in the EA so it's easy to see in searches.

E.g.: Admin Users:WARNING: Teacher JohnDoe

Hope this helps someone!
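
An added example, not part of the original post: the `${admins[@]//*$i*}` line above drops any member whose name merely contains an ignored name, so such an account never shows up in the WARNING report. The sketch below compares that substring behaviour with whole-name matching; the function name `filter_admins` and the sample membership line are constructed for illustration.

```sh
#!/bin/sh
# Added example: substring vs. exact-name filtering of admin group members
# against an approved list. filter_admins is a hypothetical helper.

# Usage: filter_admins MODE "GroupMembership: a b c" approved_name...
#   MODE=substring  mirrors the matching of ${admins[@]//*$i*}
#   MODE=exact      hides a member only when the whole name is approved
filter_admins() {
    mode=$1
    line=$2
    shift 2
    out=""
    # Strip the "GroupMembership:" label, then walk the member names
    for m in ${line#GroupMembership:}; do
        hide=0
        for a in "$@"; do
            case $mode in
                substring)
                    case $m in *"$a"*) hide=1 ;; esac ;;
                exact)
                    if [ "$m" = "$a" ]; then hide=1; fi ;;
            esac
        done
        if [ "$hide" -eq 0 ]; then
            out="${out:+$out }$m"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample; on a Mac this line would come from:
#   dscl . -read /Groups/admin GroupMembership
sample="GroupMembership: administrator CasperAdmin CasperAdmin2 Teacher CasperAdminOld"

# Substring matching reports only Teacher; CasperAdminOld is hidden
# because its name contains the approved name CasperAdmin.
filter_admins substring "$sample" administrator CasperAdmin CasperAdmin2

# Exact matching reports both unapproved accounts.
filter_admins exact "$sample" administrator CasperAdmin CasperAdmin2
```

With exact matching, every approved account has to be listed by its full name, including numbered variants such as CasperAdmin2.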

Sanchi
Contributor

Hi guys,

This is great. Could you advise on an EA that shows the number of non-admin users on a Mac - just in numerical form?

freddie_cox
Contributor III

@sancheeto If you just want a count, you can change the following line:

        echo "<result>WARNING: ${admins[@]}</result>"

to

        echo "<result>${#admins[@]}</result>"

That will just print a count of the elements in the array. Hope this helps!

cnoboa
New Contributor II

Does anyone know if there is an updated script? For some reason, when entering these EAs I get no information. Not sure what I am doing wrong; can anyone assist?

mm2270
Legendary Contributor III

@cnoboa This is sort of an old thread, but... Extension Attributes only report information once Macs start submitting inventory back to the JSS after the EA is set up in it. Given this fact, have any of your Macs reported in (sent in new inventory) since you set up the EA? If not, that would be why you aren't seeing any data.
You can run a quick manual recon on a Mac you have in your hands by doing sudo jamf recon in Terminal. Then go back to your JSS to check on that record to see if the data is there.

scottb
Honored Contributor

Just had to do this again since the client is not using any LDAP.
Not getting any data using the following (10.13.x Macs)

#!/bin/sh
echo "<result>`dscl . -list /Users UniqueID | awk '$2 > 500 { print $1 }'`</result>"

Did a sudo Jamf manage, then sudo Jamf recon. Repeated a couple times and no data on the JSS (10.1.1).

Corry
New Contributor

How do I get this EA into an advanced search to get a list of it in a report?