Jamf Nation Community

This is to display the list of admin users as an extension attribute for reporting correct?

It reports all user accounts with UIDs above 500, not just admins.

Looks like it will list all non-hidden accounts regardless if they are admin or not.

edit: Mike beat me to the punch! :)

Yeah, that's what I said.
Are you looking for an EA to report on only local admin accounts? I'm certain there are threads that detail how to do this already on here. If you can't locate them (very possible with the search system here) post back and I'll see if I can help.

If you can't locate them (very possible with the search system here) post back and I'll see if I can help.

Yeah I am actually looking for an extension attribute that will list any local admin account. Let me know if you found one.

Hi Everyone,

Looks like this was copied from the old Casper mailing list from way back in the day. As some people have pointed out, that snippet of code only lists users with a UID of greater than 500. I specifically was reporting for that, since all of my hidden user accounts (for IT, for non IT, for whatever) I already knew they were admin, and I knew they were under UID 500.

I have a better written EA I can share here:

#!/bin/bash

allUsers=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')
checkAdmin=$(dseditgroup -o checkmember -m ${u} admin | awk '/yes/ { print $1 }')

for u in ${allUsers}; do
    if [[ ${checkAdmin} == 'yes' ]]
        then echo "<result>admin enabled</result>"
        else echo "<result>admin disabled</result>"
    fi
done

Again, I am only checking for users with a UID greater than 500. This should work in most environments, if it doesn't you could have to modify the script. Since dscl will return lots of users (like system daemons, services, etc) you can probably get false positives.

I am also starting to publish some of my examples on github. https://github.com/t-lark/example-EAs

I hope this helps answer your questions.

Thanks,
Tom

We have several admin accounts that we use and not all of them are under 500. I wanted to get a report on admin users who weren't on the "approved" list so here is the extension attribute I use:

#!/bin/bash

# Get the Local Admin Users from DSCL
a=`dscl . -read /Groups/admin GroupMembership`

# Build an Array of the users
admins=($a)

# List the users I don't want to report on. Separate by space to add more.
ignore=(GroupMembership: administrator CasperAdmin CasperAdmin2 CasperAdmin3)

# Loop through the ignore array and trim them from the admin array
for i in "${ignore[@]}"; do
        admins=(${admins[@]//*$i*})
done

# Report Attribute back to Casper.
if [ ${#admins[@]} = 0 ]; then
        echo "<result>Admin Accounts OK</result>"
   else
        echo "<result>WARNING: ${admins[@]}</result>"
   fi

This will give me a list of "unapproved" admin accounts (Separated by spaces) in the EA so it's easy to see in searches.

E.g.: Admin Users:WARNING: Teacher JohnDoe

Hope this helps someone!

Hi guys,

This is great. Could you advise on an EA that shows the number of non-admin users on a Mac - just in numerical form?

@sancheeto If you just want a count, you can change the following line:

 echo "<result>WARNING: ${admins[@]}</result>"

to

        echo "<result>${#admins[@]}</result>"

That will just print a count of the elements in the array. Hope this helps!

does anyone know if there is updated script? for some reason when entering these EA i get no information. Not sure what I am doing wrong, can anyone assist?

@cnoboa This is sort of an old thread, but... Extension Attributes only report information once Macs start submitting inventory back to the JSS after the EA is set up in it. Given this fact, have any of your Macs reported in (sent in new inventory) since you set up the EA? If not, that would be why you aren't seeing any data.
You can run a quick manual recon on a Mac you have in your hands by doing sudo jamf recon in Terminal. Then go back to your JSS to check on that record to see if the data is there.

Just had to do this again since the client is not using any LDAP.
Not getting any data using the following (10.13.x Macs)

#!/bin/sh echo "<result>`dscl . -list /Users UniqueID |awk '$2 > 500 { print $1
}'`</result>"

Did a sudo Jamf manage, then sudo Jamf recon. Repeated a couple times and no data on the JSS (10.1.1).