Extension Attribute: Checking for local user account level - not working

SV_JamfTech
New Contributor II

Hello Jamf Community! 

I'm making an extension attribute that basically tracks if a local user is at the Standard level or Admin level. I've run the script on 2 test Macs in our environment where one Mac is a Standard account and the other is an Admin account. For whatever reason, the extension attribute will always resort to "Admin" as the result. I've tried several things to troubleshoot this. Here's what I've done.

 

  • Originally the elif statement was an else statement
  • I've switched the if statements where it would be != 'Yes', is_admin would be No, and vice versa.
  • I've ensured the script worked by running the script in Terminal for both test Macs, and they should work.

 

Not too sure what is going on and I'm thinking it's just my jamf environment now. Does anybody have suggestions on what might be going on? 

 

#!/bin/bash

result=''
# Get the current logged-in user
current_user=$(whoami)

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

 

2 ACCEPTED SOLUTIONS

stevewood
Honored Contributor II

The jamf binary runs as root, so you are essentially checking if the root user is an admin. Instead of using 'whoami' to get the current user, you need to do it differently. This should work:

#!/bin/bash

current_user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"


AntMac
Contributor II

Edit: sorry, I had this in draft as I was double-checking. Essentially the same as the other answer.
Maybe changing the line to determine the current logged-on user might work a little better? Seems to work fine in my environment with this changed, but your mileage may vary.

 

#!/bin/bash

result=''
# Get the current logged-in user
current_user=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

# Check if the current user is an admin
is_admin=$(dseditgroup -o checkmember -m "$current_user" admin | awk '{print $1}')

# Print the user's role
if [[ "$is_admin" == "yes" ]]; then
	result="Admin"
elif [[ "$is_admin" == "no" ]]; then
	result="Standard"
fi

echo "<result>$result</result>"

 

 

SV_JamfTech
New Contributor II

Looks like both recommendations seem to have fixed the issue! Thank you @stevewood and @AntMac !!
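
A variant of the accepted approach that also covers the case where nobody is logged in at the console, added here as an example and not code from any poster in the thread. The function names, the "No console user" and "Unknown" result strings, and the sample tool output are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Parsing lives in functions so it can be
# checked against constructed tool output on a machine without the macOS tools.

# Read `scutil` output for State:/Users/ConsoleUser on stdin and print the
# console user's short name; print nothing when the login window owns the console.
console_user_from_scutil() {
    awk '/Name :/ && $3 != "loginwindow" { print $3; exit }'
}

# Map the first word of `dseditgroup -o checkmember` output to a role.
role_from_checkmember() {
    case "${1%% *}" in
        yes) echo "Admin" ;;
        no)  echo "Standard" ;;
        *)   echo "Unknown" ;;   # lookup failed or unexpected output
    esac
}

# Build the EA value. $1 = console user (may be empty), $2 = checkmember output.
ea_result() {
    if [ -z "$1" ]; then
        # Without this branch an empty user name would be passed to dseditgroup
        # and the inventory record would carry a blank value.
        echo "<result>No console user</result>"
    else
        echo "<result>$(role_from_checkmember "$2")</result>"
    fi
}

if command -v scutil >/dev/null 2>&1 && command -v dseditgroup >/dev/null 2>&1; then
    # Live path on macOS: the same commands as the accepted answer. The script
    # runs as root, so the user must come from the console session, not whoami.
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    member=""
    if [ -n "$user" ]; then
        member=$(dseditgroup -o checkmember -m "$user" admin 2>/dev/null)
    fi
    ea_result "$user" "$member"
else
    # Constructed sample output, used only when the macOS tools are absent.
    user=$(printf '<dictionary> {\n  GID : 20\n  Name : jdoe\n  UID : 501\n}\n' |
           console_user_from_scutil)
    ea_result "$user" "no jdoe is NOT a member of admin"
fi
```

Reporting "No console user" and "Unknown" as distinct values keeps machines that were inventoried at the login window from being counted as either Admin or Standard.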