
So... My predecessor had the bright idea to give our users permanent admin privileges when they "called the help desk way too much"...



Does anyone have a method of searching for admin users that are NOT the admin users that all imaged Macs come with?



If no one has a way, I think I'll put through a feature request. Something along the lines of this as far as searchable options:



Computer has admin account (is/is like/not/not like) "Search Field"

Ryan (@rmanly) wrote up a little EA that could do this in this post:



https://jamfnation.jamfsoftware.com/discussion.html?id=3506


I just tried the EA that @rmanly posted in that article and had problems with it. I took out the "! *not*" in the if/then statement, and it seemed to work. Here's the changed script:



#!/bin/bash

list=()

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1}'); do
    # if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) ! *not* ]]; then
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) ]]; then
        list+=("${username}")
    fi
done

printf "%s " "<result>${list[@]}</result>"
echo


Obviously, test, test, test before deploying.


Unfortunately the script is producing false positives for me. Their user appears in the EA field, but when I go to the Local User Accounts section I see that those users are not admins. I'll have to dig a little deeper and see if these users are part of the admin group, but not official admins.


Write a script around dscl . -read /Groups/admin GroupMembership, grepping out known accounts... just an idea



LS
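
The approach suggested in the last post, written out as an added example (not code from the thread or from Jamf): it reads the admin group's GroupMembership line and reports every member that is not on a list of expected accounts, matching names exactly rather than with grep so that an expected name cannot hide a longer one. The names in KNOWN_ADMINS and the fallback sample line are assumptions made up for illustration.

```shell
#!/bin/bash
# Extension attribute sketch: list local admin group members that are not
# among the accounts every imaged Mac is expected to have.

# Hypothetical expected accounts; replace with the ones from your image.
KNOWN_ADMINS="root localadmin"

# unexpected_admins MEMBERSHIP_LINE
# MEMBERSHIP_LINE is the output of `dscl . -read /Groups/admin GroupMembership`,
# e.g. "GroupMembership: root localadmin jsmith".
# Prints the members not found in KNOWN_ADMINS, separated by spaces.
# Only direct members are covered; nested groups are not expanded.
unexpected_admins() {
    local members="${1#GroupMembership:}"
    local user known expected out=""
    for user in $members; do
        expected=no
        for known in $KNOWN_ADMINS; do
            # Exact comparison: "localadmin" must not hide "localadmin2".
            if [ "$user" = "$known" ]; then expected=yes; fi
        done
        if [ "$expected" = no ]; then out="${out:+$out }$user"; fi
    done
    printf '%s' "$out"
}

# On a Mac, read the live group; elsewhere use a constructed sample line.
if command -v dscl >/dev/null 2>&1; then
    line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
else
    line="GroupMembership: root localadmin jsmith localadmin2"  # constructed sample
fi

echo "<result>$(unexpected_admins "$line")</result>"
```

An empty result means only the expected accounts are in the admin group, so a smart group can match on the field being non-empty.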