+9Do you guys use firmware passwords? We've had a few users boot to single user mode so they can create a new admin account on their computers.
In Casper, how could I search for any Macs that have an admin account other than the ones I created?
- jamie
+24We use EFI passwords to prevent users from using the boot selector or single user mode and a number of other things. If you really want to prevent tampering from curious types, you'll need to do it.
Also, try this script as an Extension Attribute, just change the "administrator" and "sysadmin" to reflect any names of your known local admins. Be careful though. If you grep for a generic term like "admin" it could end up excluding any accounts someone created such as "myadmin" There's a way to make sure you;re getting exact matches, but it escapes me at the moment. Hopefully your local admin accounts aren't too similar to anything a user may have created.
#!/bin/sh
## Get list of users other than known admins
userList=$(/usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/egrep -v administrator|sysadmin)
## Cycle through each and determine admin status
for i in $userList; do
if [[ `/usr/sbin/dseditgroup -o checkmember -m $i admin | /usr/bin/awk {'print $1'}` = "yes" ]]; then
/bin/echo "<result>$i is an admin</result>"
else
/bin/echo "<result>No extra admins found</result>"
fi
doneEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.