generate list of admins without relying on UID above 500

Eyoung
Contributor

I am trying to get a usable list of who is an admin on a given set of machines. Should be easy... run an extension attribute for anyone above 500 and BAM... but these are AD mobile accounts, so the UID is 10 digits long. See the example from a record below. I can look at an individual record and see that there is a field marked Admin that is correctly populated. I've been working with JAMF support and they claim there is no way to use that field to generate any sort of usable output... a smart list, .csv, anything!

Anyone know of a way to pull that "Admin" field out of the JSS? Or create an extension attribute that will give me the admins on a system without relying on UIDs above 500?

thank you.

EXAMPLE: name has been changed to protect the annoying little F(redacted)
Local User Accounts
UID Username Full Name Admin Home Directory Size Legacy FileVault Enabled FileVault 2 Enabled
501 admin administrator Yes /Users/admin 28 MB No No
502 admin2 admin2 Yes /Users/admin2 12.0 GB No No
1217078761 the_students-name Theusername Yes /Users/the_kids_directory 18.0 GB No No

1 ACCEPTED SOLUTION

kendalljjohnson
Contributor II

I use an EA to find any admin account that isn't our standard admin account/management account. From there, you can create a smart group for machines where the admin account EA isn't blank.

#!/bin/sh

# List every member of the local admin group, one per line, then drop the
# accounts we manage ourselves. Note that grep -v matches substrings, so any
# username that merely contains "admin" or "root" is dropped as well.
accounts=$(dscl . -read /Groups/admin GroupMembership | tr " " "\n" | grep -v "GroupMembership:" | grep -v "admin" | grep -v "root" | grep -v "jamfmanager" | grep -v "_mbsetupuser")

echo "<result>$accounts</result>"


5 REPLIES

davidacland
Honored Contributor II

You can get that info from the computer record using the API. For each local account it has an "administrator" tag like <administrator>true</administrator> or <administrator>false</administrator>.

You could also create an EA that shows admins. I'd probably use dseditgroup to check membership in the admin group.
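An added example of the API route davidacland describes (this is not code from the thread or from Jamf): a small shell function that reads a Classic API computer record and prints a CSV row for every local account whose administrator element is true, which is the kind of output the original question asked for. The XML below is a constructed sample in that shape; the curl line in the comment and the assumption that each user element's first name element is the username are mine, not the thread's.

```shell
#!/bin/sh
# Added example: extract admin accounts from a Jamf Classic API computer record.
# Not code from the thread. In practice the XML would come from something like
#   curl -s -u "$user:$pass" -H "Accept: application/xml" \
#        "$JSS_URL/JSSResource/computers/id/<ID>/subset/groups_accounts"
# (assumed endpoint, shown for orientation only; the sample below is CONSTRUCTED).

SAMPLE_XML='<computer><groups_accounts><local_accounts>
<user><name>admin</name><uid>501</uid><administrator>true</administrator></user>
<user><name>admin2</name><uid>502</uid><administrator>true</administrator></user>
<user><name>student</name><uid>1217078761</uid><administrator>true</administrator></user>
<user><name>guest1</name><uid>503</uid><administrator>false</administrator></user>
</local_accounts></groups_accounts></computer>'

# list_api_admins: read computer-record XML on stdin and print "name,uid" for
# every <user> element whose <administrator> is true. Works with POSIX awk:
# the whole document is flattened to one line, split on </user>, and each
# record is checked for the flag. Assumes the first <name> inside a <user>
# element is the username (true for the local_accounts subset).
list_api_admins() {
    tr -d '\n' | awk '{
        n = split($0, recs, /<\/user>/)
        for (i = 1; i <= n; i++) {
            rec = recs[i]
            if (rec !~ /<administrator>true<\/administrator>/) continue
            if (!match(rec, /<name>[^<]*<\/name>/)) continue
            name = substr(rec, RSTART + 6, RLENGTH - 13)   # strip <name> and </name>
            uid = ""
            if (match(rec, /<uid>[^<]*<\/uid>/))
                uid = substr(rec, RSTART + 5, RLENGTH - 11) # strip <uid> and </uid>
            print name "," uid
        }
    }'
}

# admins_csv: same list with a header row, ready to save as a .csv.
admins_csv() {
    echo "name,uid"
    list_api_admins
}

# Run against the constructed sample; on a real JSS pipe the curl output in instead.
printf '%s' "$SAMPLE_XML" | admins_csv
```

Because the filter keys on the administrator element rather than on the UID, the 10-digit AD mobile account is reported alongside the local 50x accounts; the guest account with administrator false is not.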


Eyoung
Contributor

thanks for the responses 🙂

For your command, kendalljjohnson, I think I have it right... in that I get expected results if I run it manually. I think the EA will have to bake a while for results...

The smart group would be set to look for not like as the Boolean and just a blank field?

kendalljjohnson
Contributor II

Correct.

You can do a smart group for the EA "is not" blank to know which computers apply. I also have a saved Advanced Computer Search for computers that apply, and then display the Computer Name and the EA of the Admin Accounts so I can see the usernames that are admin for those machines.


geoffrepoli
Contributor

something similar but smaller:

dscl . read /groups/admin GroupMembership | cut -c18- | sed -E 's/root ?//;s/excludedAdmin1 ?//;s/excludedAdmin2 ?//'
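An added example (not code from kendalljjohnson, geoffrepoli or Jamf) that does the same job as the two extension attributes above, the earlier dscl-based EA and this one-liner, but compares each admin group member against the exclusion list as a whole username. Both originals match substrings: grep -v "admin" also drops a user called "adminsmith", and sed 's/root ?//' turns "grootbeer" into "gbeer". The GroupMembership line below is a constructed sample; on a Mac the printf is replaced by `dscl . -read /Groups/admin GroupMembership`, and the list of managed accounts is an assumption to be adjusted per site.

```shell
#!/bin/sh
# Added example: extension attribute that reports admin group members other
# than the accounts we manage, matching whole usernames. Not code from the thread.

# Accounts that are expected to be admins and should not be reported (assumed list).
MANAGED_ADMINS="root admin jamfmanager _mbsetupuser"

# CONSTRUCTED sample of `dscl . -read /Groups/admin GroupMembership` output.
# Note "adminsmith" and "grootbeer": real users whose names happen to contain
# "admin" / "root" and must not be silently dropped.
SAMPLE_MEMBERSHIP="GroupMembership: root admin jamfmanager _mbsetupuser adminsmith the_students-name grootbeer"

# unexpected_admins: read dscl output on stdin, print one username per line
# for every member of the admin group that is not in MANAGED_ADMINS.
# Comparison is on the full token, so substrings never match by accident.
unexpected_admins() {
    sed 's/^GroupMembership: *//' | tr ' ' '\n' | awk -v managed="$MANAGED_ADMINS" '
        BEGIN { n = split(managed, m, " "); for (i = 1; i <= n; i++) skip[m[i]] = 1 }
        NF && !($1 in skip) { print $1 }'
}

# ea_result: wrap the list in the <result> tags Jamf expects from an EA.
# With nothing unexpected this prints <result></result>, which is what the
# "is not blank" smart group criterion keys on.
ea_result() {
    printf '<result>%s</result>\n' "$(unexpected_admins)"
}

# Offline run against the constructed sample. On a managed Mac use:
#   dscl . -read /Groups/admin GroupMembership | ea_result
# A per-user check, the dseditgroup route davidacland mentions, would be:
#   dseditgroup -o checkmember -m "$username" admin
printf '%s\n' "$SAMPLE_MEMBERSHIP" | ea_result
```

With the sample input the EA reports adminsmith, the_students-name and grootbeer, including the 10-digit-UID AD mobile account, while the four managed accounts are excluded by exact name.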