Posted on 04-04-2016 11:58 AM
Hey guys, I am writing a script to pull admin users from dscl but to not include our service accounts, for example
users=`dscl . -read /Groups/admin GroupMembership | grep "multiple" "users
How can I get grep to remove those so I can report all users except a few?
Thanks.
Posted on 04-04-2016 12:10 PM
So, there are certainly more efficient ways to do this than looking at the admin group in dscl, but I don't want to start diverting from the intent of your question. So, here's one way, maybe not the best way, but it works. Pipe the result through tr to convert the spaces between each name ' ' to a new line '\n'.
It's very unlikely any local account names have spaces in them since the OS doesn't really allow it normally, i.e., you need to do something "special" to have an account shortname with a space in it.
dscl . -read /Groups/admin GroupMembership | tr ' ' '\n'
You can then use grep or better, egrep to locate just the accounts you want since each name will be on its own line.
dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' | egrep -o "administrator|casperadmin"
administrator
casperadmin
Edit: Sorry, I just re-read your post and see you want to exclude some accounts, not only look for some. The same process should work, but you will want to use egrep -v in this case. Using the above account names as examples, it might look like this.
dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' | egrep -v "GroupMembership|administrator|casperadmin"
Note that you also need to egrep -v out the GroupMembership: line. You could also sed it away, but since you're already using grep it's just easier to exclude it as well.
Posted on 04-04-2016 12:23 PM
Hi @Matt
I use a similar syntax: grep -v 'exclude1|exclude2|etc' which does the same thing.
Out of interest, what's the end goal?
Posted on 04-04-2016 07:23 PM
I'd print the whole list minus the first line about group membership so you have a list of all accounts with admin privs and then create a smart group for those computers that aren't those specified accounts.
dscl . -read /Groups/admin GroupMembership | tr ' ' '\n' | sed 1d
Posted on 04-05-2016 01:50 AM
Unless you are 100% satisfied that the accounts you wish to remove from the report will never overlap with other user names, then grep should probably be avoided.
For example, imagine you wished to remove 'root' and 'admin', but user Sean Uproot 'suproot' should be your returned username
$ echo -e "root\nadmin\nsuproot"
root
admin
suproot
$ echo -e "root\nadmin\nsuproot" | egrep -v "root|admin"
$
As suproot contains root, this username has also incorrectly been removed from the list.
See this thread on listing Non Admins. There are also examples there that may be what you are after that do exact pattern matching.
Posted on 04-05-2016 05:32 AM
Good point. I could see Sean Uproot causing lots of IT departments problems! Along with Johnny Droptable ;)
Posted on 04-05-2016 07:52 AM
@sean I would generally agree with you that grep can give false positives, or false negatives in some cases, and your point generally stands. However, just wanted to say that the problem can be avoided simply by enclosing each account name in the closing and ending line tags, which egrep or grep honor, which I'm sure you already know.
$ echo -e "root\nadmin\nsuproot" | egrep -v "^root$|^admin$"
$ suproot
I'll admit the above starts to look a bit ugly, but it still works. Other than that, the thread you linked to has other solutions, so in the end it may come down to preference.
I would also agree with @aporlebeke that, depending on the specific needs, it may make more sense to build an EA that simply captures all usernames that are admins, rather than trying to craft it to capture something specific.
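The exact-match exclusion discussed in the posts above, written out as an added example that is not part of any post in this thread. SAMPLE_DSCL is constructed input in the shape dscl prints, and EXCLUDED and the function names are hypothetical; the unanchored filter is included only to show the overlap problem side by side.

```shell
#!/bin/sh
# Constructed sample of what
#   dscl . -read /Groups/admin GroupMembership
# prints: one "GroupMembership:" label followed by space-separated short names.
SAMPLE_DSCL='GroupMembership: root administrator casperadmin suproot svc_backup'

# Hypothetical exclusion list, one account short name per line.
EXCLUDED='root
administrator
casperadmin'

# list_admins: read dscl output on stdin, print one member per line.
list_admins() {
    sed 's/^GroupMembership:[[:space:]]*//' | tr -s ' ' '\n' | sed '/^$/d'
}

# filter_admins: drop only members whose whole name equals an excluded name.
#   -F  fixed strings, so characters such as "." in a name are not regex syntax
#   -x  the pattern must match the entire line ("suproot" is not "root")
#   -v  print the lines that did not match
# grep accepts several patterns in one -e argument when separated by newlines.
filter_admins() {
    rc=0
    list_admins | grep -vxF -e "$EXCLUDED" || rc=$?
    # grep exits 1 when every member was excluded; an empty report is valid.
    [ "$rc" -le 1 ]
}

# substring_filter: the unanchored egrep -v form, kept for comparison.
substring_filter() {
    list_admins | grep -Ev 'root|administrator|casperadmin'
}

echo "exact match:"
printf '%s\n' "$SAMPLE_DSCL" | filter_admins
echo "substring match:"
printf '%s\n' "$SAMPLE_DSCL" | substring_filter
```

On a Mac, replace the printf of SAMPLE_DSCL with the real dscl command; for an audit report the exact-match form is the one that keeps an unexpected admin such as suproot visible.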
Posted on 04-05-2016 08:11 AM
Yeah, I get the unlikeliness of that name overlap, but then I didn't realise you already knew what names he has used for his accounts he doesn't want to report on, name structure for their users and the knowledge that they will never employ anybody in the future or add another admin account that would have a name overlap :O
Just an example.
No point scripting it if you don't care if the answer is correct or not :P
Posted on 04-05-2016 08:16 AM
@mm2270 Yeah, that egrep works. I kinda went with the option of match each user so you could choose to include, exclude, report both all in one and people could take what they wanted from it.
Posted on 04-05-2016 08:26 AM
We have an audit happening and they aren't looking for data to look very specific, they are looking at the Macs as Macs and they won't let us use our SCCM plugin. My goal is to do the following...
dscl . read /Groups/admin GroupMembership....
List users....
Remove known accounts from this list
service_whatever
casper_whatever
root
Unless there is another way to approach it. I know it's really kludgy, it's the only way we can run this report and they won't let us use any other methods. Whichever method is the best we plan on using this as an EA.
Posted on 04-05-2016 08:34 AM
@Matt Looks to me like you've been presented with a couple of possible solutions here and on linked threads, so pick your poison :)
Posted on 04-05-2016 09:15 AM
I'm testing these right now thanks for all the help guys. The SCCM plugin would have solved all of this!!! But hey, red tape!
Posted on 04-05-2016 10:54 AM
Why not try dseditgroup?
dseditgroup -o checkmember -m tlarkin admin
yes tlarkin is a member of admin
can pipe to awk to grab either yes or no answer
dseditgroup -o checkmember -m tlarkin admin | awk '{ print $1 }'
yes
dseditgroup -o checkmember -m guest admin | awk '{ print $1 }'
no
From there you just need to build logic to grab all actual users on a device to see if they are an admin or not, and typically I do this by UID range.