Posted on 03-21-2013 07:32 AM
Is there a script or process that you can push from the JSS that shows you who is an administrator on their Mac? If I have 2,000 users and maybe I gave them admin access for some reason and forgot to take it back, how can I tell without going to each machine?
Posted on 03-21-2013 07:38 AM
If you look at the "Details" of a computer, on the left-hand side there is an entry for "Local User Accounts". Listed on the right are the local accounts on the machine, and a field labeled "Admin" will have a true/false entry. If you're looking for a scriptable way to do this, possibly to make an extension attribute, you can use the following snippet to grab the local group membership.
#!/bin/sh
# Lists the direct members of the local admin group
dscl . -read /Groups/admin GroupMembership
Posted on 03-21-2013 07:58 AM
I've got an extension attribute that reports this information:
Posted on 03-21-2013 08:14 AM
Thanks!
Posted on 03-21-2013 10:41 AM
@rtouton can you post your results? When I run an inventory report with this attribute checked I get nothing, and I know I have several machines where users are admin. Maybe I am doing something wrong.
Posted on 03-21-2013 10:55 AM
Neal,
Not sure what to tell you, they're working for me. When you check the Local User Accounts section of the inventory for the machines in question, are the user accounts in question listed as Admin: true? That's a separate check that Casper makes as part of gathering inventory info.
Any non-admin accounts should be listed as Admin: false
Posted on 03-21-2013 10:57 AM
Are you sure the Macs have run an inventory submission back to your JSS? Any Extension Attribute will only populate data when the clients submit a report. Otherwise it would just be blank right after you've added it to your server.
Posted on 03-21-2013 11:35 AM
My UIDs are in the thousands because they are managed (AD) accounts, so the UID > 500 is probably different for me. So I am looking for managed accounts that have admin rights.
Posted on 03-21-2013 11:45 AM
No, that line should gather all accounts on the Mac that are above UID 500, meaning everything from a local 501 admin user all the way up to infinity (more or less). It should absolutely be grabbing your AD user accounts, unless you don't have them set up as cached local home folders. That might be the only time it wouldn't work right, and I'm not even certain about that.
You could always adjust Rich's script to simply capture everything from UID 1000 and up, but I wouldn't recommend it. You may want to know about any local admin accounts that happened to have been created, either by you or a user who figured out a way to add one.
Posted on 03-21-2013 11:48 AM
I ran the above script on my Mac with AD Mobile accounts and it finds all the admins. User ID is over 150000.
I have not run it within Casper though, just manually to test it.
Posted on 03-21-2013 11:54 AM
I run an extension attribute that checks # of admin accounts on a machine. I know on a standard machine how many admin accounts are on there, and create a smart group that says for any number larger than my standard, send me an email. I can then check local accounts in JSS to see what's going on with that machine.
#!/bin/sh
# Count the members of the local admin group and report the number as the EA value
result=`dscl . -read /Groups/admin | grep GroupMembership | awk -F "[':']" '{print $2}' | sed 's/^.//' | tr " " "\n" | wc -l`
echo "<result>$result</result>"
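A fuller extension-attribute script, added here as an illustration and not code from any poster in this thread, that combines the two approaches above: it reads the admin group's direct membership the way the dscl snippet does, joins it against the UID table so only accounts with UID 500 or higher are reported (which keeps AD mobile accounts with UIDs in the thousands, as discussed above, and drops root and system accounts), and counts members the way the counting EA does. The parsing is split into functions that take the dscl output as strings, so the logic can be exercised with constructed sample data on any machine; the sample membership line and UID table are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: an extension attribute that lists local
# admin accounts with UID >= 500 and reports the direct member count.
# Assumptions: the function names and sample data are mine; the input formats
# mirror `dscl . -read /Groups/admin GroupMembership` and
# `dscl . -list /Users UniqueID` on macOS.

# Constructed sample data (not captured from a real Mac) so the parsing can be
# run anywhere. root (UID 0) is always a direct admin member; jdoe stands in
# for an AD mobile account with a very high UID.
SAMPLE_MEMBERSHIP="GroupMembership: root localadmin jdoe"
SAMPLE_UIDS="root 0
_mbsetupuser 248
localadmin 501
student 502
jdoe 154213"

# Turn the GroupMembership line into one member name per line.
members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | awk 'NF'
}

# Number of direct members of the admin group (what the counting EA above
# reports; note that it includes root).
count_members() {
    members "$1" | awk 'END { print NR }'
}

# Print direct admin members whose UID is >= 500.
# $1: the GroupMembership line; $2: the "name uid" table from
# `dscl . -list /Users UniqueID`.
admins_over_500() {
    uid_table="$2"
    members "$1" | while read -r user; do
        uid=$(printf '%s\n' "$uid_table" | awk -v u="$user" '$1 == u { print $2; exit }')
        # A name with no UID (e.g. a deleted account still listed in the
        # group) is skipped rather than treated as an error.
        if [ -n "$uid" ] && [ "$uid" -ge 500 ]; then
            printf '%s\n' "$user"
        fi
    done
}

# On a real Mac, run against live directory data and emit the EA result.
# The GroupMembership read only shows direct members; a user who is an admin
# through a nested group or an AD group mapped to admin will not appear. For
# one account, `dseditgroup -o checkmember -m "$user" admin` evaluates
# effective membership instead (exit status 0 means member).
if command -v dscl >/dev/null 2>&1; then
    membership=$(dscl . -read /Groups/admin GroupMembership)
    uids=$(dscl . -list /Users UniqueID)
    list=$(admins_over_500 "$membership" "$uids" | tr '\n' ' ')
    echo "<result>$(count_members "$membership") direct members; UID>=500: $list</result>"
fi
```

With the sample data the count is 3 (root included) and the UID filter reports localadmin and jdoe only. If the smart-group threshold in the counting EA is tuned against a known baseline, remember that root is part of that baseline, and that neither script sees admin rights granted through nested or AD groups.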
Posted on 03-21-2013 12:04 PM
After seeing this post, I added rtrouton's EA to our JSS and then ran 'sudo jamf recon' on one of my devices to obtain the latest inventory.
It's correctly showing both admin accounts. One is local and the other is an AD mobile account. We manually set the mobile user account to be an admin and do not use an AD group to determine admin accounts.
Posted on 03-21-2013 12:20 PM
Ok I got it to work in terminal but for some reason in extended attributes after creating it like Rich did in his example it will not give me results when I check inventory on all Macs.
Posted on 03-21-2013 12:41 PM
Maybe it will post after it does inventory on all machines since I added it. I will check after that.
Posted on 03-21-2013 12:56 PM
Neal, you should be able to check if it's working before all your Macs inventory. Just target one managed Mac and do a sudo jamf recon on it, or do the same command from Casper Remote in the Advanced > Run Command field (minus sudo).
Then go back and pull up the current inventory on that Mac and check the Extension Attribute to see what it pulled in.
Of course you'd want to make sure you're doing that against a Mac that you know has at least one local admin account on it or you'll still get no results.
Posted on 02-24-2020 12:09 AM
@rtrouton Thank you for the wonderful EA! This will totally help us do some clean up :)