How can you find out who are Administrators on their Macs?

NealIV
Contributor

Is there a script or process that you can push from the JSS that shows you who is an Administrator on their Mac? If I have 2,000 users and maybe I gave them admin access for some reason and forgot to take it back, how can I tell without going to each machine?

1 ACCEPTED SOLUTION

rtrouton
Release Candidate Programs Tester

Josh_S
Contributor III

If you look at the "Details" of a computer, on the left-hand side there is an entry for "Local User Accounts". Listed on the right are the local accounts on the machine, and a field labeled "Admin" will have a true/false entry. If you're looking for a scriptable way to do this, possibly to make an extension attribute, you can use the following snippet to grab the local group membership.

#!/bin/sh
# Prints the members of the local admin group as one line,
# e.g. "GroupMembership: root localadmin jsmith"
dscl . -read /Groups/admin GroupMembership

rtrouton
Release Candidate Programs Tester

NealIV
Contributor

Thanks!

NealIV
Contributor

@rtrouton can you post your results? When I run an inventory report with this attribute checked I get nothing, and I know I have several machines where users are admin. Maybe I am doing something wrong.

rtrouton
Release Candidate Programs Tester

Neal,

Not sure what to tell you, they're working for me. When you check the Local User Accounts section of the inventory for the machines in question, are the user accounts in question listed as Admin: true? That's a separate check that Casper makes as part of gathering inventory info.

Any non-admin accounts should be listed as Admin: false.

mm2270
Legendary Contributor III

Are you sure the Macs have run an inventory submission back to your JSS? Any Extension Attribute will only populate data when the clients submit a report. Otherwise it would just be blank right after you've added it to your server.

NealIV
Contributor

My UIDs are in the thousands because they are managed (AD) accounts, so the UID > 500 is probably different for me. So I am looking for managed accounts that have admin rights.

mm2270
Legendary Contributor III

No, that line should gather all accounts on the Mac that are above UID 500, meaning everything from a local 501 admin user all the way up to infinity (more or less). It should absolutely be grabbing your AD user accounts, unless you don't have them set up as cached local home folders. That might be the only time it wouldn't work right, and I'm not even certain about that.

You could always adjust Rich's script to simply capture everything from UID 1000 and up, but I wouldn't recommend it. You may want to know about any local admin accounts that happened to have been created, either by you or a user who figured out a way to add one.

scottb
Honored Contributor

I ran the above script on my Mac with AD Mobile accounts and it finds all the admins. User ID is over 150000.
I have not run it within Casper though, just manually to test it.

CasperSally
Valued Contributor II

I run an extension attribute that checks # of admin accounts on a machine. I know on a standard machine how many admin accounts are on there, and create a smart group that says for any number larger than my standard, send me an email. I can then check local accounts in JSS to see what's going on with that machine.

#!/bin/sh
# Count every name on the admin group's GroupMembership line (root is normally
# among them): split the value after the colon on spaces and count the lines.
result=`dscl . -read /Groups/admin | grep GroupMembership | awk -F "[':']" '{print $2}' | sed 's/^.//' | tr " " "\n" | wc -l`

echo "<result>$result</result>"
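As an added example (not code from this thread, from Jamf, or from any poster), here is one way to combine Josh_S's dscl read with CasperSally's counting idea into a single extension attribute that also names which admins are unexpected, which is what mm2270's point about forgotten or user-created local admins calls for. The baseline list EXPECTED_ADMINS, the function names, the --live switch and the sample GroupMembership line are all assumptions made for this example; on a Mac the raw input comes from dscl exactly as in Josh_S's snippet.

```shell
#!/bin/sh
# Added example extension attribute (not from this thread): report admin group
# members that are NOT on an expected baseline, plus the total count, so a
# Smart Group can flag Macs where someone was made admin and forgotten.
# EXPECTED_ADMINS, the function names and the sample input are assumptions.

# Accounts that are supposed to be admins on every Mac (constructed baseline).
EXPECTED_ADMINS="root localadmin"

# Turn a raw "GroupMembership: root localadmin jsmith" line into one name per line.
# $1 is the text returned by: dscl . -read /Groups/admin GroupMembership
parse_membership() {
    printf '%s\n' "$1" | awk -F': ' '/^GroupMembership:/ { print $2 }' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Number of names on the GroupMembership line (root is normally among them).
admin_count() {
    parse_membership "$1" | awk 'END { print NR }'
}

# Names on the GroupMembership line that are not in EXPECTED_ADMINS,
# space separated; empty when every admin is an expected one.
unexpected_admins() {
    out=""
    for member in $(parse_membership "$1"); do
        expected=0
        for baseline in $EXPECTED_ADMINS; do
            if [ "$member" = "$baseline" ]; then
                expected=1
            fi
        done
        if [ "$expected" -eq 0 ]; then
            out="$out $member"
        fi
    done
    printf '%s\n' "${out# }"
}

# Run with --live on a Mac to query Directory Services and print the EA result.
# Without it, the functions are exercised on a constructed sample line instead,
# so the parsing can be checked anywhere.
if [ "${1:-}" = "--live" ]; then
    raw=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    extra=$(unexpected_admins "$raw")
    echo "<result>count=$(admin_count "$raw") unexpected=${extra:-none}</result>"
else
    # Constructed sample, shaped like dscl output on a Mac with one extra admin.
    sample="GroupMembership: root localadmin jsmith"
    echo "sample: count=$(admin_count "$sample") unexpected=$(unexpected_admins "$sample")"
fi
```

In the JSS you would paste the script as the extension attribute and build a Smart Group on the result containing anything other than "unexpected=none"; keeping the count in the same result preserves CasperSally's threshold check as a second signal. The baseline is deliberately a short list rather than a UID cut-off, so a local 501 admin and an AD mobile admin with a UID in the thousands are treated the same way.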

jhalvorson
Valued Contributor

After seeing this post, I added rtrouton's EA to our JSS and then ran 'sudo jamf recon' on one my devices to obtain the latest inventory.

It's correctly showing both admin accounts. One is local and the other is an AD mobile account. We manually set the mobile user account to be an admin and do not use an AD group to determine admin accounts.

NealIV
Contributor

OK, I got it to work in Terminal, but for some reason in extended attributes, after creating it like Rich did in his example, it will not give me results when I check inventory on all Macs.

NealIV
Contributor

Maybe it will post after it does inventory on all machines since I added it. I will check after that.

mm2270
Legendary Contributor III

Neal, you should be able to check if it's working before all your Macs inventory. Just target one managed Mac and do a sudo jamf recon on it, or do the same command from Casper Remote in the Advanced > Run Command field (minus sudo).
Then go back and pull up the current inventory on that Mac and check the Extension Attribute to see what it pulled in.

Of course you'd want to make sure you're doing that against a Mac that you know has at least one local admin account on it or you'll still get no results.

TechM
New Contributor III

@rtrouton Thank you for the wonderful EA! This will totally help us do some clean up :)