How to check if a user is an admin

jszaszvari
New Contributor III

Hi All

I'm trying to simply write a script that will check if the currently logged in user is an admin.

I can get a list of admins by running

'dscl . read /Groups/admin | grep GroupMembership'

And I know when running a script through Casper $3 is the user that's logged in – I'm just having an issue putting it all together.

It might be better as an extension attribute though, Maybe a "Logged in user is admin" and the script can return a yes or no.

Can any scripting gurus provide any assistance? :)

Any help would be appreciated.

Regards
John


tlarkin
Honored Contributor

Something like this might work

#!/bin/bash

#grab all users over UID 500
UserList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

#loop and check group membership
for u in ${UserList} ; do
    # -w matches whole names only, so "ann" does not match inside "joanne"
    if [[ $(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -c -w "$u") -ge 1 ]]; then
        /bin/echo "$u is in the admin group"
    else
        /bin/echo "$u is not in the admin group"
    fi
done

exit 0

Not applicable

John,

You can always look in the details of the computer for the "Local User Accounts" and that will show if a user is an admin or not. I have an extension attribute that I use to get me the list of all the user accounts that are members of the Admin group.
Edit the "print" part to your liking; I have it this way for computers that have over five accounts on them. It doesn't affect the outcome if there are only one or two accounts on the computer.
I have tried building a report in the JSS based on this extension attribute but the "not Like", and "not" filters don't work right now. Jamf has told me they know of this issue and are working on it.

Sean

#!/bin/bash

# members of the local admin group (first name after "GroupMembership:" is usually root)
Admin=$(/usr/bin/dscl . -read /Groups/admin GroupMembership | /usr/bin/awk '{print $2, $3, $4, $5, $6, $7, $8, $9}')

#Output for extension attribute
echo "<result>$Admin</result>"

Not applicable

Since groups can be nested and can come from other domains, looping through dscl output may report false negatives (reporting members as non-members). Much more efficient and reliable to use dseditgroup.

dseditgroup -o checkmember -m <username> <groupname>

or more specifically

dseditgroup -o checkmember -m <username> admin

Armin

tlarkin
Honored Contributor

Yeah, I don't use AD and often forget this. If you are a mixed environment dseditgroup can be more efficient, but if you are pure OD then dscl will work just fine.

sean
Valued Contributor

id should work just fine regardless

#!/bin/bash

# the owner of /dev/console is the user logged in at the GUI
thisUser=$(/usr/bin/stat -f%Su /dev/console)
# full id output contains "80(admin)"; id -Gn prints group names only, so it would never match
usersGroups=$(/usr/bin/id "$thisUser")

if [[ "$usersGroups" =~ "80(admin)" ]]
then /bin/echo "$thisUser - Admin"
else /bin/echo "$thisUser - Staff"
fi

Sean

tlarkin
Honored Contributor

You sure that will work with AD users and the admin AD plug-in stuff? I don't use AD so I wouldn't know, but from what I read on other mailing lists it puts those users in domain admins or something different, so they probably won't be in group 80.

Can anyone confirm this is correct or not?

sean
Valued Contributor

Yeah, you may need to change it, depending on your setup, but anyone created as a local admin user will show as group 80, be they a network user (AD, etc.) or otherwise. If you want different group numbers or names it's easy enough to change or add further 'if's. I imagined he wasn't looking for network admins. I was thinking he wanted to find out which users had been configured on which machines as admins. This was really just a base to build from.

You could use:

usersGroups=$(/usr/bin/id -G "$thisUser")

# padded with spaces so the first and last group IDs also match
if [[ " $usersGroups " =~ " 80 " ]]

or depending on how it reports back, maybe

usersGroups=$(/usr/bin/id -Gn "$thisUser")

if [[ " $usersGroups " =~ " admin " ]]

For John's benefit, you can OR if statements too with double pipe:

if [ x = y ] || [ y = Z ]

So if it turns out there are 2 user groups you are after you could use that.

Sean
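Pulling the replies together into one extension attribute, as an added example that is not code from anyone in this thread: it uses Armin's dseditgroup check for the live answer (which follows nested and directory-service groups) and keeps exact-name matching helpers for the dscl GroupMembership and `id -Gn` styles that tlarkin and Sean posted, so a user called "ann" is not reported as an admin because "joanne" is one. The assumptions, none of which the thread states, are that dseditgroup exits 0 when the user is a member and non-zero otherwise, that Jamf passes the logged-in user as $3, and that the owner of /dev/console is the GUI user when $3 is absent (root when nobody is logged in). The function names and the sample membership lines are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the original thread.
# Assumptions (not stated in the thread): dseditgroup exits 0 when the user is
# a member and non-zero otherwise; Jamf passes the logged-in user as $3; the
# owner of /dev/console is the GUI user (root when nobody is logged in).

# Exact-name match of USER in a dscl GroupMembership line such as
# "GroupMembership: root admin joanne". A plain grep would also match "ann"
# inside "joanne"; comparing whole names avoids that false positive.
user_in_membership_line() {
    local line="$1" user="$2" name
    for name in ${line#GroupMembership:}; do
        if [ "$name" = "$user" ]; then
            return 0
        fi
    done
    return 1
}

# Exact-name match of GROUP in `id -Gn` output ("staff admin everyone ...").
# Padding with spaces lets the first and last group match " admin " too.
user_groups_contain() {
    local groups="$1" group="$2"
    case " $groups " in
        *" $group "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Preferred live check: dseditgroup resolves nested and directory-service
# groups, which a loop over the local GroupMembership attribute does not.
user_is_admin() {
    /usr/bin/dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

main() {
    # $3 is the logged-in user when Jamf runs the script; otherwise fall back
    # to the owner of /dev/console.
    local user="${3:-$(/usr/bin/stat -f%Su /dev/console)}"
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "<result>No user logged in</result>"
        return 0
    fi
    if user_is_admin "$user"; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
}

# Only run the live check on macOS; the matching helpers above run anywhere.
if [ "$(uname)" = "Darwin" ] && [ -x /usr/bin/dseditgroup ]; then
    main "$@"
fi
```

Run it as a Jamf extension attribute and the `<result>` line is Yes, No, or "No user logged in"; the two helpers are only there to show how to compare names exactly if you prefer to stay with dscl or id output, and neither would catch a user who is an admin only through a nested or domain group, which is why the live check goes through dseditgroup.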