How to check if a user is a local or AD user?

jhuls
Contributor III

I'm working on a shell script for a project that needs to detect in it if the logged in user is a local or AD account. Can someone point me in the right direction?


spraguga
Contributor

jhuls
Contributor III

Thanks!

If the UID information presented could be relied upon then I think I could make that work, but it sounds like it's easy for someone to change it.

The other method that lists the users doesn't seem to work in El Capitan.

Due to our environment I could probably rely on the UID, but it would be nice if there was a more foolproof method.

mm2270
Legendary Contributor III

In my scripts I look for a specific key in their local cached account with dscl called "OriginalAuthenticationAuthority". Local accounts do not have this key, but AD cached mobile accounts will.

#!/bin/sh

# Account that currently owns the console, i.e. the logged-in GUI user
loggedInUser=$(stat -f%Su /dev/console)

# Cached AD mobile accounts carry OriginalAuthenticationAuthority in the local node;
# plain local accounts do not, so dscl prints nothing (and its error is silenced)
accountCheck=$(dscl . read "/Users/$loggedInUser" OriginalAuthenticationAuthority 2>/dev/null)

if [ -n "$accountCheck" ]; then
    echo "User $loggedInUser is an AD account"
else
    echo "User $loggedInUser is a local account"
fi

spraguga
Contributor

@jhuls I wouldn't rely on UID as mentioned in the post I provided. Those commands are working in El Cap.

I've also seen in testing if a mobile account is deleted and then you add a local account with the same username it can pick up the old network UID. So beware of that!

jhuls
Contributor III

@mm2270 I just copied/pasted that script to a machine and ran it with a user account (mine) that is a domain account. It came back saying that my account was local. This is on El Capitan with "Create mobile account at login" unchecked.

mm2270
Legendary Contributor III
This is on El Capitan with the Create mobile account at login unchecked.

Well, that's why. I specifically said this works for cached AD mobile accounts. If you're only logged in with an AD network account, then I can't help there. I'm not sure how to know the account is AD based in that case, but I'd imagine there's some way. But the bigger question is, why are you not using cached mobile accounts?

jhuls
Contributor III

@mm2270 I know you mentioned that, but sometimes I find people being specific has more to do with what their environment calls for and not so much that it only applies to that, which is why I was specific with how I responded. At any rate, on a day with a bit more sleep I might have put two and two together... sorry for the hassle.

As for why we're not using mobile accounts... I inherited machines configured that way, but in all fairness I didn't know any better when I took over. Once I learned more about it we've been slowly converting machines over, but it's a slow process and has been a low priority, so I try to test against both when I think it might apply (like this). Hopefully this summer we'll get them finished up.

I appreciate the help. Unfortunately it looks like I can't use this at this time, but I'll certainly file it away for future use. Unless there's a better method, UIDs might be my only choice if I want something that works consistently between everything, even if it's not advisable. Of course I've not tested that yet, so I'm crossing fingers.

jhuls
Contributor III

@spraguga Thanks for the tip! I don't see that happening here but it's good to know.

mm2270
Legendary Contributor III

I wish I had a non-cached AD account I could test against here. I have a feeling there must be some way to check the account in the command line and determine if it's a network account or not, but again, I don't know. Maybe someone else will chime in who also uses network accounts and can help guide you there.

I think for now, UID value may be the way to go, and honestly, unless you have some savvy users who are somehow looking to get around things, I doubt most users are going to spoof the UID value on their local account. To make it a little more reliable, you could check to see what range your AD accounts start at, and make sure the UID value is at least in that range. For example, most folks use 1000 and up as the basis for the check, but here, our AD account UIDs start at a much higher number, like 100,000,000 or something insane like that.

jhuls
Contributor III

@mm2270 Hmmm...that brings up a question then...how would someone define what UID range is used?

mm2270
Legendary Contributor III

I think that question would need to be directed at whoever manages AD for you. I have a feeling it's a setting in AD as to what range the account UIDs get set to.

Or, did you mean, how would you check the UID in a script to see if it falls into that range?

jhuls
Contributor III

I meant regarding AD. I found that I can use "id -u" to grab the uid of a user so I figure I should be able to whip a simple script to check against that. I'll have to look into the uid range although I'm guessing our network staff has it left at the default.

davidacland
Honored Contributor II

In case it helps, I've used this code in the past to check:

#!/bin/bash

# AppleMetaNodeLocation is the node the /Search path resolved the account from:
# "/Local/Default" for accounts in the local node, "/Active Directory/..." for
# accounts served by AD. cut -d / -f 2 keeps the first path component.
# Note: $USER is the user running the script, not necessarily the console user.
isUserLocal=$(dscl /Search -read "/Users/$USER" | grep AppleMetaNodeLocation | cut -d / -f 2)

if [[ $isUserLocal == Local ]]; then
    exit 1  # If they are Local then exit
else
    exit 0
fi
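The three signals discussed in this thread (mm2270's OriginalAuthenticationAuthority check for cached mobile accounts, davidacland's AppleMetaNodeLocation check for where /Search resolved the record, and the UID-range fallback with spraguga's warning about a re-created local account inheriting an old network UID) combined into one classifier. This is an added example and not code from any poster. The classifier takes the text of a dscl record as input so it can be tried with the constructed records below on any POSIX shell; only check_console_user shells out to stat, dscl and id and therefore needs a Mac. The usernames, the EXAMPLE domain, the UID values and the default minimum directory UID of 1000 are all assumptions; the node path prefixes "/Local/Default" and "/Active Directory/" are the strings dscl prints for those nodes.

```shell
#!/bin/sh
# Added example (not from the thread): classify a macOS account as local,
# cached AD mobile, or AD network-only from the attributes discussed above.
# Pure functions work on dscl output passed in as text; only check_console_user
# actually runs stat/dscl/id and so only means something on a Mac.

# Print the (first) value of one attribute from a `dscl ... -read` record on stdin.
# dscl prints "Key: value" on one line, or "Key:" followed by values on indented lines.
dscl_attr() {
    awk -v key="$1" '
        $0 ~ ("^" key ":") {
            v = $0; sub("^" key ":[ ]*", "", v)
            if (v != "") { print v; exit }
            if ((getline line) > 0) { sub(/^ +/, "", line); print line }
            exit
        }'
}

# classify_account RECORD UID [AD_MIN_UID]
#   RECORD     text of `dscl /Search -read /Users/NAME` ("" if the lookup failed)
#   UID        the account's numeric UID, as printed by `id -u NAME`
#   AD_MIN_UID lowest UID your directory hands out; 1000 is an assumption here,
#              the real range comes from whoever runs AD (see the thread)
classify_account() {
    rec=$1; uid=$2; ad_min_uid=${3:-1000}
    case $uid in ''|*[!0-9]*) uid=0 ;; esac   # non-numeric UID: treat as 0

    node=$(printf '%s\n' "$rec" | dscl_attr AppleMetaNodeLocation)
    orig_auth=$(printf '%s\n' "$rec" | dscl_attr OriginalAuthenticationAuthority)

    case $node in
        "") echo unknown ;;                       # no record: user not found anywhere
        /Local/*)
            # /Search resolved the record from the local node: either a plain local
            # account or a cached mobile account, which keeps OriginalAuthenticationAuthority
            if [ -n "$orig_auth" ]; then
                echo ad-mobile
            elif [ "$uid" -ge "$ad_min_uid" ]; then
                echo local-suspicious-uid     # local record wearing a directory-range UID
            else
                echo local
            fi ;;
        "/Active Directory/"*) echo ad-network ;;   # served straight from AD, not cached
        *) echo other-directory ;;                  # LDAP or some other directory node
    esac
}

# Live check for the console user (optional arg: minimum directory UID). Mac only.
check_console_user() {
    user=$(stat -f%Su /dev/console)
    rec=$(dscl /Search -read "/Users/$user" 2>/dev/null)
    classify_account "$rec" "$(id -u "$user")" "$1"
}

# Constructed sample records (not real dscl dumps), trimmed to the relevant keys.
LOCAL_REC='AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
RealName:
 Alice Local
RecordName: alice
UniqueID: 501'

MOBILE_REC='AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority: ;Kerberosv5;;bob@EXAMPLE.COM;EXAMPLE.COM;
OriginalAuthenticationAuthority: ;Kerberosv5;;bob@EXAMPLE.COM;EXAMPLE.COM;
RecordName: bob
UniqueID: 1812345678'

NETWORK_REC='AppleMetaNodeLocation: /Active Directory/EXAMPLE/All Domains
AuthenticationAuthority: ;Kerberosv5;;carol@EXAMPLE.COM;EXAMPLE.COM;
RecordName: carol
UniqueID: 1523456789'

if command -v dscl >/dev/null 2>&1; then
    check_console_user 1000
else
    echo "alice: $(classify_account "$LOCAL_REC" 501)"
    echo "bob:   $(classify_account "$MOBILE_REC" 1812345678)"
    echo "carol: $(classify_account "$NETWORK_REC" 1523456789)"
fi
```

The "local-suspicious-uid" result is the case spraguga describes: a record that lives only in the local node but carries a UID from the directory range. Whether that is treated as local, as AD, or as something to alert on is a policy decision; the classifier just surfaces it instead of silently trusting the UID.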