You could use configuration profile to disable the 'users & groups'.

Hi,

Thanks for your answer, are they still able to change there password in this section?

Thanks.

Once blocked, Users and Groups will be unaccessible.

@txhaflaire you could have them change their password in System Preferences-> Security & Privacy

@Johnny.Kim Thanks, we have deployed the mobileconfig but when using ADPASSMON and they use change password the still are able to come in the pane.

@osxadmin Thanks for your reply!

There's a few other ways the users could create accounts if they really wanted to. sysadminctl and dscl could both do it from the terminal.

Not sure how technical the users are so this might not be an issue.

I would probably go with blocking the users and groups preference pane as a "deterrent" on the understanding that there are other ways they could get around it.

Any other solutions I can think of would be quite "hacky".

@davidacland Thank you for your reply !

Hi,

One way to monitor whether the user has made use of those commands might be to set up a extended attribute to count the number of local accounts, including invisible and service accounts, via a dscl call, and then subtract all known legitimate service accounts from that count.

Your remaining count should then be two - the local admin account and the legitimate user account. You could even take two off that to get a good result of 0.

Any machines which return above 0 are then visible together in a smart group as "out of security policy".

I think something like that would work, but I don't quite have time to bash it out myself this moment, if anyone wants to run with it, or is it flawed as an idea?

@txhaflaire you're going to want to move away from ADPassMon per macmule's blog post - https://macmule.com/2017/04/01/adpassmon-is-dead-long-live-nomad/#more-2662 - as it is no longer being maintained.

We were using ADPassMon as well, but are in process of moving to NoMAD.