Posted on 03-26-2017 10:17 PM
Hi all,
Would any of you have a method to find out via Casper JSS which local user has admin rights or not?
Usually, I would have to click on each computer within inventory, then select "Local User Accounts", then I would find out whether a local user has admin set to yes or no.
We are about to audit around 550 MacBooks; I don't want to click on each MacBook to find out.
Thanks in advance.
Posted on 03-26-2017 11:16 PM
Have you done any searches here yet? I ask because there are probably about 5 or 6 different threads here that discuss doing this, usually with the addition of a new Extension Attribute. If you haven't done so already, do some searches for these threads. I'm sure you'll pull them up.
Posted on 03-27-2017 04:00 AM
SQL Query:
SELECT b.computer_name AS 'Computer Name', username AS 'User Name', realname, admin AS 'Local Admin'
FROM jamfsoftware.user_receipts a INNER JOIN jamfsoftware.computers b ON a.computer_id = b.computer_id
ORDER BY b.computer_name, username;
Posted on 03-27-2017 04:37 AM
We use an Extended Attribute for this based on the following script (which I'm sure I found on Jamf), then just run a search when required
#!/bin/bash
list=()
# Only accounts with UID 500 and above are real user accounts; the rest are system/service accounts.
for username in $(dscl . list /Users UniqueID | awk '$2 > 499 { print $1 }'); do
    # dsmemberutil prints "user is a member of the group" or "user is not a member of the group",
    # so test for the "not a member" phrase rather than the bare word "not".
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *"not a member"* ]]; then
        list+=("${username}")
    fi
done
echo "<result>${list[@]}</result>"
And for a PC
computername = createobject("wscript.network").computername
set group = getobject("WinNT://" & computername & "/administrators,group")
s = ""
for each account in group.members
s = s & account.name & vbcrlf
next
WScript.Echo "<result>" & s & "</result>"
Posted on 03-27-2017 05:02 AM
Here's my take on it. I have an extension attribute which searches for members of admin group, and lists them... omitting the root & yourjamf management accounts.
#!/bin/bash
groupmember=$(dscl . -read Groups/admin GroupMembership | cut -c 18- | sed -E -e 's/(root|yourjamfmanagementaccount)//g')
echo "<result>$groupmember</result>"
exit 0
Then I have a smart group that checks this extension attribute for not like "blank". Enable the check for email notifications on group membership so I am notified when any changes occur.
Posted on 03-27-2017 05:41 AM
Hey @Bernard.Huang ,
I threw this one together for you. Give it a whirl and tell me how you get on!
#!/bin/sh
# Read the admin group's member list from the directory cache, then drop the
# "users:" label, root, and your management account from the result.
# (Shell variable names cannot contain hyphens, so the variable uses underscores.)
local_admin_users=$(dscacheutil -q group -a name admin | grep "users" | sed -e 's/users: //g' -e 's/root //g' -e 's/your-admin-user-here //g')
echo "<result>$local_admin_users</result>"
Posted on 03-27-2017 10:08 AM
I've been using the same method that @KarmaIT mentioned. Actually, I've been using that exact EA so perhaps we got it from the same person! The good news is that it works great!
Posted on 03-26-2018 05:58 AM
@Chris_Hafner @KarmaIT I'm trying this out but the results are showing mobile AD accounts as well as admin accounts. Below is what I copied from the above EA. I'm sure this has something to do with the high numbers assigned to AD accounts so I may need to tweak the EA further.
#!/bin/bash
list=()
for username in $(dscl . list /Users UniqueID | awk '$2 > 499 { print $1 }'); do
    # dsmemberutil prints "user is a member of the group" or "user is not a member of the group";
    # comparing the whole output against the bare word "not" would match every account.
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *"not a member"* ]]; then
        list+=("${username}")
    fi
done
echo "<result>${list[@]}</result>"
Gabe Shackney
Princeton Public Schools
Posted on 03-26-2018 07:35 AM
NM,
Using @jaz's EA and it seems to be doing the trick. (I'm not sure the EA likes the hyphens in local-admin-users, so I just named this variable adminusers and it worked normally.)
Gabe Shackney
Princeton Public Schools
Posted on 03-26-2018 07:38 AM
@gshackney Change the dscl line to
dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 { print $1 }'
That should grab only local users with UIDs between 501 and 999, which excludes cached AD mobile accounts.
Posted on 03-28-2018 05:34 AM
See: @mm2270 is the MAN!
Posted on 03-28-2018 05:36 AM
Thanks @mm2270 !
Love jamfnation!
Gabe Shackney
Princeton Public Schools
Posted on 05-27-2020 09:03 AM
I tried running the script locally, but the Extension Attribute is not working; I am getting a blank result only.
Posted on 05-05-2021 10:59 AM
Based on reading the Check for Admin Accounts EA by @mm2270 , I see that the positive value return is "yes" in the script. However, when I use that I hit no returns. Caveat: we have two local admin accounts on every user machine - a local admin we use for silent installs among other things, and a security widget for compliance. Ideally, I'd be able to adjust the EA script to account for these two accounts and not return them in results (otherwise the script returns all machines and not just those with admin accounts). I am not a scripter, per se, and wonder if anyone knows how to adjust the script to ignore our two local accounts?
Posted on 05-05-2021 11:32 AM
@thellum I'm not sure which script you're referring to, since this is an older thread, but if you're using the one from @gshackney, you can exclude any of your local admin accounts from being checked by including an egrep -v to it and adding the accounts in separated by vertical pipes, |
Here's the EA I'm using to get local admin accounts that excludes any of our known ones.
#!/bin/sh
## A list of the known local admins to be excluded
known_admins="ITAdmin|admin"
## Initialize array
admin_list=()
for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | egrep -v "${known_admins}"); do
if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep "^yes") ]]; then
## Any reported accounts are added to the array list
admin_list+=("${username}")
fi
done
## Prints the array's list contents
if [[ "${admin_list[@]}" != "" ]]; then
echo "<result>${admin_list[@]}</result>"
else
echo "<result>[ None ]</result>"
fi
Just change where it says "ITAdmin|admin" to include the couple of accounts you'd like to skip. Note the vertical pipe character between the 2 names like I mentioned.
Posted on 08-09-2021 08:57 AM
Hi @mm2270 ,
Hope you're doing well! QQ for you, I'm trying to use your script for the EA in an advanced computer search and also a Smart computer group, however, out of 130 devices only 1 local user account shows up and none of the rest come up at all. Any ideas on what I'm doing wrong?
Thank you so much for your help and looking forward to hearing back from you.
Jean
Posted on 08-10-2021 08:51 AM
Hi @jeanviales You mentioned that you created a Smart Computer Group from the EA. Can you explain what string you're entering for that? Because the EA I posted prints back a list of account names it finds that have local admin rights. If each Mac has a different account with admin rights, I'm not sure how easy it will be to use that for building a proper Smart Group.
Also, you should confirm that Macs are reporting in new inventory since the time the EA was enabled, because they are inventory collection dependent. Until a Mac reports in, it won't show a value for a newly added Extension Attribute.
Posted on 08-10-2021 02:00 PM
Hey there! Thanks a lot for getting back to me on this!
That part about "inventory collection dependent" makes a lot of sense because it went from only displaying one to now displaying 61 so far. What I did was create a SCG using your EA script as the criteria with the operator "not like" with a value of "blank". So that it would show me the machines with a local account other than the admin local account.
How exactly do you utilize yours, if you don't mind me asking?
Thanks again!
Posted on 05-05-2021 11:36 AM
Thank you @mm2270 , will try.
FWIW, we are using a script that has the following in the header, so thought to ping you:
#!/bin/sh
# Script will show all user accounts, if they are local or domain users, and if they have standard or admin privileges
# version 1.0
# by Mike (mm2270 on Jamf Nation) May 2015
Posted on 05-05-2021 11:46 AM
Hmmm. I have implemented the script and adjusted for our two local admin accounts to ignore ("known_admins="Forescout|macadmin"), but the search returns 0 machines, when there should be at least a few false positives (our Admins' machines, for example, which have local admin on them).
Shouldn't my search look like the following?
Posted on 05-05-2021 12:26 PM
@thellum Can you possibly post the entire script you're using?
Edit: Never mind. I can see from what you posted now that you're using my script I just posted above.
If you look at it you'll see that yes and no are nowhere output in the script. That's the issue. My EA reports on local admin account names, not a yes or no.
If this helps, I also have the following EA, which reports a number for local accounts found. I set this as an integer EA and can build a Smart Group for any Macs showing an admin account number above 0.
#!/bin/sh
## A list of the known local admins to be excluded
known_admins="ITAdmin|admin"
## Initialize array
admin_list=()
for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | egrep -v "${known_admins}"); do
if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep "^yes") ]]; then
## Any reported accounts are added to the array list
admin_list+=("${username}")
fi
done
## Prints the array's list contents
echo "<result>${#admin_list[@]}</result>"
I don't have a copy of that one I made in front of me, so I'd need to see what the expected output of the script is or should be. It may be designed to list any admin accounts rather than send back a "yes" or "no".
The other possibility from what I recall of that script is that you have to change your Operator to like instead of is. "Is" is exact, meaning if any part of the output from the EA or other criteria doesn't match what you enter, it won't end up in the results. Like is more forgiving in that respect so it may show results by changing it to that.
Posted on 05-05-2021 02:06 PM
Thank you for the clarification @mm2270 .
I'll work on this some more, but I do appreciate your assistance.
03-30-2022 04:12 AM - edited 03-30-2022 04:25 AM
Hi there,
I have managed to get the EA to find the local accounts with admin rights with the script @mm2270 has shared above. The EA works fine, but when I try to do a saved search to list the users in a list to export a report?