How to find all the local users with admin right (or not)

Bernard_Huang
Contributor III

Hi all,

Would any of you have a method to find out via Casper JSS which local user has admin rights or not?

Usually, I would have to click on each computer within inventory, then select "Local User Accounts" , then I would find out if a local user has admin set to yes or no.

We are about to audit around 550 Macbooks, I don't want to click on each Macbook to find out.

Thanks in advance.

mm2270
Legendary Contributor III

Have you done any searches here yet? I ask because there are probably about 5 or 6 different threads here that discuss doing this, usually with the addition of a new Extension Attribute. If you haven't done so already, do some searches for these threads. I'm sure you'll pull them up.

Dinnerticketboy
New Contributor III

SQL Query:

SELECT b.computer_name AS 'Computer Name', username AS 'User Name', realname, admin AS 'Local Admin'
FROM jamfsoftware.user_receipts a INNER JOIN jamfsoftware.computers b ON a.computer_id = b.computer_id
ORDER BY b.computer_name, username;

KarmaIT
New Contributor

We use an Extended Attribute for this based on the following script (which I'm sure I found on Jamf), then just run a search when required

#!/bin/bash

# Script to detect if a computer has a local admin account on it with a UID above 500

# Initialize array
list=()

# Generate user list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 499 { print $1 }'); do

    # Checks to see which usernames are reported as being admins. The
    # check is running dsmemberutil's check membership and listing the
    # accounts that are being reported as admin users. Actual check is
    # for accounts that are NOT not an admin (i.e. not standard users.)
    # dsmemberutil prints "... is a member of ..." or "... is not a member of ...",
    # so the word "not" is matched anywhere in its output.
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then

        # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done

# Prints the array's list contents
echo "<result>${list[@]}</result>"

And for a PC

computername = createobject("wscript.network").computername
set group = getobject("WinNT://" & computername & "/administrators,group")
s = ""
for each account in group.members
s = s & account.name & vbcrlf
next
WScript.Echo "<result>" & s & "</result>"

rickwhois
Contributor

Here's my take on it. I have an extension attribute which searches for members of admin group, and lists them... omitting the root & yourjamf management accounts.

#!/bin/bash
groupmember=$(dscl . -read Groups/admin GroupMembership | cut -c 18- | sed -E -e 's/(root|yourjamfmanagementaccount)//g')
echo "<result>$groupmember</result>"

exit 0

Then I have a smart group that checks this extension attribute for not like "blank". Enable the check for email notifications on group membership so I am notified when any changes occur.

jimmy-swings
Contributor II

Hey @Bernard.Huang ,

I threw this one together for you. Give it a whirl and tell me how you get on!

#!/bin/sh
# Shell variable names may not contain hyphens, so the list is stored in "adminusers".
# Replace "your-admin-user-here" with the management account you want to leave out.
adminusers=$(dscacheutil -q group -a name admin | grep "users" | sed -e 's/users: //g' -e 's/root //g' -e 's/your-admin-user-here //g')
echo "<result>$adminusers</result>"

Chris_Hafner
Valued Contributor II

I've been using the same method that @KarmaIT mentioned. Actually, I've been using that exact EA so perhaps we got it from the same person! The good news is that it works great!

GabeShack
Valued Contributor III

@Chris_Hafner @KarmaIT I'm trying this out but the results are showing mobile AD accounts as well as admin accounts. Below is what I copied from the above EA. I'm sure this has something to do with the high numbers assigned to AD accounts so I may need to tweak the EA further.

#!/bin/bash
list=()
for username in $(dscl . list /Users UniqueID | awk '$2 > 499 { print $1 }'); do
    # dsmemberutil reports "... is not a member of the group" for standard users
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        list+=("${username}")
    fi
done
echo "<result>${list[@]}</result>"

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

NM,
Using @jaz's EA and it seems to be doing the trick. (I'm not sure the EA likes the hyphens in local-admin-users, so I just named this variable adminusers and it worked normally.)
Gabe Shackney
Princeton Public Schools

mm2270
Legendary Contributor III

@gshackney Change the dscl line to

dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 { print $1 }'

That should grab only local users with UIDs between 501 and 999, which excludes cached AD mobile accounts.

Chris_Hafner
Valued Contributor II

See: @mm2270 is the MAN!

GabeShack
Valued Contributor III

Thanks @mm2270 !
Love jamfnation!
Gabe Shackney
Princeton Public Schools

mani2care
Contributor

I tried running the script locally, but the Extension Attribute is not working; I only get a blank result.

thellum
New Contributor III

Based on reading the Check for Admin Accounts EA by @mm2270, I see that the positive return value is "yes" in the script. However, when I use that I get no returns. Caveat: we have two local admin accounts on every user machine: a local admin we use for silent installs among other things, and a security widget for compliance. Ideally, I'd be able to adjust the EA script to account for these two accounts and not return them in results (otherwise the script returns all machines and not just those with admin accounts). I am not a scripter, per se, and wonder if anyone knows how to adjust the script to ignore our two local accounts?

mm2270
Legendary Contributor III

@thellum I'm not sure which script you're referring to, since this is an older thread, but if you're using the one from @gshackney, you can exclude any of your local admin accounts from being checked by including an egrep -v to it and adding the accounts in separated by vertical pipes, |
Here's the EA I'm using to get local admin accounts that excludes any of our known ones.

#!/bin/sh

## A list of the known local admins to be excluded
known_admins="ITAdmin|admin"

## Initialize array
admin_list=()

for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | egrep -v "${known_admins}"); do
    if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep "^yes") ]]; then
    ## Any reported accounts are added to the array list
        admin_list+=("${username}")
    fi
done

## Prints the array's list contents
if [[ "${admin_list[@]}" != "" ]]; then
    echo "<result>${admin_list[@]}</result>"
else
    echo "<result>[ None ]</result>"
fi

Just change where it says "ITAdmin|admin" to include the couple of accounts you'd like to skip. Note the vertical pipe character between the 2 names like I mentioned.

jeanviales
New Contributor II

Hi @mm2270 ,

Hope you're doing well! QQ for you, I'm trying to use your script for the EA in an advanced computer search and also a Smart computer group, however, out of 130 devices only 1 local user account shows up and none of the rest come up at all. Any ideas on what I'm doing wrong? 

Thank you so much for your help and looking forward to hearing back from you.

Jean 

mm2270
Legendary Contributor III

Hi @jeanviales You mentioned that you created a Smart Computer Group from the EA. Can you explain what string you're entering for that? Because the EA I posted prints back a list of account names it finds that have local admin rights. If each Mac has a different account with admin rights, I'm not sure how easy it will be to use that for building a proper Smart Group.

Also, you should confirm that Macs are reporting in new inventory since the time the EA was enabled, because they are inventory collection dependent. Until a Mac reports in, it won't show a value for a newly added Extension Attribute.

jeanviales
New Contributor II

Hey there! Thanks a lot for getting back to me on this! 

That part about "inventory collection dependent" makes a lot of sense because it went from only displaying one to now displaying 61 so far. What I did was create a SCG using your EA script as the criteria with the operator "not like" with a value of "blank". So that it would show me the machines with a local account other than the admin local account.

How exactly do you utilize yours, if you don't mind me asking?

Thanks again!

thellum
New Contributor III

Thank you @mm2270 , will try.
FWIW, we are using a script that has the following in the header, so thought to ping you:

#!/bin/sh

# Script will show all user accounts, if they are local or domain users, and if they have standard or admin privileges

# version 1.0

# by Mike (mm2270 on Jamf Nation) May 2015

thellum
New Contributor III

Hmmm. I have implemented the script and adjusted it for our two local admin accounts to ignore (known_admins="Forescout|macadmin"), but the search returns 0 machines, when there should be at least a few false positives (our Admins' machines, for example, which have local admin on them).
Shouldn't my search look like the following?

mm2270
Legendary Contributor III

@thellum Can you possibly post the entire script you're using? Edit: Never mind. I can see from what you posted now that you're using my script I just posted above.
If you look at it you'll see that yes and no are nowhere output in the script. That's the issue. My EA reports on local admin account names, not a yes or no.

If this helps, I also have the following EA, which reports a number for local accounts found. I set this as an integer EA and can build a Smart Group for any Macs showing an admin account number above 0.

#!/bin/sh


## A list of the known local admins to be excluded
known_admins="ITAdmin|admin"

## Initialize array
admin_list=()

for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | egrep -v "${known_admins}"); do
    if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep "^yes") ]]; then
    ## Any reported accounts are added to the array list
        admin_list+=("${username}")
    fi
done

## Prints the array's list contents
echo "<result>${#admin_list[@]}</result>"

I don't have a copy of that one I made in front of me, so I'd need to see what the expected output of the script is or should be. It may be designed to list any admin accounts rather than send back a "yes" or "no".

The other possibility from what I recall of that script is that you have to change your Operator to like instead of is. "Is" is exact, meaning if any part of the output from the EA or other criteria doesn't match what you enter, it won't end up in the results. Like is more forgiving in that respect so it may show results by changing it to that.
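Added here as an example (not the thread's own code or Jamf's): the filtering used by the name-list EA and the count EA above, applied to constructed stand-ins for the dscl output so it can be tried away from a Mac. It also anchors the known_admins match, since the unanchored egrep -v in those EAs would also drop any account whose name merely contains an excluded name; all account names below are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Jamf. Constructed strings stand in
# for real dscl output on a Mac:
#   USERS      stands in for:  dscl . list /Users UniqueID
#   MEMBERSHIP stands in for:  dscl . -read Groups/admin GroupMembership
USERS='_mbsetupuser 248
root 0
jamfadmin 501
jsmith 502
jadmin 503
mobileuser 1030481234'
MEMBERSHIP='GroupMembership: root jamfadmin jadmin mobileuser'
# Accounts to ignore, same shape as known_admins in the EA above (constructed names).
KNOWN_ADMINS='ITAdmin|jamfadmin'

# Print one local admin account per line: UID 501-999 (skips cached AD mobile
# accounts, which carry very large UIDs), a member of the admin group, and not on
# the known list. The known list is anchored (^...$) so an entry such as
# "jamfadmin" excludes only that exact name and cannot also hide "jadmin".
local_admins() {
    members=$(printf '%s\n' "$MEMBERSHIP" | sed 's/^GroupMembership: //')
    printf '%s\n' "$USERS" \
        | awk '$2 > 500 && $2 < 1000 { print $1 }' \
        | grep -E -v "^(${KNOWN_ADMINS})$" \
        | while read -r user; do
            case " $members " in
                *" $user "*) printf '%s\n' "$user" ;;
            esac
          done
}

# EA output in the two shapes used in the thread: the name list and the count.
ea_result_list() {
    found=$(local_admins | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$found" ]; then
        printf '<result>%s</result>\n' "$found"
    else
        printf '<result>[ None ]</result>\n'
    fi
}
ea_result_count() {
    printf '<result>%s</result>\n' "$(local_admins | grep -c .)"
}

ea_result_list    # <result>jadmin</result>
ea_result_count   # <result>1</result>
```

jsmith is dropped because the user is not in the admin group, jamfadmin because it is on the known list, and mobileuser because its UID is outside the local range; only jadmin survives.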

thellum
New Contributor III

Thank you for the clarification @mm2270 .
I'll work on this some more, but I do appreciate your assistance.

Tildo
New Contributor III

Hi there,

I have managed to get the EA to find the local accounts with admin rights using the script @mm2270 posted above. The EA works fine, but how do I do a saved search that lists the users so I can export a report?