Inventory: how to gather/display Local User account/admins info

carlo_anselmi
Contributor III

Hello, forgive me if this has already been discussed here...

I am trying to find a way to gather/show inventory information about users
and if they have admin rights.
There should only be a local admin user.

If I edit a computer's details within the JSS, I can already see users/home
directories within "Local User Accounts" with Admin: "true" or "false".
How can I display the existing-users field for all computers at once within a
report?
I tried to add/edit an Extension Attribute but don't know how
to create it correctly.

Would you be so kind as to help me?
Many thanks for your attention
Ciao
Carlo


tlarkin
Honored Contributor

Carlo,

I wrote a script for this to use extension attributes. You simply copy/paste the script, ensure it is executable and has proper ownership and toss it in Casper Admin. The script assumes that any local admin account you use for Casper or for internal IT use will have a UID of lower than 500. Not everyone uses this design so you may have to add your local IT account or what not if it has UID greater than 500. That shouldn't be a big deal if you know what accounts should have admin rights.

Then just scope your policy, let it run, and when you do extension attribute searches the results should show.

-Tom

carlo_anselmi
Contributor III

Hello Tom, thank you for the hint. I found your script.

I was hoping to use it to highlight a few troublesome machines where I am experiencing local admins losing their admin rights (random).

The script finds users but their UID is not relevant: although my local admin is always 501, I have to rely on the value "Admin: true" or "false" within Local User Accounts in the JSS to see if the admin user is an actual admin or not.

The handy thing is that your script fails on machines where the local admin is not one, as it gives "DS Error: -14136 (eDSRecordNotFound)", and therefore it's easy to see where the problems are.

I have yet to find out what caused this problem; likely the update to 10.6.7 was not properly applied.
I did not have any luck trying any of the many suggested fixes either and ended up reimaging clients (4-5 so far).
https://discussions.apple.com/thread/2809053?start=0&tstart=0

Many thanks again!
Ciao
Carlo

From: Thomas Larkin <tlarki at kckps.org>
Date: Tue, 31 May 2011 08:51:42 -0500
To: Carlo Anselmi <carlo.anselmi at interpublic.com>, List Casper <casper at list.jamfsoftware.com>
Subject: Re: [Casper] Inventory: how to gather/display Local User account/admins info

jeffrey_fesunof
New Contributor

Tom or Carlo, can either of you post a link to where this script was written up in JAMF Nation? Tom, you have a lot of posts to sift through.

I'm also looking for a way to take the JAMF collected data about a local account's status on local Admin rights (Yes or No) so that I can somehow create a smart group about this.

tlarkin
Honored Contributor

Hey Jeffrey,

Here is a copy of the EA I have on my laptop. It only has logic to check if the current user has admin rights, and it only happens at recon.

#!/bin/bash

# Short name of the user who owns /dev/console (the logged-in GUI user).
currentUser=$(ls -l /dev/console | awk '{ print $3 }')
# dseditgroup prints "yes <user> is a member of admin" or "no <user> is NOT a member of admin";
# keep only the leading yes/no word.
checkAdmin=$(dseditgroup -o checkmember -m "${currentUser}" admin | awk '/yes/ { print $1 }')

# Only report a value when the console user is an admin; otherwise the EA stays empty.
if [[ ${checkAdmin} == 'yes' ]]
  then echo "<result>has admin</result>"
fi

Then I would build a smart group based on the results of this EA. I could then scope policy to do whatever I needed, or get near real time reporting on it.

If you wanted to get all your user accounts checked for admin membership it would be a bit different logic in the script, and if you do go that route, any local IT account (and the management account) would have to be ignored or you may get false positives.

I hope this helps.

Thanks,
Tom
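Tom's "all accounts" variant, written out here as an added example that is not Tom's or Jamf's code: every local account with a UID of 500 or higher is checked with dseditgroup, and an allowlist of expected admins (the names local_admin_account and jamfmanagement are placeholders) handles the IT and management accounts he says must be ignored to avoid false positives.

```shell
#!/bin/bash
# Added example, not Tom's EA: report every local account with UID >= 500 that
# is in the admin group, minus an allowlist of accounts expected to be admins.
# The allowlist names below are placeholders; replace them with your own.
EXPECTED_ADMINS="local_admin_account jamfmanagement"

# $1 = short name, $2 = UID, $3 = "yes"/"no" admin membership.
# Returns 0 (report it) only for an unexpected admin with UID >= 500.
is_unexpected_admin() {
    [ "$3" = "yes" ] || return 1
    [ "$2" -ge 500 ] || return 1
    for expected in $EXPECTED_ADMINS; do
        [ "$1" = "$expected" ] && return 1
    done
    return 0
}

# Read "name uid member" records from stdin; print unexpected admins, space-separated.
filter_unexpected_admins() {
    out=""
    while read -r name uid member; do
        [ -n "$name" ] || continue
        if is_unexpected_admin "$name" "$uid" "$member"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s' "$out"
}

# Wrap the list in EA tags; "none" gives a smart group a stable value to match on.
format_result() {
    printf '<result>%s</result>\n' "${1:-none}"
}

# Build the records from Directory Services (macOS only).
# dseditgroup prints "yes <name> is a member of admin" or "no <name> is NOT a member of admin".
collect_records() {
    dscl . -list /Users UniqueID | while read -r name uid; do
        member=$(dseditgroup -o checkmember -m "$name" admin 2>/dev/null | awk '{ print $1 }')
        printf '%s %s %s\n' "$name" "$uid" "${member:-no}"
    done
}

# Only query the directory where the macOS tools exist; the functions above work anywhere.
if command -v dseditgroup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    format_result "$(collect_records | filter_unexpected_admins)"
fi
```

A smart group with the criterion "is not none" on this EA then lists every machine carrying an admin account you did not plan for.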

msierra
New Contributor

How would you modify the below to exclude the local admin account?

#!/bin/bash

currentUser=$(ls -l /dev/console | awk '{ print $3 }')
checkAdmin=$(dseditgroup -o checkmember -m ${currentUser} admin | awk '/yes/ { print $1 }')

if [[ ${checkAdmin} == 'yes' ]]
  then echo "<result>has admin</result>"
fi

tlarkin
Honored Contributor

Hi @msierra,

You can add a grep -v pipe to that currentUser variable to always exclude it. You could also exclude certain UID ranges if your local admin accounts are under UID 500. So, the example would be like so:

#!/bin/bash

# Console user, with the known local admin filtered out so it is never checked.
currentUser=$(ls -l /dev/console | awk '{ print $3 }' | grep -v 'local_admin_account')
# Nothing left to check when the console user was the excluded account (or nobody is logged in).
[[ -z ${currentUser} ]] && exit 0
checkAdmin=$(dseditgroup -o checkmember -m "${currentUser}" admin | awk '/yes/ { print $1 }')

if [[ ${checkAdmin} == 'yes' ]]
then echo "<result>has admin</result>"
fi

Just change the local_admin_account string to the actual shortname of the local admin account. That should exclude it, and the comparison will return a blank value and not echo out the has admin string.

Hope this helps,
Tom

msierra
New Contributor

@tlarkin
Thank you for the response.

If I wanted to exclude multiple accounts, would I pipe another account? So it would look like...
Thanks again.

currentUser=$(ls -l /dev/console | awk '{ print $3 }' | grep -v 'local_admin_account' | grep -v 'local_admin_account2')

Matt

mm2270
Legendary Contributor III

Or you could use:

grep -ve "admin_account1\|admin_account2\|admin_account3"

Or:

egrep -v "admin_account1|admin_account2|admin_account3"

The latter uses egrep, which doesn't need the backslashes ( \ ) between the regexes but still needs the pipes ( | ).

tlarkin
Honored Contributor

I would do what @mm2270 does and have in the past, like this:

some unix commands | grep -v 'string1\|string2\|string3'

This will work, just note that double quotes will expand variables and reserved bash characters.

Thanks,
Tom

msierra
New Contributor

So there's a slight discrepancy between the two examples.

| grep -v 'string1\|string2\|string3'

or is it

| grep -ve 'string1\|string2\|string3'

mm2270
Legendary Contributor III

@msierra - good catch! It's not strictly necessary to use the -e flag if using the \| syntax to separate the strings. Just a habit of mine I guess. In short, either one will work the same way. For the sake of efficiency, might as well just use grep -v 'string1\|string2', etc. In my tests that works perfectly fine.