Jamf Nation Community

Hello Tom, thank you for the hint. I found your script.

I was hoping to use it to highlight a few troublesome machines where I am experiencing local admins losing their admin rights (random).

The script finds users but their UID is not relevant: despite my local admin is always 501, I have to rely to the value "Admin: true" or "false" within Local User Accounts in JSS to see if the admin user is an actual admin or not.

The handy thing is your script fails on machines where local admin is not, as it gives (DS Error: -14136 (eDSRecordNotFound) and therefore it's easy to see where problems are.

I have yet to find out what caused this problem, likely the update to 10.6.7 was not properly applied.
I did not have any luck in trying one of the many suggested fixes either and ended up reimaging clients (4-5 so far).
https://discussions.apple.com/thread/2809053?start=0&tstart=0

Many thanks again!
Ciao
Carlo

Da: Thomas Larkin <tlarki at kckps.org<mailto:tlarki at kckps.org>>
Data: Tue, 31 May 2011 08:51:42 -0500
A: Carlo Anselmi <carlo.anselmi at interpublic.com<mailto:carlo.anselmi at interpublic.com>>, List Casper <casper at list.jamfsoftware.com<mailto:casper at list.jamfsoftware.com>>
Oggetto: Re: [Casper] Inventory: how to gather/display Local User account/admins info

Carlo,

I wrote a script for this to use extension attributes. You simply copy/paste the script, ensure it is executable and has proper ownership and toss it in Casper Admin. The script assumes that any local admin account you use for Casper or for internal IT use will have a UID of lower than 500. Not everyone uses this design so you may have to add your local IT account or what not if it has UID greater than 500. That shouldn't be a big deal if you know what accounts should have admin rights.

Then just scope your policy, let it run, and when you do extension attribute searches the results should show.

-Tom

Tom or Carlo can either of you post a link of where this script was written in JAMF Nation? Tom you have a lot of posts to sift through.

I'm also looking for a way to take the JAMF collected data about a local account's status on local Admin rights (Yes or No) so that I can somehow create a smart group about this.

Hey Jeffrey,

Here is a copy of the EA I have on my laptop. It only has logic to check if the current user has admin rights, and it only happens at recon.

#!/bin/bash

currentUser=$(ls -l /dev/console | awk '{ print $3 }')
checkAdmin=$(dseditgroup -o checkmember -m ${currentUser} admin | awk '/yes/ { print $1 }')

if [[ ${checkAdmin} == 'yes' ]]
  then echo "<result>has admin</result>"
fi

Then I would build a smart group based on the results of this EA. I could then scope policy to do whatever I needed, or get near real time reporting on it.

If you wanted to get all your user accounts checked for admin membership it would be a bit different logic in the script, and if you do go that route, any local IT account (and the management account) would have to be ignored or you may get false positives.

I hope this helps.

Thanks,
Tom

How would you modify the below to exclude the local admin account ?

#!/bin/bash currentUser=$(ls -l /dev/console | awk '{ print $3 }') checkAdmin=$(dseditgroup -o checkmember -m ${currentUser} admin | awk '/yes/ { print $1 }') if [[ ${checkAdmin} == 'yes' ]] then echo "<result>has admin</result>" fi

Hi @msierra,

You can add a grep -v pipe to that currentUser variable to always exclude it. You could also exclude certain UID ranges if your local admin accounts are under UID 500. So, the example would be like so:

#!/bin/bash

currentUser=$(ls -l /dev/console | awk '{ print $3 }' | grep -v 'local_admin_account')
checkAdmin=$(dseditgroup -o checkmember -m ${currentUser} admin | awk '/yes/ { print $1 }')

if [[ ${checkAdmin} == 'yes' ]]
then echo "<result>has admin</result>"
fi

Just change the local_admin_account string to the actual shortname of the local admin account. That should exclude it, and the comparison will return a blank value and not echo out the has admin string.

Hope this helps,
Tom

@tlarkin
Thank you for the response.

If i wanted to exclude multiple accounts, would I pipe another account? so it would look like...
Thanks again.

currentUser=$(ls -l /dev/console | awk '{ print $3 }' | grep -v 'local_admin_account' | grep - 'local_admin_account2')

Matt

Or you could use:

grep -ve "admin_account1|admin_account2|admin_account3"

Or:

egrep -v "admin_account1|admin_account2|admin_account3"

The latter uses egrep which doesn't need the backslashes( ) between the regexes, but still needs the pipes ( | ).

I would do what @mm2270][/url does and have in the past, like this:

some unix commands | grep -v 'string1|string2|string3'

This will work, just note that double quotes will expand variables and reserved bash characters.

Thanks,
Tom

so theres a slight discrepency between the two examples.

| grep -v 'string1|string2|string3'

or is it

| grep -ve 'string1|string2|string3'

@msierra - good catch! Its not strictly necessary to use the -e flag if using the | syntax to separate the strings. Just a habit of mine I guess. In short either one will work the same way. For the sake of efficiency, might as well just use grep -v 'string1|string2, etc. In my tests that works perfectly fine.