Posted on 03-25-2020 07:44 AM
Hi, I am trying to create a list of Macs in which the end user's account has admin privileges. I have seen a number of scripts for Extension Attributes that will list all computers that have an account UID above 500 and admin rights.
The problem is all of our machines are configured with a hidden admin account during enrollment. So with every EA I've tried, when I create a smart group I get a list of around 370 Macs (we are managing about 380).
I'm not sure if I am setting the criteria incorrectly or setting up the EA incorrectly or if I need a different script. Any help would be appreciated. Thank you.
Posted on 03-25-2020 08:14 AM
Here is how I've done it:
Settings > Computer Management > Extension Attributes
Display Name: Local Admin Check
Description: This Extension Attribute lists local administrators of the computer
Data Type: String
Inventory Display: Extension Attributes
Input Type: Script
#!/bin/bash
####################
### March 9, 2020
### This Extension Attribute will list accounts with admin rights
### This Extension Attribute is used with a saved search to output list of mobile admin accounts
### for more information visit https://www.jamf.com/jamf-nation/feature-requests/2065/smart-group-for-local-users-marked-as-admin
####################
# All accounts with a UID above 500
allLocalAccts=$(dscl . list /Users UniqueID | awk '$2>500 {print $1}')
userList=()
while read -r userAcct; do
    # Is the account a member of the admin group?
    if [[ $(dseditgroup -o checkmember -m "$userAcct" admin) =~ "yes" ]]; then
        Admin="Admin"
    else
        Admin="Regular"
    fi
    # Mobile (directory) accounts carry an OriginalAuthenticationAuthority attribute
    if [[ $(dscl . read "/Users/$userAcct" OriginalAuthenticationAuthority 2>/dev/null) != "" ]]; then
        Domain="Domain"
    else
        Domain="Local"
    fi
    userList+=("${userAcct}: $Admin, $Domain")
done < <(echo "$allLocalAccts")
echo "<result>$(printf '%s\n' "${userList[@]}")</result>"
I have a small number of devices and deal with them individually (total 12).
Perhaps you can use this as a new starting point?
Posted on 03-25-2020 09:03 AM
@atomczynski I will give this a shot. To add some more info, the hidden user account is named 'Admin', so I'm wondering: will this attribute ignore that account?
Posted on 03-25-2020 09:07 AM
I have a saved search with the following:
Criteria: Local Admin Check
Operator: like
Value: Admin, Domain
Posted on 03-25-2020 11:46 AM
@atomczynski thank you for the input. I set up an extension attribute using the script you provided and I created a smart group, however I'm getting zero results. All user accounts are currently local (both the hidden admin and the end user's account). The UIDs are generally admin = 501 and the user's account = 502, 503, etc.
Posted on 03-25-2020 12:01 PM
What is your time window for check in and update inventory?
One suggestion would be, on a computer you have access to, to create a mobile account with admin rights or change the current mobile account so it has rights, then recon and policy and check the device object again.
Posted on 05-26-2020 10:32 AM
Hi @atomczynski, I tried it on my machine and got a fine result, but when I put it into JAMF as an Extension Attribute I get an empty result. Is there anything I need to do, or anything I missed?
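An added example, not part of any post in this thread and not Jamf's own code: an Extension Attribute script that reports only admin accounts other than the hidden management account, whether local or mobile, so the value does not depend on the `Domain` label. The `EXCLUDE` list (set to `Admin`, the hidden account's name given above), the `None` sentinel and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
# EXCLUDE is an assumption: space-separated short names of management accounts
# to ignore, here the hidden 'Admin' account described in the thread.
EXCLUDE="Admin"

# True if the account is a member of the local admin group.
# Kept as its own function so it can be stubbed when testing off a Mac.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin </dev/null 2>/dev/null | grep -q '^yes'
}

# True if the name is on the exclusion list (exact match).
is_excluded() {
    for skip in $EXCLUDE; do
        [ "$1" = "$skip" ] && return 0
    done
    return 1
}

# Reads "name uid" lines (the output format of `dscl . list /Users UniqueID`)
# on stdin and prints the non-excluded admin accounts with UID > 500,
# comma-separated, or "None" when there are none.
admin_users() {
    found=""
    while read -r name uid; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed or negative UIDs
        [ "$uid" -gt 500 ] || continue                 # skip system accounts
        is_excluded "$name" && continue                # skip the management account
        if is_admin "$name"; then
            found="${found:+$found, }$name"
        fi
    done
    echo "${found:-None}"
}

# Only query the directory when the macOS tools are present.
if command -v dscl >/dev/null 2>&1; then
    echo "<result>$(dscl . list /Users UniqueID | admin_users)</result>"
fi
```

A Smart Group on this attribute with operator `is not` and value `None` then lists Macs where an account other than the excluded one has admin rights, once each Mac has submitted inventory.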