Missing hidden admin account - best way to address

donmontalvo
Esteemed Contributor III

We found out today that half of the workstations in one of the environments we support lack our hidden local admin account (let's say it's "jsmith"). We found the cause and fixed the problem. But we're left with several hundred Macs that need the jsmith account recreated. Was thinking of this approach...

  1. Create a Smart Group to identify computers missing the jsmith account (set to include hidden accounts in search)

  2. Scope a policy to the Smart Group that recreates the jsmith account...the script would include this command pulled from our QuickAdd package:

-------------- begin ----------------
#!/bin/sh
#
# Create hidden jsmith admin user account.
# The -passhash value below is a placeholder; substitute the real hash
# from the QuickAdd package. The trailing backslash keeps the command
# on one logical line (without it the -passhash line runs as a separate
# command and the account is created without that option).
#
/usr/sbin/jamf createAccount -username 'jsmith' -realname 'jsmith' \
    -passhash 'xxxxxxxxxxpwdstringxxxxxxxxxx' -admin -hiddenUser

exit 0
-------------- end ----------------

Not thrilled at the idea of using Smart Groups (yet) since JSS isn't as beefy as we need it to be. But I wanted to bounce this off the group before we begin testing, to make sure we're doing this the easiest, most manageable way.

Thanks for any feedback!

Don

--
https://donmontalvo.com
5 REPLIES

RobertHammen
Valued Contributor II

Done exactly the same thing (since discovering that running SL client upgrade DVDs do not migrate hidden user accounts over from 10.5.8 systems, *sigh*)
On May 13, 2010, at 8:16 PM, Don Montalvo wrote:

Actually, I take it back, I just created the policy for all machines, those that had the hidden user just failed with a "user exists" error that I could ignore, so I didn't scope it down to just those machines missing the hidden admin user...

tlarkin
Honored Contributor

I use the jamf binary to create two local hidden admin accounts via my post image script. One account is for ARD access and anyone who may need it and the second account is for internal IT use.

The only thing I do different is that I put their home folders in /private/var

ernstcs
Contributor III

This is why I still choose to use old fashioned OS images, with the account baked into it.

I do put the home directory in /private/var as well.

Craig E

donmontalvo
Esteemed Contributor III

Ahhh, yes, I wasn't sure if the script would mangle things if the account already exists. Wasn't sure if there was a way to first check for the account (exit if exists; else create).

I can live with the error. :) Seems like a better route than using Smart Groups (something we're scaling back on until we upgrade the JSS hardware).

Thanks,
Don

--
https://donmontalvo.com

tlarkin
Honored Contributor

When I test my post image scripts I do so on a machine with an OS on it. If you try to create an account that already exists, the jamf binary will just exit with an error message that the account exists. It doesn't halt a script or hurt anything. Now you could loop it so that if it did exist it would just change the password instead.
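The "check first, then create" approach Don asked about, and the "reset the password if it already exists" variant tlarkin mentions, as an added example (this is not code from the thread or from Jamf). It assumes the Jamf binary at /usr/sbin/jamf, the account name "jsmith" used above, a placeholder password hash, and a USER_LIST override for the local account list that is an assumption of this example so the decision logic can be exercised off a Mac:

```shell
#!/bin/sh
# Added example, not from the original thread. Recreate the hidden local
# admin account only when it is missing, instead of letting "jamf
# createAccount" fail with a "user exists" error on every other machine.

ACCOUNT="jsmith"
# Placeholder (assumption): replace with the real hash from the QuickAdd package.
PASSHASH="xxxxxxxxxxpwdstringxxxxxxxxxx"

# list_local_users: one local account name per line. On a Mac this comes
# from dscl (hidden accounts are listed too, which is what we want here).
# USER_LIST is an override assumed by this example, not a Jamf feature,
# so the check can be tested without a directory service.
list_local_users() {
    if [ -n "${USER_LIST:-}" ]; then
        printf '%s\n' "$USER_LIST"
    else
        /usr/bin/dscl . -list /Users
    fi
}

# user_exists NAME: succeed if NAME is a local account. Whole-line match,
# so "jsmith" does not match "jsmithers".
user_exists() {
    list_local_users | grep -qx -- "$1"
}

# decide_action NAME: print "create" or "skip" so the decision is visible
# in the policy log and testable on its own.
decide_action() {
    if user_exists "$1"; then
        echo skip
    else
        echo create
    fi
}

ensure_hidden_admin() {
    case "$(decide_action "$ACCOUNT")" in
        create)
            /usr/sbin/jamf createAccount -username "$ACCOUNT" -realname "$ACCOUNT" \
                -passhash "$PASSHASH" -admin -hiddenUser
            ;;
        skip)
            # This is the branch where a password reset would go if you want
            # the policy to normalize existing accounts instead of skipping them.
            echo "$ACCOUNT already exists; nothing to do"
            ;;
    esac
}

# Only act on a machine that actually has the Jamf binary; elsewhere the
# functions above can still be exercised with USER_LIST set.
if [ -x /usr/sbin/jamf ]; then
    ensure_hidden_admin
fi
```

Because the script only calls createAccount when the account is missing, it can be scoped to all machines without relying on a Smart Group, and the exit status of the policy reflects a real failure rather than the expected "user exists" noise.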