Posted on 05-13-2010 06:16 PM
We found out today that half of the workstations in one of the environments we support lack our hidden local admin account (let's say it's "jsmith"). We found the cause and fixed the problem. But we're left with several hundred Macs that need the jsmith account recreated. Was thinking of this approach...
Create a Smart Group to identify computers missing the jsmith account (set to include hidden accounts in search)
Scope a policy to the Smart Group that recreates the jsmith account...the script would include this command pulled from our QuickAdd package:
-------------- begin ----------------
#!/bin/sh
#
# Create hidden jsmith admin user account.
#
/usr/sbin/jamf createAccount -username 'jsmith' -realname 'jsmith' \
    -passhash 'xxxxxxxxxxpwdstringxxxxxxxxxx' -admin -hiddenUser
exit 0
-------------- end ----------------
Not thrilled at the idea of using Smart Groups (yet) since JSS isn't as beefy as we need it to be. But I wanted to bounce this off the group before we begin testing, to make sure we're doing this the easiest, most manageable way.
Thanks for any feedback!
Don
Posted on 05-13-2010 09:15 PM
Done exactly the same thing (since discovering that running SL client upgrade DVDs do not migrate hidden user accounts over from 10.5.8 systems, *sigh*)
On May 13, 2010, at 8:16 PM, Don Montalvo wrote:
Actually, I take it back, I just created the policy for all machines, those that had the hidden user just failed with a "user exists" error that I could ignore, so I didn't scope it down to just those machines missing the hidden admin user...
Posted on 05-14-2010 06:25 AM
I use the jamf binary to create two local hidden admin accounts via my post image script. One account is for ARD access and anyone who may need it and the second account is for internal IT use.
The only thing I do differently is that I put their home folders in /private/var.
Posted on 05-14-2010 06:38 AM
This is why I still choose to use old-fashioned OS images, with the account baked into it.
I do put the home directory in /private/var as well.
Craig E
Posted on 05-14-2010 07:04 AM
Ahhh, yes, I wasn't sure if the script would mangle things if the account already exists. Wasn't sure if there was a way to first check for the account (exit if exists; else create).
I can live with the error. :) Seems like a better route than using Smart Groups (something we're scaling back on until we upgrade the JSS hardware).
Thanks,
Don
Posted on 05-14-2010 07:16 AM
When I test my post image scripts I do so on a machine with an OS on it. If you try to create an account that already exists, the jamf binary will just exit with an error message that the account exists. It doesn't halt a script or hurt anything. Now you could loop it so that if it did exist it would just change the password instead.
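The "exit if exists; else create" check asked about in the thread, as an added example that is not part of the original posts or JAMF's own code. `JAMF_BIN`, `ACCOUNT`, `PASSHASH` and the function names are assumptions made for this sketch; the `createAccount` flags are the ones shown in the script above.

```shell
#!/bin/sh
# Added example: create the hidden admin account only when it is missing,
# then verify it, so the policy log shows real failures, not "user exists".
# JAMF_BIN, ACCOUNT and PASSHASH are names chosen for this example.

JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"
ACCOUNT="jsmith"
PASSHASH='xxxxxxxxxxpwdstringxxxxxxxxxx'   # placeholder, as in the thread

# True when the system can resolve the user (hidden users included).
account_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Return codes: 0 = account present (already there or just created)
#               1 = createAccount reported failure
#               2 = createAccount reported success but the user is still absent
ensure_hidden_admin() {
    user="$1"
    hash="$2"
    if account_exists "$user"; then
        echo "$user already exists, nothing to do"
        return 0
    fi
    "$JAMF_BIN" createAccount -username "$user" -realname "$user" \
        -passhash "$hash" -admin -hiddenUser || return 1
    # Verify the result instead of trusting the exit status alone.
    account_exists "$user" || return 2
    echo "$user created"
    return 0
}

# Only act on machines that have the jamf binary installed.
if [ -x "$JAMF_BIN" ]; then
    ensure_hidden_admin "$ACCOUNT" "$PASSHASH"
    exit $?
else
    echo "jamf binary not found at $JAMF_BIN, account not checked" >&2
fi
```

The script carries the admin account's password hash, so it should be readable only by the people who manage the policy.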