Non-default administrator account Extension Attribute

vadanx
Contributor

I find myself taking a lot from jamfnation and not giving much back in return, so here is my simple little extension attribute for showing all non-default administrator accounts from Macs in your estate. You will need to change the underscored section for your environment. I use this with Smart Groups to generate emails after a recon has detected this attribute has a value.

Data Type: String
Input Type: Populated by Script

Script Contents:

groupmember=`dscl /Local/Default read /Groups/admin GroupMembership | tr ' ' '\n' | grep -Ev 'root|change_for_your_default_admins_separated_by_pipes|GroupMembership:|admin' | tr '\n' ' '`
echo "<result>$groupmember</result>"

It basically reads the membership of the local administrator group and removes values (your default admins + additional info) from the output, leaving you non-default members of the local admin group.

If you work in an environment that has compliancy audits then this is really useful for checking all local administrators are justified.


franton
Valued Contributor III

Brilliant! Been trying to develop something like this for some time now!

JPDyson
Valued Contributor

Curious; doesn't seem to work as expected for me, unless I'm not understanding the approach. I've got two local admins on this box and neither is being returned (I didn't add them to the exclusion list).

I've taken a different approach to this:
Note: Perl!

#!/usr/bin/perl -w
use strict;

# Read the admin group's members and strip everything up to and including the
# default admins (replace abuiltinadmin / someotheradmin with your own short
# names), then drop leading whitespace and turn the rest into a comma list.
# \t is interpolated to a literal tab before sed sees it.
my $adminUsers = `dscl . -read /Groups/admin GroupMembership | sed 's/.*abuiltinadmin//;s/.*someotheradmin//;s/^[ \t]*//;s/ /, /g'`;
chomp $adminUsers;

if (length($adminUsers) == 0) {
   print "<result>No admins</result>";
   exit 0;
} else {
   my $resultMessage = join('', '<result>', $adminUsers, '</result>');
   print $resultMessage;
   exit 0;
}

Note that it's also a comma-separated list, but you could modify that.

JPDyson
Valued Contributor

AH, I found your problem - any local administrative account with "admin" in the name will NOT be returned because you grep out 'admin'. Whoops!

jarednichols
Honored Contributor

Another route you could go would be to limit to accounts with UID over 500. In our case, our casper admin account is hidden (sub 500) so the ones we care about being admin are over 500.

franton
Valued Contributor III

That was the issue I had Jared. Problem with that is all our AD users have UIDs over 1000 regardless.

tlarkin
Honored Contributor

Another route you could go would be to limit to accounts with UID over 500. In our case, our casper admin account is hidden (sub 500) so the ones we care about being admin are over 500.

This is exactly what I did when I was a System Administrator using Casper at my last job. All local admin accounts were under UID 500. I had three of them. One was for Casper itself, which was deployed via quickadd, or at imaging time, and was never used by anyone. The second one was for internal IT use, also hidden, and UID under 500. The last one was also under UID 500 and hidden but was used for any non-IT worker that needed Admin rights. I used separate accounts because I wanted the ability to nuke them remotely if a password leaked, and not have it affect IT or Casper.

That was the issue I had Jared. Problem with that is all our AD users have UIDs over 1000 regardless.

I have posted this script a ton of times on the mailing list back in the day and it is probably on the forums here, but this is how I handled admin detection for AD/OD accounts:

#!/bin/bash

# check for admin accounts: list every user with a UID above 1000 (the AD/OD
# accounts here) and report each one that is a member of the local admin
# group. Membership is read from the admin group record, because user
# records carry no GroupMembership attribute of their own.

adminMembers=$(dscl . read /Groups/admin GroupMembership)
userList=$(dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }')

for u in ${userList} ; do
    # exact match on the short name, one member per line
    if echo "${adminMembers}" | tr ' ' '\n' | grep -qx "${u}" ; then
        echo "<result>${u} is admin</result>"
    else
        echo "no admin here"
    fi
done

This was written I think for 10.6.x so please test this out. Hope this helps some of you.

-Tom
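As an added example (not code from any of the posts above), the script below joins the two ideas in this thread: vadanx's exclusion list for the admin group, matched on the whole short name so that a name such as "localadmin" is not hidden by a substring match on "admin", and Tom's UID floor. The functions take the dscl output as text, so they run here on constructed sample input and on a Mac when given the real dscl output; the default admin names and the sample users are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Exact-match exclusion list for the
# admin group combined with a UID floor. Both functions take dscl output as
# text, so they run on the constructed samples below or on real dscl output.

# Default admins to keep out of the report (hypothetical names; edit for your site).
DEFAULT_ADMINS='root casperadmin itadmin'

# non_default_admins MEMBERSHIP
#   MEMBERSHIP is the line from: dscl /Local/Default read /Groups/admin GroupMembership
#   Prints every member not in DEFAULT_ADMINS, one per line, exact match only.
non_default_admins() {
    printf '%s\n' "$1" | awk -v defaults="$DEFAULT_ADMINS" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i != "GroupMembership:" && !($i in skip)) print $i }'
}

# admins_over_uid FLOOR USERLIST MEMBERSHIP
#   USERLIST is the output of: dscl . list /Users UniqueID   ("name uid" per line)
#   Prints the non-default admins whose UID is above FLOOR, space separated on
#   one line, or nothing at all when there are none.
admins_over_uid() {
    members=$(non_default_admins "$3" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v minuid="$1" -v members="$members" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        ($1 in want) && ($2 + 0) > (minuid + 0) { out = out (out == "" ? "" : " ") $1 }
        END { if (out != "") print out }'
}

# ea_result FLOOR USERLIST MEMBERSHIP
#   Wraps the report in the <result> tags Jamf reads; "None" when nothing is
#   found, so a Smart Group can match on the value either way.
ea_result() {
    found=$(admins_over_uid "$1" "$2" "$3")
    printf '<result>%s</result>\n' "${found:-None}"
}

# Constructed sample of the two dscl outputs (not captured from a real Mac).
SAMPLE_MEMBERS='GroupMembership: root casperadmin itadmin localadmin jsmith'
SAMPLE_USERS='root 0
_mbsetupuser 248
casperadmin 499
itadmin 498
localadmin 501
jsmith 1205'

# On a Mac, pass in "$(dscl . list /Users UniqueID)" and the GroupMembership line instead.
ea_result 500 "$SAMPLE_USERS" "$SAMPLE_MEMBERS"
```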

vadanx
Contributor

Sorry, in my environment we don't have any default admins actually called admin, but I guess you could add additional extended regex to differentiate.

Seeing some nice responses so that's awesome, mine was a very simple way that worked very well for me. :-)

Corrected original extension attribute:

groupmember=`dscl /Local/Default read /Groups/admin GroupMembership | tr ' ' '\n' | grep -Ev 'root|change_for_your_default_admins_separated_by_pipes|GroupMembership:' | tr '\n' ' '`
echo "<result>$groupmember</result>"

Removed the unneeded "admin" from the grep -Ev; it's best to add your admins' complete short names for the most accurate results.

AndreasRumpl
New Contributor III

As this was a topic for us again, the following one works on High Sierra and Mojave:
(Note: add your default admins in the grep command)

#!/bin/sh

#reporting of (additional) local admins
#v1.0, Andreas Rumpl, 2018-09-26

#search for local admin users and exclude the predefined Service users
groupmember=`dscl /Local/Default read /Groups/admin GroupMembership | tr ' ' '\n' | grep -Ev 'root|change_for_your_default_admins_separated_by_pipes|GroupMembership:' | tr '\n' ' '`

#if there is an additional admin existing, report it (POSIX test, since the script runs under /bin/sh)
if [ -n "$groupmember" ]; then
    echo "<result>$groupmember</result>"
else
    echo "<result>no local admin rights</result>"
fi

mani2care
Contributor

@AndreasRumpl @vadanx
I tried running the script locally, but the Extension Attribute is not working; I am getting a blank result only.