Posted on 04-19-2012 08:28 AM
We've been providing reports for some of our analysts, and the Last User data is being questioned as it contains reboot, etc. These are mostly Wintel techs.
Is there a way to take the existing Extension Attribute and exclude any Last User criteria that isn't really a Last User? Of course I mean if reboot is the Last User, the Extension Attribute should be intelligent enough to show the second-to-Last-User. ;)
#!/bin/sh
lastUser=`/usr/bin/last -1 -t console | awk '{print $1}'`
if [ $lastUser == "wtmp" ]; then
echo "<result>No logins</result>"
else
echo "<result>$lastUser</result>"
fi
The Wintel techs are like "Why is this so difficult to do on a Mac?"
I'm like "Why are Wintel boxes so ugly?"
LOL
Don
Posted on 04-19-2012 08:33 AM
Deleted post
Posted on 04-19-2012 08:34 AM
This isn't really helpful for your problem, but ask them why SYSTEM shows up in Last User on Windows boxes sometimes.
Posted on 04-19-2012 08:59 AM
Say what? I deleted my post, but I was labeled as the answer? LOL. Don, you OK? :)
Posted on 04-19-2012 09:09 AM
So I couldn't duplicate the issue, but I did find a different way to grab the last user data possibly. Maybe this helps?
lastUser=`defaults read /Library/Preferences/com.apple.loginwindow lastUserName`
Posted on 04-19-2012 11:46 AM
silly windows techs....
This is what I use, feel free to adapt as necessary:
MostLoggedInUser=`last | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | grep -v reboot | grep -v shutdown | grep -v agadmin | grep -v cleadmin | grep -v gat | awk '{print $2, $5;}' | awk '{print $0 ; exit(0); }'`
echo "$MostLoggedInUser will be added to the username field in JAMF."
actually that's the most logged in user... however I find that to be more useful for our purposes
jamf recon -skipApps -skipFonts -skipPlugins -endUsername $MostLoggedInUser
I suppose you could grep -v -E "reboot|shutdown"
Posted on 04-19-2012 11:53 AM
@don it's not difficult to do. you're just parsing text.
Posted on 04-19-2012 11:59 AM
you can replace all those grep -v with one egrep -v 'reboot|shutdown|agadmin'
Posted on 04-19-2012 01:11 PM
dupe
Posted on 04-19-2012 01:11 PM
Say what? I deleted my post, but I was labeled as the answer? LOL. Don, you OK? :)
@mm2270 LOL...
@acdesigntech I'd love to try your script...can you post using the script formatting so I capture the entire thing? Happy to post results.
Don
Posted on 04-19-2012 02:09 PM
@ACDesignTech the recon skip verbs stopped working around v7.. :(
Feature Request to have them re-added: https://jamfnation.jamfsoftware.com/featureRequest.html?id=78
Posted on 04-19-2012 04:32 PM
Hey Everyone,
A few tips for you all. These are methods I use to create lists of actual user accounts and skip users like nobody, root, and so forth. I do it by reading dscl and the UIDs and then making sure only actual UIDs that are actual users get output.
list of local users that include AD/OD users:
/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }'
list of local users when AD/OD should be excluded:
/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 && $2 < 1000 { print $1 }'
list of AD/OD users only:
/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 1000 { print $1 }'
You can take these methods and use them for looping through some logic to test if the last user was an actual real user. You could even create separate ones for local accounts only, or for all accounts, or AD/OD accounts only.
My methods though usually exclude any local admin account with a UID of below 500 to hide it from the Finder and System Preferences. Those accounts are typically used internally by IT and I usually ignore them.
Hope this helps some of you for creating scripts. Please post back what you build as I would be happy to see what you all come up with.
Thanks,
Tom
Posted on 04-19-2012 05:34 PM
I always have to shamelessly plug my site here :P http://acdesigntech.wordpress.com/2011/12/15/how-to-view-the-most-logged-in-user-on-mac-os-x/
However, syntax is as follows:
#!/bin/sh
MostLoggedInUser=`ac -p | sort -nk 2 | grep -v reboot | grep -v shutdown | awk '/total/{print x};{x=$1}'`
jamf recon -skipApps -skipFonts -skipPlugins -endUsername $MostLoggedInUser
OR
#!/bin/sh
MostLoggedInUser=`last | cut -f 1 -d ' ' | sort | uniq -c | sort -nr | grep -v reboot | grep -v shutdown | awk '{print $2, $5;}' | awk '{print $0 ; exit(0); }'`
jamf recon -skipApps -skipFonts -skipPlugins -endUsername $MostLoggedInUser
I wrote this before I started using regex fu, so you could totally condense this to "grep -v -E "reboot|shutdown|etc""
The ac method will give you the user with the longest log in time, the last method will give you the most logged in user. I have this as a login script populating the username field right now, but you can easily convert this to an EA. Unfortunately I still get "root," "wtmp" and other nonsense, so I suppose you might want to add those as well. I'd rather just see a blank field for the username than some garbage output.
@bentoms I was wondering why recon was still taking so long even with the skip verbs included. Just never got around to investigating why. Thanks for the heads up! I "upped" the feature request since this is a super useful ability. IME anyway
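An allow-list version of the filtering discussed in this thread, as an added example that is not any poster's code: a `last` entry counts only when its name has a UID above 500 in `dscl` output (Tom's filter), so reboot, shutdown, wtmp and service accounts never have to be named one by one. The function names are hypothetical and the sample `dscl` and `last` output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread; function names are hypothetical.
# Names with UID above 500 (the thread's cut-off).
# stdin: "name uid" lines as printed by `dscl . list /Users UniqueID`.
real_users() {
    awk '$2 > 500 { print $1 }'
}

# Newest login whose account is on the allow-list, or nothing.
# $1: allow-list file, one name per line. stdin: `last` output (newest first).
last_real_user() {
    awk -v allow="$1" '
        BEGIN { while ((getline u < allow) > 0) ok[u] = 1 }
        ($1 in ok) { print $1; exit }'
}

# Account with the most allow-listed logins; ties go to the most recent one.
most_frequent_real_user() {
    awk -v allow="$1" '
        BEGIN { while ((getline u < allow) > 0) ok[u] = 1 }
        ($1 in ok) { if (!($1 in n)) order[++k] = $1; n[$1]++ }
        END {
            for (i = 1; i <= k; i++)
                if (n[order[i]] > max) { max = n[order[i]]; best = order[i] }
            if (best != "") print best
        }'
}

# Constructed sample data standing in for real dscl and last output.
# "agatha" is a real user that a substring filter such as `grep -v gat` drops.
SAMPLE_DSCL=$(printf 'root 0\n_www 70\nitadmin 499\nagatha 501\ndon 502')
SAMPLE_LAST='reboot    ~         Thu Apr 19 08:01
itadmin   console   Thu Apr 19 07:40 - 07:55  (00:15)
agatha    console   Wed Apr 18 09:02 - 17:30  (08:28)
don       console   Tue Apr 17 08:55 - 17:10  (08:15)
don       console   Mon Apr 16 09:00 - 17:00  (08:00)

wtmp begins Mon Apr 16 08:59'

# Extension-attribute output for the sample. On a Mac, build the list with
# `dscl . list /Users UniqueID | real_users` and pipe in `last -t console`.
demo() {
    demo_allow=$(mktemp)
    printf '%s\n' "$SAMPLE_DSCL" | real_users > "$demo_allow"
    demo_user=$(printf '%s\n' "$SAMPLE_LAST" | last_real_user "$demo_allow")
    rm -f "$demo_allow"
    echo "<result>${demo_user:-No logins}</result>"
}
demo
```

Because the list is built from directory data rather than from names to exclude, an account such as itadmin (UID 499 in the sample) is skipped without being listed anywhere in the script.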