Read out local administrators

BookMac
New Contributor III

Hello folks,
I know that there are already a few threads about reading out local admins. Either I didn't understand what was available or what I needed wasn't there. We would like to read out, on all devices, where local admins exist, with the exception of three admin users from IT. On the one hand, it would be good if the admins were listed in the computer object under User and Location, and on the other hand, if we had a Smart Group where all computers with local admins are available (except for the three admin users from IT).

Cheers


mm2270
Legendary Contributor II

We do this with 2 Extension Attributes. They are almost identical EAs, but one simply prints out a list of admin account names found (if any) on the Mac and the other sends back an integer value of those same admin accounts. So for example then, we can create a Smart Computer Group using the integer EA to find any Mac with a value greater than 0 for that EA, since the script excludes our known local admin accounts from the count. Anything above 0 would naturally mean there is some unauthorized local admin account on the Mac.


Here is our EA to list out admin accounts:

#!/bin/bash

## A list of the known local admins to be excluded (exact names, anchored so that
## e.g. "Administrator" is not skipped just because it contains "Admin")
known_admins="^(localadmin|Admin)$"

## Initialize array
admin_list=()

## Only accounts with a UID above 500 are checked
for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | grep -E -v "${known_admins}"); do
    ## dseditgroup prints "yes ..." when the account is a member of the admin group
    if /usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep -q "^yes"; then
        ## Any reported accounts are added to the array list
        admin_list+=("${username}")
    fi
done

## Prints the array's list contents
if [[ ${#admin_list[@]} -gt 0 ]]; then
    echo "<result>${admin_list[*]}</result>"
else
    echo "<result>[ None ]</result>"
fi


This is the EA that provides an integer count:

#!/bin/bash

## A list of the known local admins to be excluded (exact names, anchored)
known_admins="^(localadmin|Admin)$"

## Initialize array
admin_list=()

## Only accounts with a UID above 500 are checked
for username in $(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 500 {print $1}' | grep -E -v "${known_admins}"); do
    ## dseditgroup prints "yes ..." when the account is a member of the admin group
    if /usr/sbin/dseditgroup -o checkmember -m "$username" admin | grep -q "^yes"; then
        ## Any reported accounts are added to the array list
        admin_list+=("${username}")
    fi
done

## Prints the number of entries in the array (0 when no unknown admins were found)
echo "<result>${#admin_list[@]}</result>"

I should note that these scripts only look at accounts with UIDs higher than 500, so 501 and up. If your users are technically savvy, they could create an admin account with a sub 501 UID which wouldn't be detected by these extension attributes. There's a way of course to craft this to account for those scenarios, but for us it's not really an issue. Our users don't have local admin rights to begin with. 

Once the 1st EA is present and reporting in, you can start pulling reports that have that EA field in the columns, so it will show any accounts it's found.

Hope the above helps.
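A variant of the list/count EA above, added here as an example and not code from either poster: it reads the admin group's direct membership with dscl instead of walking UIDs above 500, so an admin account created with a low UID (the gap noted in the reply) is still reported, and approved accounts are matched by exact name rather than by substring. The approved names in KNOWN_ADMINS are placeholders, the `GroupMembership:` line format is what `dscl . read /Groups/admin GroupMembership` prints for a group record, and the live query only runs where dscl exists; the filtering and formatting sit in functions so they can be exercised with a constructed membership line.

```shell
#!/bin/sh
# Added example (not from the thread): report local admin accounts from the admin
# group's own membership list, so low-UID admin accounts are not missed.
# Approved accounts are matched by exact name. KNOWN_ADMINS is a placeholder list.

KNOWN_ADMINS="root localadmin"   # placeholder; substitute your IT admin accounts

# unapproved_admins: reads 'GroupMembership: name name ...' line(s) on stdin and
# prints each member not listed in $1 (space-separated approved names), one per line.
unapproved_admins() {
    awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) approved[k[i]] = 1 }
        /^GroupMembership:/ { for (i = 2; i <= NF; i++) if (!($i in approved)) print $i }
    ' | LC_ALL=C sort -u
}

# format_result: turns the name list on stdin into the <result> string of the
# list-style EA, "[ None ]" when the list is empty (same convention as the thread).
format_result() {
    names=$(tr '\n' ' ' | sed 's/ *$//')
    if [ -z "$names" ]; then
        printf '<result>[ None ]</result>\n'
    else
        printf '<result>%s</result>\n' "$names"
    fi
}

# count_result: integer variant for a Smart Group "greater than 0" criterion.
count_result() {
    printf '<result>%s</result>\n' "$(awk 'NF { n++ } END { print n + 0 }')"
}

# Live query, only on a Mac where dscl is available; elsewhere the functions can be
# fed a constructed membership line on stdin.
if command -v dscl >/dev/null 2>&1; then
    /usr/bin/dscl . read /Groups/admin GroupMembership | unapproved_admins "$KNOWN_ADMINS" | format_result
fi
```

Swap `format_result` for `count_result` in the last pipeline to get the integer EA. Note that `dscl ... read /Groups/admin GroupMembership` lists direct members only; an account that is an admin through a nested group would still need the dseditgroup or dsmemberutil check from the posted scripts, run over every account rather than only UIDs above 500.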

BookMac
New Contributor III

Hi, thanks for the input. I think I've got it.

I'm using this EA:

#!/bin/bash

# Force the script to quit if any error is encountered
set -e

# The excluded IT admin accounts, matched by exact name (the post lists 'admin'
# three times; substitute the three real account names)
known_admins=("admin" "admin" "admin")

# Initialize array variable to hold admin usernames
list=()

# For all users with a UID above 500 (aka: not hidden), check if they are an admin;
# if so, AND not a known administrative account, add them to the list array
for username in $(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }'); do
    # dsmemberutil reports "... is not a member of ..." for non-admins
    if [[ $(/usr/bin/dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        excluded=0
        for known in "${known_admins[@]}"; do
            if [[ "${username}" == "${known}" ]]; then
                excluded=1
            fi
        done
        if [[ ${excluded} -eq 0 ]]; then
            list+=("${username}")
        fi
    fi
done

# Print all items in the list array
/bin/echo "<result>${list[*]}</result>"


and then a Smart Computer Group with this EA and the operator "is not" with nothing in the value field.