Help

Report If Last User is Admin rights

foreverkan
New Contributor II

Posted on ‎03-19-2024 11:54 PM

Hello,

 

I need a daily report. Our security team want a daily report like this. Does Last users has admin rights? How can i do that? I need your help.

 

Thank you. 

0 Kudos
3 REPLIES 3

dsavageED
Contributor III

Posted on ‎03-20-2024 02:58 AM

You could run a script once a day to try and work out if the logged in user or last user has admin rights... Something like the following will give you a skeleton, though it's far from perfect.

#!/bin/bash

# Logged in user
User_Name=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [ -z $User_Name ]; then
	# Mostly will return the last logged in user
	User_Name=$( last -1 | awk '{print $1}' )
fi

# Members of the local admin group
Who_is_Admin=`dscl . -read /Groups/admin | grep GroupMembership`

# Check if the name is in the group
Admin_Exists=`echo $Who_is_Admin | tr " " "\n" | grep $User_Name` 

if ! [ -z $Admin_Exists ]; then
	echo $User_Name was an admin
fi

 

foreverkan
New Contributor II
In response to dsavageED

Posted on ‎03-20-2024 03:58 AM

Commands are working but how can i report the answer?

0 Kudos

dsavageED
Contributor III

Posted on ‎03-20-2024 05:08 AM

So the best answer would probably be to send the info to a log server or a network share, in either case you would need to get the computer name within code. Jamf has extension attributes that could hold this info, but they are not updated once a day... If this information is being gathered for non-Macs you may want to put the info in the same place...