Report If Last User is Admin rights

foreverkan
New Contributor III

Hello,

 

I need a daily report. Our security team want a daily report like this. Does Last users has admin rights? How can i do that? I need your help.

 

Thank you. 

3 REPLIES 3

dsavageED
Contributor III

You could run a script once a day to try and work out if the logged in user or last user has admin rights... Something like the following will give you a skeleton, though it's far from perfect.

#!/bin/bash

# Logged in user
User_Name=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [ -z $User_Name ]; then
	# Mostly will return the last logged in user
	User_Name=$( last -1 | awk '{print $1}' )
fi

# Members of the local admin group
Who_is_Admin=`dscl . -read /Groups/admin | grep GroupMembership`

# Check if the name is in the group
Admin_Exists=`echo $Who_is_Admin | tr " " "\n" | grep $User_Name` 

if ! [ -z $Admin_Exists ]; then
	echo $User_Name was an admin
fi

 

foreverkan
New Contributor III

Commands are working but how can i report the answer?

dsavageED
Contributor III

So the best answer would probably be to send the info to a log server or a network share, in either case you would need to get the computer name within code. Jamf has extension attributes that could hold this info, but they are not updated once a day... If this information is being gathered for non-Macs you may want to put the info in the same place...