Posted on 06-29-2021 08:31 AM
I've been asked to report on how many Macs enrolled into our on-premise Jamf Pro instance (currently ~350) have local administrator accounts set, and when they were last logged into.
Can anyone advise how best to go about this? Could this be done via an Extension Attribute?
Posted on 07-26-2021 06:59 AM
For those interested, I ended up using the log command with the predicate option to do this.
These resources proved very useful:
https://stackoverflow.com/questions/380172/reading-syslog-output-on-a-mac
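As an added example that is not part of this thread and not Jamf's own code, here is one way to turn the accepted answer's approach (the `log` command with a predicate, plus `last` for interactive logins) into an Extension Attribute style script. The function names, the 30-day window and the sample output are my own construction; the sample `last` and `log show` lines only imitate the shape of the real commands' output and were not captured from a Mac. On the unified-log side only sudo events are matched (`process == "sudo"`), so su and Authorization Services prompts would need their own predicate and parsing.

```shell
#!/bin/sh
# Added example (not from the thread, not Jamf's code): report when a local
# admin account was last used, interactively (from `last`) and via sudo
# (from the unified log, `log show --predicate`), in Jamf EA <result> form.
# The two parser functions read command output on stdin, so they can be
# exercised offline with the CONSTRUCTED samples further down.

# Most recent interactive login for user $1 from `last` output.
# `last` prints newest entries first, so the first matching line wins.
last_interactive_login() {
    awk -v u="$1" '
        $1 == u && match($0, /(Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]/) {
            print substr($0, RSTART, RLENGTH); found = 1; exit
        }
        END { if (!found) print "never" }'
}

# Most recent sudo invocation by user $1 from `log show` output.
# A unified-log line starts with "YYYY-MM-DD HH:MM:SS.ffffff+zzzz" and sudo
# logs its message as "<user> : TTY=... ; COMMAND=...". `log show` prints
# oldest first, so the last matching line is the latest use.
last_sudo_use() {
    awk -v u="$1" '
        / sudo: / && index($0, " " u " : ") { ts = $1 " " substr($2, 1, 8) }
        END { print (ts == "" ? "never" : ts) }'
}

# Combine both lookups into the one-line <result> an EA must print.
# $2 is `last` output, $3 is `log show` output (both passed as strings).
admin_usage_result() {
    user="$1"
    login=$(printf '%s\n' "$2" | last_interactive_login "$user")
    sudo_ts=$(printf '%s\n' "$3" | last_sudo_use "$user")
    printf '<result>%s: last login %s; last sudo %s</result>\n' "$user" "$login" "$sudo_ts"
}

# Live collection on a Mac (the flags are real `last`/`log` options; the
# 30-day window is an assumption, tune it to how often inventory runs).
collect_live() {
    admin_usage_result "$1" "$(last "$1")" \
        "$(log show --last 30d --predicate 'process == "sudo"' 2>/dev/null)"
}

# --- CONSTRUCTED sample output, shaped like the real commands' output ---
SAMPLE_LAST='jsmith    ttys001                   Mon Jul 26 09:02   still logged in
jsmith    console                   Sun Jul 25 18:40 - 19:05  (00:25)
ladmin    console                   Fri Jul 23 07:15 - 07:40  (00:25)
reboot    ~                         Fri Jul 23 07:12
wtmp begins Thu Jul  1 00:00'

SAMPLE_LOG='Timestamp                       Thread     Type        Activity             PID    TTL
2021-07-25 18:42:10.120934+0100 0x1a2b     Default     0x0                  512    0    sudo: jsmith : TTY=ttys000 ; PWD=/Users/jsmith ; USER=root ; COMMAND=/usr/bin/id
2021-07-26 08:55:03.001122+0100 0x2c3d     Default     0x0                  777    0    sudo: ladmin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/installer -pkg /tmp/x.pkg -target /
2021-07-26 09:03:41.555000+0100 0x3e4f     Default     0x0                  801    0    sudo: jsmith : TTY=ttys001 ; PWD=/Users/jsmith ; USER=root ; COMMAND=/usr/bin/softwareupdate -l'

# Offline demonstration against the samples (use collect_live on a Mac).
for u in jsmith ladmin svc_backup; do
    admin_usage_result "$u" "$SAMPLE_LAST" "$SAMPLE_LOG"
done
```

As an EA you would call `collect_live` once per account that the `dscl`/`dsmemberutil` loop from the other answer identifies as an admin, and then build an Advanced Computer Search or smart group on the EA value; an account that shows "never" for both fields over the chosen window is a candidate for review.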
Posted on 06-29-2021 02:26 PM
An EA is the "simple" way if you want to report on it regularly. You can check it for any individual machine by looking at the computer record, at "Local Accounts" on the left-hand side, and then looking for the admin column, but for an EA, here is what we use: (note, we normally create our own local admins with UID under 500 to omit them)
#!/bin/bash
# Script to detect if a computer has a local admin account on it with a UID above 500

# Initialize array
list=()

# generate user list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    # Checks to see which usernames are reported as being admins. The
    # check is running dsmemberutil's check membership and listing the
    # accounts that are being reported as admin users. Actual check is
    # for accounts that are NOT "not an admin" (i.e. not standard users.)
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the array list
        list+=("${username}")
    fi
done

# Prints the array's list contents
echo "<result>${list[@]}</result>"
Here is an alternate version I've used previously, expanded a bit to let you list specific accounts to exclude:
#!/usr/bin/env -i /bin/bash
# Force the script to quit if any error encountered
set -e

# Initialize array variable to hold admin usernames
list=()

# For all users with a userID above 500 (aka: not hidden) check if they are an admin;
# if so, AND not a known administrative service account, add to the list array
for username in $(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }'); do
    if [[ $(/usr/bin/dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Replace each YOURADMINUSER with an account name to exclude from the report
        if [[ "${username}" != 'YOURADMINUSER' ]] && [[ "${username}" != 'YOURADMINUSER' ]] && [[ "${username}" != 'YOURADMINUSER' ]] && [[ "${username}" != 'YOURADMINUSER' ]]; then
            list+=("${username}")
        fi
    fi
done

# Print all items in the list array
/bin/echo "<result>${list[@]}</result>"
Once implemented, just set up an Advanced Computer Search with the EA selected in the "Display" tab to generate your report. If using the 2nd approach, you can also set up a smart group to gather all machines that have anything outside of the "expected" result.
Posted on 07-01-2021 02:18 PM
@T.Armstrong Thanks, that is most useful!
Can anyone advise how I can go about reporting on any time a local administrator account is used? I know I can use the 'last' command to see the last time the account was logged into, but I could do with knowing when a user has used the account non-interactively.
04-07-2022 06:07 AM - edited 04-07-2022 06:08 AM
@T_Armstrong, Good day,
Thank you for sharing your scripts. Question about your post.
"Once implemented, just set up an Advanced Computer Search with the EA selected in the "Display" tab to generate your report. If using the 2nd approach, you can also set up a smart group to gather all machines that have anything outside of the "expected" result."
I do not do any Advanced Computer searches using scripts, how exactly do I point to your script in there so that it can be used to collect that data? By the way, I'm using the second script you have posted here.
I appreciate your time my friend!
Posted on 07-26-2022 12:13 PM
Sorry, only saw this now. You're not pointing to the script in any searches - the script is creating the data in an extension attribute captured in the inventory data (last line of the script:
/bin/echo "<result>${list[@]}</result>"
). So in your search, you're just filtering on the EA data itself.
Posted on 09-29-2022 09:52 AM
Hi,
I'm very new to JAMF and I can't seem to figure out what EA means?
Posted on 09-29-2022 10:48 AM
"Extension Attribute"
Basically custom inventory data that you can collect during inventory.