Reporting on local Administrator accounts

user-BqBTAgwquG
New Contributor II

I've been asked to report on how many Macs enrolled into our on-premise Jamf Pro instance (currently ~350) have local administrator accounts set, and when they were last logged into.

Can anyone advise how best to go about this? Could this be done via an Extension Attribute?

1 ACCEPTED SOLUTION

For those interested, I ended up using the log command with the predicate option to do this.

These resources proved very useful:

https://stackoverflow.com/questions/380172/reading-syslog-output-on-a-mac

https://www.dssw.co.uk/reference/log.html


3 REPLIES

T_Armstrong
Contributor

An EA is the "simple" way if you want to report on it regularly. You can check it for any individual machine by looking at the computer record, at "Local Accounts" on the left-hand side, and then looking for the admin column, but for an EA, here is what we use: (note, we normally create our own local admins with UID under 500 to omit them)

#!/bin/bash

# Script to detect if a computer has a local admin account on it with a UID above 500

# Initialize array
list=()

# Generate the list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do

    # Check which usernames are reported as admins. dsmemberutil prints either
    # "user is a member of the group" or "user is not a member of the group",
    # so the test keeps every account whose output does NOT contain "not"
    # (i.e. it drops the standard users).
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        # Any reported accounts are added to the array
        list+=("${username}")
    fi
done

# Print the array's contents, space-separated, in the format Jamf expects
echo "<result>${list[@]}</result>"

Here is an alternate version I've used previously, expanded a bit to let you list specific accounts to exclude:

#!/usr/bin/env -i /bin/bash

# Force the script to quit if any error is encountered
set -e

# Known administrative accounts that should not be reported.
# Placeholder: list each account to exclude as its own quoted entry.
excluded=( 'YOURADMINUSER' )

# Initialize array variable to hold admin usernames
list=()

# For all users with a UID above 500 (UIDs below 500 are hidden from the login window by default),
# check if they are an admin; if so, AND not a known administrative service account, add to the list array
for username in $(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }'); do
    if [[ $(/usr/bin/dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        skip=0
        for ex in "${excluded[@]}"; do
            if [[ "${username}" == "${ex}" ]]; then
                skip=1
            fi
        done
        if [[ "${skip}" -eq 0 ]]; then
            list+=("${username}")
        fi
    fi
done

# Print all items in the list array
/bin/echo "<result>${list[@]}</result>"

Once implemented, just set up an Advanced Computer Search with the EA selected in the "Display" tab to generate your report. If using the second approach, you can also set up a smart group to gather all machines that have anything outside of the "expected" result.

user-BqBTAgwquG
New Contributor II

@T.Armstrong Thanks, that is most useful!

Can anyone advise how I can go about reporting on any time a local administrator account is used? I know I can use the 'last' command to see the last time the account was logged into, but I could do with knowing when a user has used the account non-interactively.
