script to detect if logged in user is mobile cached account

tkimpton
Valued Contributor II

Hi guys

I was wondering if someone can help me.

I'm trying to run a script if the currently logged-in user is a cached mobile account.

Has anyone got any ideas?

Thanks


mm2270
Legendary Contributor III

Two ways. Check the UID, which should be above 1000 (typically much higher than that), although it's been mentioned on other threads that the UID can be spoofed pretty easily, so it's not an absolute way. The better way, as was mentioned, is to check for the OriginalAuthenticationAuthority key as part of the account's info from dscl. That key does not exist in local accounts, but will with cached AD mobile ones.

So...

#!/bin/bash

# Short name of the user who owns /dev/console (empty at the login window).
loggedInUser=$(ls -l /dev/console | awk '{print $3}')

# OriginalAuthenticationAuthority is only present on cached AD mobile accounts.
# When the key is missing, dscl prints nothing to stdout (the error goes to
# stderr), so the test is true only when the attribute exists.
if [[ -n $(dscl . read "/Users/${loggedInUser}" OriginalAuthenticationAuthority 2>/dev/null) ]]; then
    echo "$loggedInUser is an AD mobile account"
else
    echo "$loggedInUser is a local account"
fi

Should get you what you're looking for.

tkimpton
Valued Contributor II

Thanks very much for your help.

stev0232
New Contributor

This works a treat, thanks.

tlarkin
Honored Contributor

@mm2270

Just wanted to add one thing. Anyone with sudo rights and dscl can modify any attribute. So, you can spoof almost anything in there. You might want to look at actually checking if the computer is bound to AD (or LDAP), then take that user's UID and see if it is in AD and not look at the local dscl entry.

I remember an old thread where the IT admin was claiming users were changing their UIDs to over 1000 on local accounts. I did some testing and I was able to use the -append switch in dscl and was able to basically spoof any attribute I wanted to in the local user record.
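Putting mm2270's OriginalAuthenticationAuthority check and tlarkin's "confirm it against the directory" advice together, here is an added example script (not from anyone in this thread). It treats the local record as a hint and only reports a mobile account as confirmed when the Mac is bound and the directory returns the same UniqueID for that name; AD_NODE is a placeholder you must set to your own bound node, and the dscl/dsconfigad output is passed into the parsing functions as text so the logic can be checked off a bound Mac.

```bash
#!/bin/bash
# Added example, not from the thread: local OriginalAuthenticationAuthority hint,
# UID extraction, and a cross-check of that UID against the directory node.
AD_NODE="/Active Directory/DOMAIN/All Domains"   # placeholder: your bound AD node
console_user() {                     # same approach as the script above
    ls -l /dev/console | awk '{print $3}'
}
# "mobile" if the local record (dscl . -read /Users/<name>) carries
# OriginalAuthenticationAuthority, else "local". Editable with sudo, so a hint only.
classify_local_record() {
    case "$1" in
        *OriginalAuthenticationAuthority:*) echo "mobile" ;;
        *) echo "local" ;;
    esac
}
# UniqueID from a dscl record; prints nothing if the attribute is missing.
record_uid() {
    printf '%s\n' "$1" | awk '$1 == "UniqueID:" {print $2; exit}'
}
# True when `dsconfigad -show` reports a bound domain (an unbound Mac prints nothing).
ad_bound() {
    case "$1" in
        *"Active Directory Domain"*) return 0 ;;
        *) return 1 ;;
    esac
}
# True when the UID in the local record equals the UID the directory returns for
# the same name (dscl "$AD_NODE" -read /Users/<name> UniqueID). A local account
# whose UID was merely edited above 1000 has no directory record and fails here.
uid_matches_directory() {
    [ -n "$(record_uid "$1")" ] && [ "$(record_uid "$1")" = "$(record_uid "$2")" ]
}
main() {
    user=$(console_user); [ -n "$user" ] || { echo "no console user"; return 1; }
    localrec=$(dscl . -read "/Users/$user" 2>/dev/null)
    if ad_bound "$(dsconfigad -show 2>/dev/null)" &&
       uid_matches_directory "$localrec" "$(dscl "$AD_NODE" -read "/Users/$user" UniqueID 2>/dev/null)"; then
        echo "$user: mobile account confirmed by directory"
    else
        # Unbound, offline, or no directory record: fall back to the local hint.
        echo "$user: $(classify_local_record "$localrec") (local record only, not confirmed)"
    fi
}
case "${1:-}" in run) main ;; esac   # run with: ./script.sh run
```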