Posted on 07-23-2008 11:22 AM
Oh Wise ones,
I have a maintenance account on some machines and not others. I would like
to be able to create a smart group based on machines with this account, or
at least be able to do an inventory search for machines with the account.
Can this be done?
Paul Austin
Wachovia Desktop Services
704 427-0903
Posted on 07-23-2008 11:44 AM
Sure can...maybe.
Management Tab
Smart Computer Groups
New Smart Computer Group
Give the group a name and check the box if you want notification of additions or removals to the group
Click the + for Computer Info
Select Platform
In the field for Platform enter the word Mac
Click Save Group
Since you can only create smart groups with managed machines this should give them all to you. In fact you don't even need to put in any criteria and you should get the same results.
If you are specifically saying that you have a maintenance account that is NOT the same as the account the JSS uses to manage the machines, then I don't think there are any easy options built into the JSS to do that type of search en masse, although local account information is stored in the inventory record for each managed machine.
Hopefully that's helpful. Otherwise...feel free to submit a feature request. =)
Craig Ernst
Systems Management & Configuration
----------------------------------
University of Wisconsin-Eau Claire
Learning & Technology Services
105 Garfield Ave
Eau Claire, WI 54701
Phone: (715) 836-3639
Fax: (715) 836-6001
----------------------------------
ernstcs at uwec.edu
Posted on 07-24-2008 06:06 AM
When I first read this I thought "sure you can do this", but looking at the options for Smart Groups, I don't think you can. In fact, I don't even think you can with ARD either. Finding the machines that have the user should be fairly easy, just use "dscl" along with "grep" to identify the machines that have the account. The difficult part comes in identifying the machines somehow with a tag that the JSS can use. If the JSS could use the ARD text fields to build smart groups on, then you could write a value to one of the text fields and grep for that in the Smart Group.
Sorry, hope that gives you some ideas, but I just don't see a way to grep the text fields.
Steve Wood
Director, Information Technology
swood at integerdallas.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6907 | C 940.312.2475
Posted on 07-24-2008 08:17 AM
Hi All,
As of The Casper Suite, version 5.13, there wasn't any smart group functionality that will do this, but you could create a group of computers that either have or don't have a certain account. To do this, log into your JSS and click the Logs Tab. In the receipts section of that page, there is a link for "Local User Accounts." If you click this, it will display all of the local user accounts on managed machines with a button for "Computers with" (this account) or "Computers Without" (this account). A policy could then be scoped to this group to add the user account if that is what the goal is.
In The Casper Suite, version 6, this is available as a criterion for Smart groups in the Receipts Info section of the Smart Group interface. If you haven't received your notification of version 6 being available, have no fear! You will receive the download link by the end of the week.
Tedd Herman / Product Specialist
-----------------------------------------------------
JAMF Software
1011 Washington Ave. S, Suite 350
Minneapolis, MN 55415
-----------------------------------------------------
US Support 612-216-1296
UK Support 020-3002-3907
Posted on 07-24-2008 08:54 AM
Well, would you look at that. I'm glad to be proven wrong. Apparently the receipts section didn't jump out at me to be the place to look for user accounts. Thanks, Tedd.
Craig
Posted on 07-29-2008 10:27 AM
The only thing I see this lacking is accounts that have a UID under 500. So, if you are hiding an admin account on the system, you won't be able to find that system. At least that's what it appears to me. Maybe I'm wrong. I utilize a hidden account as a second admin in case the first admin account is compromised in any way.
And, I notice that under Inventory Preferences on the Admin tab (Admin tab -> Inventory Options -> Inventory Preferences) we can map the ARD fields to fields in Casper. This would be perfect for putting a "flag" for this user account and then building your smart group on that. For example, if I utilized a shell script in a policy that would place something in one of the ARD fields to indicate that user was on the system, I could then build my smart group. The shell script might look something like this (assuming a user name of "ardadmin"):
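#!/bin/bash
# Capture the matching account name (empty if ardadmin is not on this machine)
fieldText=$(dscl . list /Users | grep ardadmin)
# Write the result into ARD Computer Info field 1
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -computerinfo -set1 -1 $fieldText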
Now, obviously there is no error checking in this, which could be thrown in, and probably should. If the search returns nothing then you get the standard kickstart info about what flags to set. I think this is fine and it won't affect the outcome.
Once that runs on the machines they should flow into your smart group that is searching for ardadmin in the ARD1 field.
Hope that helps.
Steve Wood
Director, Information Technology
swood at integerdallas.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6907 | C 940.312.2475
Posted on 07-29-2008 10:42 AM
I was poking around with dscl not too long ago and I had an issue with
finding hidden accounts. I can't even remember what I was trying to do,
but I do remember stumbling upon this code.
/usr/bin/dscl . list /Users UniqueID
The UniqueID option will search all users by their UID. You can pipe
out a grep or awk and maybe print out a range of Unique IDs, or if you
know the ID you can get it that way perhaps. So, if you set your hidden
admin account for UID 480 you could do this
/usr/bin/dscl . list /Users UniqueID 480
and it should list that user account. I hope this may help someone.
Thanks,
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
Posted on 07-29-2008 10:55 AM
Err, should have proofread that....
It should be like this
/usr/bin/dscl . list /Users UniqueID | grep 480
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
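
Added example, not part of the original thread or any poster's code: the `grep` lookups above match substrings, so `grep 480` also hits UID 1480 or a name like `user480`. This sketch parses `dscl . list /Users UniqueID` output with exact field matches; the function names and the sample listing are constructed, and the rule for skipping built-in accounts (underscore prefix, `daemon`, UID 0 or below) is an assumption.

```shell
#!/bin/bash
# Added example: exact-match lookups over `dscl . list /Users UniqueID` output,
# where each line is "<shortname> <uid>". All function names are hypothetical.

# Constructed sample listing (not from a real machine) so this runs anywhere.
sample_dscl_output() {
cat <<'EOF'
_www                    70
daemon                  1
root                    0
ardadmin                480
ardadmin2               1480
jsmith                  501
user480                 502
EOF
}

# Real dscl on a Mac, constructed sample elsewhere.
list_users() {
  if [ -x /usr/bin/dscl ]; then
    /usr/bin/dscl . list /Users UniqueID
  else
    sample_dscl_output
  fi
}

# Read a listing on stdin; print the UID of the account named exactly $1.
uid_for_account() {
  awk -v name="$1" '$1 == name { print $2; found = 1 } END { exit !found }'
}

# Read a listing on stdin; print the account whose UID is exactly $1.
account_for_uid() {
  awk -v uid="$1" '$2 == uid { print $1; found = 1 } END { exit !found }'
}

# Read a listing on stdin; print name:uid for accounts with 0 < UID < 500 that
# are not built-in (assumption: built-ins start with "_" or are "daemon").
hidden_candidates() {
  awk '$1 !~ /^_/ && $1 != "daemon" && $2 > 0 && $2 < 500 { print $1 ":" $2 }'
}

target="ardadmin"   # account name used in the thread
if uid=$(list_users | uid_for_account "$target"); then
  echo "$target present (UID $uid)"
else
  echo "$target not present"
fi
```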