see if a user locally or mobile bound to AD with EA

Harrie
New Contributor III

Hi

Does anyone know an EA to see when a user is bound to AD locally or mobile?

thnx

7 REPLIES 7

mcrispin
Contributor II

Shamelessly stolen from Lisa Davies, append the user list to exclude any management accounts or missed hidden accounts.

#!/usr/bin/perl -w

my $userlist = `dscl . list /Users`;
chomp $userlist;

my @excludedusers = split(" ","root administrator daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");

my @userslist = split("
", $userlist);
my @users;

my $result = "";

foreach my $u (@userslist) {

        my $match = 0;

        foreach my $e (@excludedusers) {

                if ("$u" eq "$e") {
                        $match = 1;
                }
        }

        if ($match == 0) {
                push(@users, $u);
        }

}

foreach (@users) {

        my $node = `dscl . -read /Users/$_ OriginalNodeName | grep -v "OriginalNodeName:"`;
        chomp $node;

        if ($node =~ /Active Directory/) {
                $result = $result . "
$_ $node";
        }

}

$result =~ s/^
+//;

if ($result =~ /^$/) {
        system "echo "<result>None</result>"";
} else {
        system "echo "<result>$result</result>"";
}

AJPinto
Honored Contributor III

I believe what you are looking for is the UID of the accounts. I forget all the ranges but the really high UID's are mobile accounts, or domain level accounts. It may be UID's over 1000 are mobile accounts but don't hold me to that. Just to mention in the computer record in JAMF, if you go to "Local User Accounts" the UID's are listed there. The high numbers are mobile accounts.

We have an EA that reads the 501 account which is the UID of our local account. I tweaked it to read the UID of the current user. I this could be adapted further with elif functions to give different outputs if the UID is too low to be a domain account or to just say domain or not domain rather then giving you the UID. I hope this helps get you started.

#!/bin/sh

#Get the current logged in user to console
CurrentUser=`stat -f%Su /dev/console`

UID=$(dscl . -read /Users/$CurrentUser UniqueID)
echo "<result>$UID</result>"

exit 0

Harrie
New Contributor III

@mcrispin a shamelessly thank you

Harrie
New Contributor III

@AJPinto Sorry for my late response it doesn't give me the result am looking for
I like to see if someone is bound local or mobile as a result

mm2270
Legendary Contributor III

@Harrie I'm not exactly sure what you mean by "bound local or mobile" A cached mobile account is a local account in the sense that it has a home on the internal disk, but it's authentication authority lies outside of the local domain, usually with your LDAP.

One method o see if an account is actually a cached mobile account from a directory service is to see if it has the OriginalAuthenticationAuthority key when using dscl to read the account. Example

dscl . read /Users/username OriginalAuthenticationAuthority

If you get something back that shows Kerberosv5 and some domain information, usually in the format of username@DOMAIN.COMPANY.COM or something, then the account comes from a directory service.
If it comes back blank, then it's a pure macOS local account.

Harrie
New Contributor III

@mm2270 Thats exactly what I mean, thnx
I tested it on my laptop, result is "no such key" I guess that's blank ;), no cached mobile account
now I can try to figure out to make an EA out of it

thnx

mm2270
Legendary Contributor III

Yeah, I forgot that dscl will return 'no such key' if it can't find the specified key in the account record, so it's not actually blank.
But you should be able to use that to craft an EA out of it. Maybe grep for something in the output that should always show up in the results for an AD mobile account that won't show up for a local one, for example.