I'm the process of migrating the lab configurations I inherited so that students are not using admin accounts. Does anyone know of a method where I could configure a smart group that could contain a listing of computer systems with users logged into them with admin privileges so that I could then have that show up on my Dashboard for easy reference?
Running 9.32
+27Well, yes in fact. Have a similar SMART group for different purposes. Here's what I do.
•) My administrative account for the JSS is "admin", this is important.
•) My students machines are all in easily identifiable 'departments' In my case they are called:
student
student-loaner
Now, I use the following extension attribute found somewhere here on JAMFNation (Sorry for lacking attribution), to determine which accounts on any given unit are administrative users:
#!/bin/bash
# Script to detect if a computer has a local admin account on it with an UID of above 500
# Initialize array
list=()
# generate user list of users with UID greater than 500
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
# Checks to see which usernames are reported as being admins. The
# check is running dsmemberutil's check membership and listing the
# accounts that are being reported as admin users. Actual check is
# for accounts that are NOT not an admin (i.e. not standard users.)
if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
# Any reported accounts are added to the array list
list+=("${username}")
fi
done
# Prints the array's list contents
echo "<result>${list[@]}</result>"I've called this Extension Attribute "Admin Users"... Cryptic I know.
So my SMART criteria are as follows:
• Extension Attribute: "Admin Users" IS NOT "admin" -This will show any unit who has an account additional to my admin user. Afterall, if the only adminsitrative account was "admin" then that would be the only output. Anything else trips the policy and qualifies.
---AND---
(
Department IS "Student"
---OR---
Department IS "Student-Loaner"
)
Thanks Chris_Hafner - this wasn't exactly what I had set out to have but might be more useful as I think about it. I just now ran it locally and noticed that it didn't pick up active directory accounts which will be a problem. I hadn't realized that AD accounts might be treated differently for something like this or I would have mentioned we were using AD to begin with.
Regardless this looks like it could be good for checking if any local admin accounts are created.
+27Check out this thread. There are several options for EA
https://jamfnation.jamfsoftware.com/discussion.html?id=2411
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.