Stop admin users from change name and accounts?

jolo
New Contributor

Hi
I am pretty new working with mac and now I have run into I problem. All my users are admin (don’t ask me why) and they are making my life hard by changing their computer names and creating local accounts. So, im working on a script that runs at login and checks if the local computer name match the one in active directory. I also want to check if the user account is a network account, either by checking if it’s a mobile account or if it’s a ad account. Can anyone put me on the track on how to solve this?

7 REPLIES

damienbarrett
Valued Contributor

I think you'll discover that this kind of thing is best handled by a well-written Acceptable Use Policy and end-user training. All of our students are admins and this is how we've been able to address this. Computer names can be enforced via JSS, so that if one changes, JSS can flip it back. And I have an Extension Attribute set to look for any extra accounts on machines. A simple weekly report shows me which students have created a second account (a violation of the AUP) and then the issue can be dealt with by the Administration.

We also spend a fair amount of time making sure our students know what's in our AUP. We have a "Driver's Manual" that they must read and then take a "Driver's Test" before they are allowed to have Administrator rights on their Macs. http://driversmanual.mka.org

tlarkin
Honored Contributor

This is a common question during Jumpstarts and I usually propose using a policy to set this. Under the advanced tab in a policy there is an option to Reset Computer Names via a check box. You could have a policy running Every 15 and ongoing to reset the computer name, and it will reset the computer name to the one in the JSS inventory database.

As for the local user accounts, this is what I would recommend. Create a completely separate user account for all local Casper management. Hide it, and set a policy to randomize the password for that account every week or so. Then create a separate local account for IT management and usage and also hide it.

Hiding it will give it a UID of under 500. Then when you look at Network accounts like AD/OD and non mobile accounts they will always have a UID of over 1,000. Since your local accounts for IT usage are hidden they will have a UID of under 500. You can then build logical data off of that concept and check for any local user account in UID range 500 to 999. You will know those are accounts you did not create.

Then you can take action from there. I can give an example of what I have used in the past.

dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 1000 { print $1 }'

That will give you a list of all local accounts on the system within that UID range (500-999). You can then take action on those accounts and, say, change their default shell to /bin/false and disable them, or use the dscl command to delete them, or simply flag them in smart groups based on extension attributes to report on it.

Hope this helps.

Thanks,
Tom
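
The UID-range check above, plus the computer-name comparison the original poster asked about, as an added example script (not code from this thread or from Jamf). It assumes the IT-created accounts are named "casperadmin" and "itadmin" (edit ALLOWLIST) and that the expected computer name is handed in as script parameter $4, the way Jamf policies pass parameters:

```shell
#!/bin/sh
# Added example, not code from the thread: Tom's UID-range check turned into a
# Jamf extension-attribute style script, plus the computer-name comparison the
# original poster asked about. Assumed names: the IT accounts "casperadmin" and
# "itadmin" (edit ALLOWLIST), and that the expected computer name arrives as
# script parameter $4 the way Jamf policies pass parameters.

ALLOWLIST="casperadmin itadmin"

# Reads "name uid" lines (the format `dscl . list /Users UniqueID` prints) on
# stdin and prints the names with UID 500-999 that IT did not create.
unexpected_local_accounts() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 2 && $2 ~ /^[0-9]+$/ && $2 >= 500 && $2 < 1000 && !($1 in ok) { print $1 }'
}

# Wraps a name list in the <result> tags a Jamf extension attribute expects,
# "none" when there is nothing to report, so a smart group can key on it.
ea_result() {
    names=$(tr '\n' ' ' | sed 's/ *$//')
    printf '<result>%s</result>\n' "${names:-none}"
}

# Exit 0 when the name the Mac reports equals the name IT assigned, else 1;
# a login policy can branch on this and reset the name.
computer_name_matches() {
    [ "$1" = "$2" ]
}

# Constructed sample of dscl output so the functions can be tried offline.
SAMPLE='_mbsetupuser 248
casperadmin 499
itadmin 498
jolo 1001
student2 501
rogue 502'

if [ "${1:-}" = "--live" ]; then
    # Real commands on a Mac: dscl lists local users, scutil reports the name.
    dscl . list /Users UniqueID | unexpected_local_accounts | ea_result
    computer_name_matches "$(scutil --get ComputerName)" "${4:-}" \
        || echo "computer name differs from expected '${4:-}'"
else
    printf '%s\n' "$SAMPLE" | unexpected_local_accounts | ea_result
fi
```

Run it with `--live` on a Mac as an extension attribute or a login-triggered policy script; without the flag it only exercises the constructed sample.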

jolo
New Contributor

Thanks for the replies. I use JSS to change back computer names, but when the computer name is changed on a machine it changes the name in the inventory. If I use the Reset Computer Names policy, can I force it some way to use the original name and not the name that I see in the inventory?

bentoms
Release Candidate Programs Tester

You could also look at using MCX to grey out the Sharing & Accounts preference panes.

That way even admins cannot change using the GUI.

jolo
New Contributor

Already grayed out Sharing & Accounts and blocked Terminal, but the users seem to change the name through Terminal when they are outside our network.

asd_alozano
New Contributor

Hi guys,

Has anyone come up with new solutions to this issue?
Would really appreciate an update.

Thanks.

Chris_Hafner
Valued Contributor II

Are they adding accounts for a good reason? Sorry, in my head I'm trying to figure out if there's a need not being met or if this is a behavioral HR type issue.