Posted on 10-10-2011 04:21 PM
I need a way to track all the admin accounts on our laptops. I would like this ability because I work for a school district and the students enjoy trying to compromise the admin password. One student has done so this year, and I found out because of the application logs. I know I can change the password remotely and have done so already this school year.
I would like to be alerted when a user goes from standard to admin or create a smart group with all accounts that are admins on the laptops in our JAMF inventory.
Thanks for the help,
Dave
Posted on 10-11-2011 12:59 AM
Hi Dave,
You can use this EA:
dscl . -read /Groups/admin | grep GroupMembership | awk -F "[':']" '{print $2}' | sed 's/^.//' | tr " " "\n" | wc -l
This EA counts the admin users on each machine, and you can create a Smart Group to display this list.
Best Regards
- Michael Rieder | HSD München | mrieder at hsd.de | www.hsd.de
Posted on 10-11-2011 04:25 AM
You don't need to grep for GroupMembership; you can call items directly with dscl. Again I would use cut: less overhead than awk, and now you don't need to remove leading whitespace:
dscl . -read /Groups/admin GroupMembership | cut -d " " -f 2- | tr " " "\n"
Sean
Posted on 10-11-2011 06:18 AM
$ dscl . -read /Groups/admin
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 8F548540-12BF-4E67-BE6E-9B06CCCEFCC4 5F7121F1-5B20-477C-821D-8D166B3307C1
GroupMembership: root walter wrowe casperservice
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin BUILTIN\Administrators
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-544
$ dscl . -read /Groups/admin | awk '/GroupMembership/'
GroupMembership: root walter wrowe casperservice
$ dscl . -read /Groups/admin | awk '/GroupMembership/ { print NF-1; }'
4
$ dscl . -read /Groups/admin | awk '/GroupMembership/ { for (n=2;n<=NF;n++) { print $n; } }'
root
walter
wrowe
casperservice
The variable 'NF' in awk is a built-in variable that represents the number of fields in the record. Since the first field is always "GroupMembership:", you subtract one to get the number of users.
This will get you the count of admin users:
#!/bin/bash
adminAccts=$(dscl . -read /Groups/admin | awk '/GroupMembership/ { print NF-1; }')
echo "<result>${adminAccts}</result>"
This will get you the list of admin users:
#!/bin/bash
adminUsers=$(dscl . -read /Groups/admin | awk '/GroupMembership/ { for (n=2;n<=NF;n++) { print $n; } }')
echo "<result>${adminUsers}</result>"
Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov<mailto:walter.rowe at nist.gov>
301-975-2885
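As an added example (not code from the thread or from Jamf), here is Walter's awk approach wrapped in shell functions that take the dscl record text as an argument, so it can be exercised against a constructed copy of the record shown above without a Mac. On a real machine you would pass "$(dscl . -read /Groups/admin)" instead. It also handles the case where the record has no GroupMembership line at all, reporting a count of 0 rather than empty output.

```shell
#!/bin/bash
# Added example. Parses the "GroupMembership:" line of a
# `dscl . -read /Groups/admin` record into a count and a list of admins.
# SAMPLE_DSCL_OUTPUT is a constructed copy of the record posted in the thread.

SAMPLE_DSCL_OUTPUT='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembership: root walter wrowe casperservice
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin BUILTIN\Administrators'

# Print one admin username per line. $1 is the full dscl record text.
# Field 1 is the "GroupMembership:" key, so the names start at field 2.
admin_list() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (n = 2; n <= NF; n++) print $n }'
}

# Print the number of admin usernames (NF minus one for the key).
# If the line is missing entirely, print 0 instead of nothing.
admin_count() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { c = NF - 1 } END { print c + 0 }'
}

# Wrap the list in the <result> tags a Jamf extension attribute expects.
admin_ea_result() {
    printf '<result>%s</result>\n' "$(admin_list "$1")"
}

# Stand-alone usage against the constructed sample:
admin_count "$SAMPLE_DSCL_OUTPUT"
admin_ea_result "$SAMPLE_DSCL_OUTPUT"
```

Anchoring the pattern with `^` keeps a stray "GroupMembership" substring in some other attribute (such as a RealName) from being counted.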
Posted on 10-11-2011 06:19 AM
If run as a login script via Casper, $3 returns the current user.
dscl . read /Groups/admin GroupMembership | grep -cw "$3"
If it equals 1, the user is a member; if it equals 0, not a member.
-Tom
Posted on 01-26-2012 10:47 AM
Tom, thanks for this. I am unsure how to utilize this script in the workflow. I have the following (maybe I am missing something).
#!/bin/bash
dscl . read /Groups/admin GroupMembership | grep -cw "$3"
exit 0
That is, once it is set up as a policy -> login script, how do I further configure the policy to utilize "equals 1" to list the admin users in either an inventory report or smart group?
Thanks
Posted on 01-26-2012 11:15 AM
Something like this:
#!/bin/bash
if [[ $(dscl . read /Groups/admin GroupMembership | grep -cw "$3") == 1 ]]
then echo "$3 is an admin"
else echo "$3 is not an admin"
fi
exit 0
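As an added example, not code from the thread, the membership check below compares whole usernames instead of grepping for a substring, which matters because `grep -c al` also matches "walter". Both versions take the username and the GroupMembership line as arguments so they can be tested against a constructed line here; on a Mac the login script would pass "$3" and "$(dscl . -read /Groups/admin GroupMembership)".

```shell
#!/bin/bash
# Added example. Exact-match admin check versus the substring match a bare
# grep performs. SAMPLE_MEMBERSHIP is a constructed GroupMembership line.

SAMPLE_MEMBERSHIP='GroupMembership: root walter wrowe casperservice'

# Substring check: prints the number of lines containing $1 anywhere,
# so a short name like "al" is reported as a member because of "walter".
admin_match_count_substring() {
    printf '%s\n' "$2" | grep -c "$1"
}

# Exact check: exit 0 only if some whole field on the GroupMembership
# line equals the username in $1; exit 1 otherwise.
is_admin() {
    printf '%s\n' "$2" | awk -v user="$1" '
        /^GroupMembership:/ { for (n = 2; n <= NF; n++) if ($n == user) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Same message format as the login script in the thread, where Jamf
# supplies the logging-in user as $3.
report_admin() {
    if is_admin "$1" "$2"; then
        echo "$1 is an admin"
    else
        echo "$1 is not an admin"
    fi
}

# Stand-alone usage against the constructed line:
report_admin walter "$SAMPLE_MEMBERSHIP"
report_admin al "$SAMPLE_MEMBERSHIP"
```

Because `is_admin` reports through its exit status rather than printed text, it can be used directly in an `if` in a policy script, and the output of the surrounding policy is what shows up in the Jamf policy log.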