Mobile and Local Accounts

Contributor II

I saw a discussion on slack yesterday about creating EA's to determine whether a user is local or mobile, and what may be the authoritative domain.

Here are two EA's to do this more accurately than by UID, by using the OriginalNodeName key in dscl.

  • List all mobile accounts and the domain
#!/usr/bin/perl -w

my $userlist = `dscl . list /Users`;
chomp $userlist;

my @excludedusers = split(" ","root daemon nobody _amavisd _appleevents _appowner _appserver _ard _assetcache _astris _atsserver _avbdeviced _calendar _ces _clamav _coreaudiod _coremediaiod _cvmsroot _cvs _cyrus _devdocs _devicemgr _displaypolicyd _distnote _dovecot _dovenull _dpaudio _eppc _ftp _gamecontrollerd _geod _iconservices _installassistant _installer _jabber _kadmin_admin _kadmin_changepw _krb_anonymous _krb_changepw _krb_kadmin _krb_kerberos _krb_krbtgt _krbfast _krbtgt _launchservicesd _lda _locationd _lp _mailman _mbsetupuser _mcxalr _mdnsresponder _mysql _netbios _netstatistics _networkd _nsurlsessiond _nsurlstoraged _ondemand _postfix _postgres _qtss _sandbox _screensaver _scsd _securityagent _serialnumberd _softwareupdate _spotlight _sshd _svn _taskgated _teamsserver _timezone _tokend _trustevaluationagent _unknown _update_sharing _usbmuxd _uucp _warmd _webauthserver _windowserver _www _wwwproxy _xserverdocs");

my @userslist = split("
", $userlist);
my @users;

my $result = "";

foreach my $u (@userslist) {

        my $match = 0;

        foreach my $e (@excludedusers) {

                if ("$u" eq "$e") {
                        $match = 1;

        if ($match == 0) {
                push(@users, $u);


foreach (@users) {

        my $node = `dscl . -read /Users/$_ OriginalNodeName | grep -v "OriginalNodeName:"`;
        chomp $node;

        if ($node =~ /Active Directory/) {
                $result = $result . "
$_ $node";


$result =~ s/^

if ($result =~ /^$/) {
        system "echo "<result>None</result>"";
} else {
        system "echo "<result>$result</result>"";
  • List account type of the current user
#!/usr/bin/perl -w

my $USER=`ls -l /dev/console | cut -d " " -f 4`;

chomp $USER;

if ($USER !~ /^a-zA-Z0-9]*$/) {

        $RESULT=`dscl -q /Local/Default -read Users/$USER OriginalNodeName | grep -v "OriginalNodeName" | cut -d " " -f 2-`;
        chomp $RESULT;

        if ($RESULT =~ /^$/) {

                printf "<result>Local user $RESULT $USER</result>

        } else {

                printf "<result>AD user $RESULT $USER</result>

} else {

        printf "<result>User not determined</result>

Contributor III

This is super helpful; thanks for posting these EAs!

New Contributor III

Hi, just came across this while searching. We have Macs that were bound to AD, but we are now removing them and enrolling into JAMF. However I am still seeing some of these Macs still bound to AD, and unfortunately, some accounts still authenticating to AD. I think this will work for me. Trying to create an EA that will show me which account are still authenticating to AD (mobile) and those that are strictly local. Will this EA work for me? I was trying to setup it up as:
Criteria: The EA above Operator: is Value: AD User
IDK, doesn't seem to be working for me. Thanks for any help.