Help

Extension Attribute for Checking AD vs. Local User

Go to solution
Philsto
New Contributor II

Posted on ‎06-09-2014 09:18 AM

I need an extension attribute to check if the logged in user (or any user) on a given machine is an AD user. We are trying to weed out users who are not authenticating against AD. We are using mobile accounts. Here is what I have at this point:

#!/bin/sh

result=$(ls -al /Users/ | grep Domain | awk '{print $4}')

if [ "$result" == "MYDOMAINDomain" ]; then
result="AD User"
else
result="Local User"
fi

echo "<result>$result</result>"

exit 0

However, I see there are some users who slipped through who have authenticated, probably because they are logged in as local users but have authenticated to AD in the past (?).

I could also test against users who are over 600 users by running:

dscl . -list /Users UniqueID

and filtering out users under 600, but am unclear on how to do that filtering.

In any scenario, there is probably a more graceful way of doing this, and am wondering if anyone has any suggestions?

Thanks.

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
ctangora
Contributor III

Posted on ‎06-09-2014 11:51 AM

The trick is to look in dscl and look at the "OriginalAuthenticationAuthority", as that is the hardest one to spoof.

dscl . -read /Users/yourusername | grep "OriginalAuthenticationAuthority"

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
mm2270
Legendary Contributor III

Posted on ‎06-09-2014 11:15 AM

There are a few threads here already with some sample scripts for EAs you can look at. Getting the Unique ID is one method, but as has been pointed out by some folks, its possible for a user to spoof that if they know how to and are so inclined.
Someone posted a good command to use to verify if the account is actually from a directory service and not local, despite any report of the UID. I'll have to find that thread and post back here with the link, because I don't remember now what was mentioned in the thread..

0 Kudos

Go to solution
ctangora
Contributor III

Posted on ‎06-09-2014 11:51 AM

The trick is to look in dscl and look at the "OriginalAuthenticationAuthority", as that is the hardest one to spoof.

dscl . -read /Users/yourusername | grep "OriginalAuthenticationAuthority"
0 Kudos

Go to solution
mm2270
Legendary Contributor III

Posted on ‎06-09-2014 11:53 AM

Yeah, I was just about to post a link to this thread, which you provided an answer for @ctangora
https://jamfnation.jamfsoftware.com/discussion.html?id=10179

0 Kudos

Go to solution
Philsto
New Contributor II

Posted on ‎06-09-2014 11:55 AM

Didn't catch that post, I will check it out, thanks much.

0 Kudos

Go to solution
ctangora
Contributor III

Posted on ‎06-09-2014 12:19 PM

It's tough to beat you to a post @mm2270.

0 Kudos

Go to solution
bentoms
Release Candidate Programs Tester

Posted on ‎06-09-2014 12:27 PM

I'd suggest grabbing the UniqueID & then looking it up against AD.

Part of the below script grabs the UniqueID of a users account on AD.

All you'd need to is get the logged users uniqueID & then look for the user on AD.

Should be pretty difficult for the users to get around.

http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/

0 Kudos