Local Admin account with ID < 500 Casper Imaging issue

endor-moon
Contributor II

I've been seeing an issue with Casper Imaging. As part of a nuke and pave imaging workflow, I created a package from the app CreateUserPkg that creates my primary admin account. I was using ID=499. However, on first boot after Casper Imaging I kept getting a dialog box stating "OS X needs to repair your Library to run applications. Type your password to allow this." I would find the home directory was missing important folders such as Desktop, Pictures, Music, Movies, and what there was of the home directory had incorrect permissions. I would end up booting in single-user mode, mounting the file system for writing and deleting the home directory to force a clean creation on next login after rebooting.

After changing the account ID to 501, the first "normal" ID in OS X, all is well. The only thing I modified in the admin account creation package was the account ID. The app chose a new UUID, of course, and I didn't bother to make it the same as it doesn't matter.

Anyone else seeing this problem? The OS I am imaging with is 10.9.5 on a Mac Pro 2013 and I am using Casper 9.73.

It has become such a pain to hide the admin account that I don't bother anymore. Just wanted to document the problem in case anyone else has come across it.

2 ACCEPTED SOLUTIONS

McLeanSchool
New Contributor III

We have a thin imaging setup that simply installs the OS, binds the computer to AD, and creates a management account with a local admin account on the machine. All configurations and packages are then downloaded on the first check-in. Here is a pic of our latest configuration. Just make sure to check the following boxes, and it will create the local admin account and hide it for you.


Josh_Smith
Contributor III

I'm using CreateUserPkg with 10.8, 10.9, and 10.10 in Casper Imaging configurations and it works flawlessly. (Thanks @MagerValp!!) I've been using it with 9.63 and 9.72. I just tried it with Imaging app version 9.73 and a 9.63 JSS and it worked as expected.

That message sounds like a permissions issue to me... are there any DMGs in your configuration using FEU? I've seen similar issues in the past. To troubleshoot that issue I would:

  1. Image a machine
  2. Before anyone has logged in, boot it into target disk mode
  3. ls -al the Users directory on the TDM machine
  4. If there is a local admin directory already there then review all of the files in it, make note of their permissions/ownership, and fix the DMGs that put them there.

I let Casper Imaging create the JSS management account (which the techs don't know the password for) and use CreateUserPkg to create a second local admin account that the techs can use. (One of the benefits: The secondary local admin account doesn't have SSH access, so techs can't ssh in to a box anonymously with a shared account. They can SSH in with their AD account which can be logged/audited.)

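The check in steps 3 and 4 above, written as a script; this is an added example, not part of the original post. The function name, the account short name and the volume path in the usage comment are hypothetical, the folder list is taken from the symptoms in the opening post, and it assumes the target-disk-mode volume is mounted with ownership honored rather than ignored.

```bash
#!/bin/bash
# Added example: audit a pre-created home folder on an imaged volume before first login.
# Usage (hypothetical paths): ./audit_home.sh "/Volumes/Macintosh HD/Users" localadmin 501

audit_home() {
    users_dir=$1   # Users directory on the target-disk-mode volume
    name=$2        # short name of the local admin account
    uid=$3         # UID the account package assigns (e.g. 499 or 501)
    home="$users_dir/$name"
    findings=0

    # No home folder yet is the clean case: it gets created at first login.
    if [ ! -d "$home" ]; then
        echo "OK       $home not present; nothing was laid down before first login"
        return 0
    fi

    # Anything under the home that is not owned by the account's UID was put
    # there by something other than that user (for example a DMG using FEU).
    wrong=$(find "$home" ! -uid "$uid" -print 2>/dev/null)
    if [ -n "$wrong" ]; then
        echo "OWNER    entries under $home not owned by uid $uid:"
        echo "$wrong" | while IFS= read -r p; do ls -ldn "$p"; done
        findings=1
    fi

    # A partially populated home lacks the standard folders named in the thread.
    for d in Desktop Pictures Music Movies; do
        if [ ! -d "$home/$d" ]; then
            echo "MISSING  $home/$d"
            findings=1
        fi
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK       $home is complete and owned by uid $uid"
    fi
    return "$findings"
}

# Run the audit only when called with the three arguments.
if [ "$#" -eq 3 ]; then audit_home "$@"; fi
```

An `OWNER` or `MISSING` line on a machine nobody has logged in to points at a package in the configuration that wrote into the home folder; the `ls -ldn` output shows the numeric owner to compare against the account's UID.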

5 REPLIES

donmontalvo
Esteemed Contributor III

Agreed with @McLeanSchool, if JSS offers a function, I'd rather use it than rely on a third party solution.

I'm a HUGE fan of Per Olofsson - AutoDMG is to die for - but CreateUserPkg doesn't seem to be actively developed anymore. Last update was in November 2013 (after 10.9 was released), probably not Yosemite aware.

CreateUserPkg on Github
CreateUserPkg at the Mac App Store

--
https://donmontalvo.com

endor-moon
Contributor II

Thanks for the responses. I'm still deploying OS X 10.9.5 for now. I like that CreateUserPkg lets me do a custom icon for my admin user but I suppose that isn't a big deal.

endor-moon
Contributor II

Yes, I removed everything that was FEU as I was getting a Keychain problem with those. Not sure which package file did the damage but I'm proceeding very carefully and I'm finding accounts created with CreateUserPkg are working just fine, although now for most things I use Casper's functionality. Still imaging my personal laptop that way and it works fine.