Looking to Modify an EA to Show ONLY Local Admins

Mhomar
Contributor

Hi Everyone. I could use some help here. I have looked all around JN (other sites as well) and I have not come across the answer.

I am currently using this EA to report Admin Accounts on a computer.

#!/bin/sh

################################################################
# Extension Attribute checks to display Admin Accounts on the computer.
################################################################

# Every account with a UID of 500 or above, minus the hidden service accounts (_*)
AdminAccount=$(dscl /Local/Default -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | grep -v "^_")

echo "<result> $AdminAccount </result>"

exit 0


It will report all accounts that have the local admin rights checked in the GUI. This includes mobile accounts that gain their admin rights via an AD security group when the computer is connected to the corporate network. Can anyone assist me in modifying the script above to report "truly" local admins? In other words, only those accounts that gain their rights by manually checking the box "Allow user to administer this computer"?

1 ACCEPTED SOLUTION

jack_bishop
New Contributor III

It doesn't look like that one-liner is returning a list of admins, but a list of accounts with a UID above 500 and without a leading underscore character. The script in the discussion @m.donovan links will give you a list of admins, regardless of how they got to be in the admin group. If I read your question right, you want a list of accounts that are admin, but not in the 'Allowed admin groups' in the AD plugin. To do that you have to add a line nested in the if of @rtrouton's script (and the closing 'fi'):

if [[ $(dsmemberutil checkmembership -U "${username}" -G "YourADGroupName") = *not* ]]; then
 list+=("${username}")
fi

This will check your AD group membership and add it to the array if it is not a member of "YourADGroupName".


4 REPLIES

m_donovan
Contributor III


sean
Valued Contributor

When you add a user by ticking the box, the username will be added to the list of admin users, so the below command will show that. Users that are admin by the security group won't show in this list.

dscl . read /Groups/admin GroupMembership | cut -d ":" -f 2

Check out the thread for further information and script ideas.

JN 19099

Mhomar
Contributor

Thanks Everyone!

@jack_bishop, your script adjustment seemed to do the trick. A follow-up question: how would I adjust the script example to accommodate 2 or more "AD group memberships"?
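The following is an added example, not code from the thread or from any of its posters. It combines sean's `dscl . read /Groups/admin GroupMembership` listing with jack_bishop's `dsmemberutil checkmembership` filter and generalizes the filter to any number of AD groups, which is the follow-up question above. The group names `YourADGroupName` and `AnotherADGroupName` are placeholders, the `dsmemberutil` wording ("user X is a member of group Y" / "user X is not a member of group Y") is assumed, and the directory used by `demo_local_admins` is a constructed sample so the logic can be exercised off a Mac. Unlike the one-line check in the accepted answer, only an explicit "is a member" answer removes an account from the report, so a mistyped or unreachable group name cannot silently hide a local admin.

```shell
#!/bin/bash
# Added example, not code from the thread. Reports members of the local admin
# group that are NOT members of any AD group listed in AD_ADMIN_GROUPS, i.e.
# accounts made admin by ticking "Allow user to administer this computer".
# The live path needs macOS (dscl, dsmemberutil); the parsing and filtering
# helpers are plain shell so they can be run against the constructed sample
# at the bottom.

# Space-separated AD groups that grant admin rights through the AD plugin.
# Placeholder names: replace with your own.
AD_ADMIN_GROUPS="${AD_ADMIN_GROUPS:-YourADGroupName AnotherADGroupName}"

# Turn the raw "GroupMembership: root alice bob" record line into one name per
# line (what sean's cut does) and drop root, which is always in the group.
parse_group_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' \
        | sed '/^$/d' | grep -v '^root$' || true
}

# dsmemberutil answers "user X is a member of group Y" or
# "user X is not a member of group Y" (assumed wording). Only the explicit
# positive counts as AD-granted; an empty answer (unknown group, tool failure)
# must not hide a local admin from the report.
is_member_output() {
    case "$1" in
        *" is a member of "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Real check. MEMBERSHIP_CHECK can be pointed at another function for testing.
membership_check() {
    dsmemberutil checkmembership -U "$1" -G "$2" 2>/dev/null || true
}

# Read usernames on stdin; print those in none of the AD_ADMIN_GROUPS.
filter_truly_local_admins() {
    local user group answer ad_member
    while IFS= read -r user; do
        if [ -z "$user" ]; then
            continue
        fi
        ad_member=0
        for group in $AD_ADMIN_GROUPS; do
            answer=$("${MEMBERSHIP_CHECK:-membership_check}" "$user" "$group")
            if is_member_output "$answer"; then
                ad_member=1
                break
            fi
        done
        if [ "$ad_member" -eq 0 ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# Live run on a Mac: admin group record -> names -> filtered list.
report_local_admins() {
    parse_group_members "$(dscl . read /Groups/admin GroupMembership)" \
        | filter_truly_local_admins
}

# ---- Constructed sample so the logic can run offline -----------------------
# Pretend directory: alice and bob are in AD groups, carol was ticked by hand.
SAMPLE_RECORD="GroupMembership: root alice bob carol"
fake_membership_check() {
    case "$1:$2" in
        alice:YourADGroupName|bob:AnotherADGroupName)
            printf 'user %s is a member of group %s\n' "$1" "$2" ;;
        *)
            printf 'user %s is not a member of group %s\n' "$1" "$2" ;;
    esac
}

# Runs the pipeline against the sample with the fake check; prints "carol".
demo_local_admins() {
    ( MEMBERSHIP_CHECK=fake_membership_check
      parse_group_members "$SAMPLE_RECORD" | filter_truly_local_admins )
}

# Run as "script --live" on a Mac to emit the EA result; without the flag only
# the functions are defined, so the file can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    printf '<result>%s</result>\n' "$(report_local_admins | tr '\n' ' ' | sed 's/ $//')"
fi
```

To use it as the EA body, drop the `--live` guard and keep the final `printf` line; the space-separated list in `<result>` matches what the original EA reports.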