Auditing Admin Actions

mykool
New Contributor III

Does anyone know of a way to monitor admin actions? Like, when an admin account is created, or when you have to authenticate as an admin to do something?

1 REPLY

PaulHazelden
Valued Contributor

dscl . -read /Groups/admin GroupMembership | sed 's/^.*: //'

Will give you the members of the admin group on the Mac. You should be able to check it for changes. Then if a new admin account is created you can be informed of this change.

I use this to compare to a list of authorised admin accounts, and demote any not authorised back to a standard account. The script also emails me the relevant information, so that I can investigate.

I haven't investigated logging admin authentications.
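
The comparison described in the reply above, as an added example (not PaulHazelden's script and not part of the original thread). The AUTHORISED list, the function names and the admin-audit log tag are assumptions; the email step is left out and the demotion command is shown only as a comment.

```shell
#!/bin/sh
# Added example: report macOS admin-group members that are not on an allowlist.

# Assumed, constructed allowlist of short names; replace with your own accounts.
AUTHORISED="root itadmin"

# Read the current members of the local admin group (same command as the reply).
current_admins() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^.*: //'
}

# unauthorised_admins "<members>" "<allowlist>"
# Prints, one per line, every member that is not an exact match for an
# allowlist entry. Both arguments are space-separated short names.
unauthorised_admins() {
    for member in $1; do
        case " $2 " in
            *" $member "*) ;;                 # exact match: authorised
            *) printf '%s\n' "$member" ;;     # not on the allowlist
        esac
    done
    return 0
}

# Only query the directory where dscl exists (i.e. on a Mac).
if command -v dscl >/dev/null 2>&1; then
    for user in $(unauthorised_admins "$(current_admins)" "$AUTHORISED"); do
        # Record the finding in the system log and on stdout for follow-up.
        logger -t admin-audit "unauthorised admin account: $user"
        echo "unauthorised admin account: $user"
        # To demote the account to standard, as the reply describes, run as root:
        # dseditgroup -o edit -d "$user" -t user admin
    done
fi
```

GroupMembership lists direct members only, so an account that gains admin rights through a nested group will not appear in this output.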