3 Replies Latest reply on May 19, 2015 9:00 AM by EMiranda

    Finding accounts with admin rights with Mac Agent?

    EMiranda Expert

      is it possible to find accounts with administrator rights on MAC machines in LANDesk? I know you can do this on the Windows side, but have not found a way to do on MACs or any guidance on the best possible way to report all my accounts out in my environment with administrator rights.

       

      Thanks,

       

      LANDesk Version 9.6

        • 1. Re: Finding accounts with admin rights with Mac Agent?
          Peter Massa Expert

          EMiranda,

           

          Take a look at my blog post here: Include Local Users and Groups in your OS X Inventories

           

          Those should gather the information you are looking for.

           

          If you only want group information added and not users simply comment out whichever one you don't want at the end of the script where it says:

           

          userDetails

          groupDetails

           

          Note: You will have to whitelist this data as it comes into your inventory otherwise it will not show up in your inventory data.  I have found that userDetails creates a lot more entries than groupDetails.

           

          Note: You could also alter the script to only gather the Administrators group.

           

          Peter

          1 of 1 people found this helpful
          • 2. Re: Finding accounts with admin rights with Mac Agent?
            csoto Specialist

            Hi, we have a similar requirement to identify users with admin rights. I created the following script such that it adds a simple Custom Data entry that lists the users in the "admin" group. It also shows if they are local or AD-based (as we use Active Directory for authentication).

             

            #!/bin/bash

             

            # ldadminusers -- finds all local or domain users with administrator privileges and adds

            #                 them to LANDesk Management Suite Custom Data. It also indicates whether

            #                 each user is an Active Directory or local user.

            #

            # SYNOPSIS

            #   ldadminusers

            #

            # REVERENCES

            # http://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x

            # https://community.landesk.com/support/docs/DOC-9232

            # https://jamfnation.jamfsoftware.com/discussion.html?id=10179

            #

            # Requires OS X 10.5 or later

             

            # Plist variables

            plistFile="/Library/Application Support/LANDesk/data/ldscan.core.data"

             

            # Check every user

            for each_username in `dscl . -list /Users`

              do

              if [[ `dsmemberutil checkmembership -U "$each_username" -G "admin"` == *"is a member"* ]]

              then

              if [[ `dscl . read /Users/$each_username OriginalNodeName 2>/dev/null` == *"Active Directory"* ]]

              then

              domain="AD"

              else

              domain="local"

              fi

              adminusers+="$each_username:$domain "

              fi

              done

             

            echo "Adding ${adminusers}"

             

            # Write the data to the LANDesk plist

            /usr/bin/defaults write "${plistFile}" "Custom Data - Mac - Admin Users" "${adminusers}"

             

            # eof

            1 of 1 people found this helpful
            • 3. Re: Finding accounts with admin rights with Mac Agent?
              EMiranda Expert

              Thanks, Im going to try these scripts out! Mac is new to me so this is a new world for me, but thanks for the responses!