Looking for local admin accounts on Mac OS X

(imported topic written by rzm10291)

I’ve had a look at this thread: http://forum.bigfix.com/viewtopic.php?id=30 and some others on how to check for local admins on computers.

When I run this command in the recently downloaded Relevance Debugger (Q and A) for Mac:

Q: names of local users whose (admin privilege of it)

E: The operator "local users" is not defined.

The operator is not defined on Mac?

Any help is appreciated. TIA

Rusty

(imported comment written by jessewk)

There is no local users inspector on the mac. Try ‘names of users’. Unfortunately, I don’t see an obvious way to detect if the user is an admin or not. I’ll ask around.

(imported comment written by NoahSalzman)

If it turns out there is no Relevance way to do it, there is always the two-step Action+Relevance using the dscl command.

Mac command to list users with admin privs

dscl . -read /Groups/admin

That may require Mac OS X 10.5 or higher.

(imported comment written by rzm10291)

Thanks all, I figured so.

I have this script which should collect the usernames of local users and tell me if anyone besides our local admins is in the admins group.

#!/bin/bash

# Are you a local admin?
LocalAdmins=$(sudo dscl . read /Groups/admin GroupMembership | sed 's/GroupMembership\:\ //g;s/root\ //g;s/etcadmin//g')
StripUsers=$(dscl . -list /users | grep -v \_ | sed "s/children//g;s/daemon//g;s/OURLOCALADMIN//g;s/nobody//g;s/root//g")
LocalUsers=$(echo $StripUsers)

# Note: the test expressions inside [ ] were lost when this post was imported;
# the ones below are reconstructed from the comments and are an assumption.
if [ -z "$LocalAdmins" ]; then
  # Write to log if user is not admin
  defaults write /Library/ETC/BigFix/machine.admin Admin "None"
elif [ -n "$LocalAdmins" ]; then
  # Write to log
  defaults write /Library/ETC/BigFix/machine.admin Admin "Yes"
fi

if [ -z "$LocalUsers" ]; then
  # Write to Log: No Users
  defaults write /Library/ETC/BigFix/machine.admin Users "None"
else
  defaults write /Library/ETC/BigFix/machine.admin Users "$LocalUsers"
fi

I then use an Analysis to collect the information in BES:

string "Admin" of dictionary of file "/Library/ETC/BigFix/machine.admin.plist"

and

string "Users" of dictionary of file "/Library/ETC/BigFix/machine.admin.plist"

This works on some machines, but not all. When I was testing it from the local machine, it worked without problem. However, when I run it from BES, it seems to create an empty file at “/Library/ETC/BigFix/machine.admin.plist”.

Any ideas?

I’ve tried adding sudo to the beginning of the commands, but I believe BES runs the scripts as root anyway…

TIA,

Rusty
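
An added example, not part of the original thread and not BigFix code: the sed substitutions in the script above delete substrings, so an allowed name such as "root" can erase part of a different account name. This sketch compares whole names from the `dscl . -read /Groups/admin GroupMembership` output against an allow-list; the function name `unexpected_admins` and the sample account names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list members of the macOS admin group
# that are not on an allow-list. Names are compared as whole words, so an
# allowed name such as "root" never erases part of another name ("rooty").

# unexpected_admins MEMBERSHIP ALLOWED
#   MEMBERSHIP  output of: dscl . -read /Groups/admin GroupMembership
#   ALLOWED     space-separated short names that are expected to be admins
# Prints unexpected members space-separated (empty line if none).
# Returns 2 if MEMBERSHIP is not a "GroupMembership:" record.
unexpected_admins() (
    set -f                               # no filename globbing on word split
    case "$1" in
        GroupMembership:*) members=${1#GroupMembership:} ;;
        *) echo "unexpected dscl output: $1" >&2; exit 2 ;;
    esac
    result=""
    for name in $members; do
        found=no
        for ok in $2; do
            if [ "$name" = "$ok" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then result="${result:+$result }$name"; fi
    done
    printf '%s\n' "$result"
)

# Constructed sample output; "etcadmin" is the allowed account name from the
# script above, the other names are made up for the demonstration.
sample='GroupMembership: root etcadmin rooty jsmith'
extra=$(unexpected_admins "$sample" "root etcadmin")
if [ -n "$extra" ]; then
    echo "Unexpected admins: $extra"
else
    echo "Admin: None"
fi
```

On a Mac the first argument would be the real command output, for example `unexpected_admins "$(dscl . -read /Groups/admin GroupMembership)" "root etcadmin"`; the non-zero return code lets a caller tell a failed lookup apart from an empty result.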

(imported comment written by MattBoyd)

jessewk

There is no local users inspector on the mac. Try ‘names of users’. Unfortunately, I don’t see an obvious way to detect if the user is an admin or not. I’ll ask around.

I would like to request that these inspectors be implemented in the Mac client in the future, if technically feasible. It seems like something that ought to be included.

(imported comment written by jessewk)

Agreed. I filed a bug to track the request the other day.