Anyone have any insight into how to detect the users on Mac’s?
On the Windows systems, a query of (Names of Local Users) will return the local user accounts. On a Mac, it returns nothing, even though there is documentation indicating that it SHOULD return the users. (aka v8.1 Inspector Documentation PDF).
We’re able to work around the ‘list the users’ case, but we are actually interested in which users have Administrator rights on the endpoints.
That query does work. It uses Open Directory to get the names. I just did it right now and while you get a bit too much info ( many names starting with ‘_’ ) you do get the names.
How did you try it? It may require QnA running as sudo to get the information.
Also, I added the phrase “names of local users” to an Analysis and got < undefined > back for ALL our Mac systems. We don’t currently use OpenDirectory.
which is a synonym on the Mac right now to local users and am getting replies back so this is strange if you get nothing. I’m adding the local users variant but it should be the same result
I have been using this to find who has local admin rights.
Will this catch everyone with root on OSX? Anything I am missing?
(concatenations "; " of strings of values of arrays of values of entries whose(key of it = “users”) of dictionaries of files “/var/db/dslocal/nodes/Default/groups/admin.plist”)