Users inspector on Macintosh systems

Anyone have any insight into how to detect the users on Macs?

On the Windows systems, a query of (Names of Local Users) will return the local user accounts. On a Mac, it returns nothing, even though there is documentation indicating that it SHOULD return the users. (aka v8.1 Inspector Documentation PDF).

We’re able to work around the ‘list the users’ case, but we are actually interested in which users have Administrator rights on the endpoints.

That query does work. It uses Open Directory to get the names. I just did it right now and while you get a bit too much info (many names starting with ‘_’) you do get the names.

How did you try it? It may require QnA running as sudo to get the information.

Q: names of local users
A: _amavisd
A: _appleevents
A: _appowner
A: _appserver
A: _ard
A: _assetcache
A: _astris
A: _atsserver
A: _avbdeviced
A: _calendar
A: _ces
A: _clamav
A: _coreaudiod
A: _coremediaiod
A: _cvmsroot
A: _cvs
A: _cyrus
A: _devdocs
A: _devicemgr
A: _displaypolicyd
A: _distnote
A: _dovecot

How can I force QnA to run as sudo?

Also, I added the phrase “names of local users” to an Analysis and got < undefined > back for ALL our Mac systems. We don’t currently use OpenDirectory.

Here’s what I get from QnA on my Mac …

Q: names of local users
T: 4323

Q: name of current user
A: Admin
T: 1863

Q: number of local users
A: 0
T: 18763

You need to run it via command line with “sudo” in front.

If you are using the 9.2.4 client then it’s the following in Terminal:

sudo /Library/BESAgent/BESAgent.app/Contents/MacOS/QnA

I have all my macs returning an analysis of:

 names of users

which is a synonym on the Mac right now to local users and am getting replies back so this is strange if you get nothing. I’m adding the local users variant but it should be the same result.

I created an Analysis with the NAMES OF USERS relevance, targeting Mac of Operating System.

I got 147 responses … 8 of the machines are returning Users.

Well first you are running 9.0.876 on OSX 10 where you should be running 9.2.4 (fixes an issue with patching) which may be a big part of it…

I have been using this to find who has local admin rights.
Will this catch everyone with root on OSX? Anything I am missing?

(concatenations "; " of strings of values of arrays of values of entries whose(key of it = "users") of dictionaries of files "/var/db/dslocal/nodes/Default/groups/admin.plist")
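
An added example, not written by any poster in this thread: a Python sketch that reads the same admin.plist and, besides the `users` key the relevance above pulls, also surfaces `groupmembers` and `nestedgroups`, which are assumed here to be the other membership keys of a dslocal group record. The sample plist, the `expected_admins` allow-list and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample in the layout of a dslocal group record
# (/var/db/dslocal/nodes/Default/groups/admin.plist). All values are made up.
SAMPLE_ADMIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key><array><string>admin</string></array>
  <key>gid</key><array><string>80</string></array>
  <key>users</key>
  <array><string>root</string><string>Admin</string></array>
  <key>groupmembers</key>
  <array><string>11111111-1111-1111-1111-111111111111</string></array>
  <key>nestedgroups</key>
  <array><string>22222222-2222-2222-2222-222222222222</string></array>
</dict>
</plist>
"""

MEMBERSHIP_KEYS = ("users", "groupmembers", "nestedgroups")


def admin_membership(plist_bytes):
    """Return every membership list of the group record, not only 'users'."""
    # plistlib.loads accepts both XML and binary plists.
    record = plistlib.loads(plist_bytes)
    return {key: list(record.get(key, [])) for key in MEMBERSHIP_KEYS}


def review(plist_bytes, expected_admins):
    """List entries an auditor should look at before trusting 'users' alone."""
    members = admin_membership(plist_bytes)
    findings = []
    for name in members["users"]:
        if name not in expected_admins:
            findings.append(f"unexpected admin short name: {name}")
    # Nested groups are stored as UUIDs; their members do not appear under 'users'.
    for group_uuid in members["nestedgroups"]:
        findings.append(f"nested group to resolve: {group_uuid}")
    return findings


if __name__ == "__main__":
    # On an endpoint, read the real file as root instead of the sample:
    # open("/var/db/dslocal/nodes/Default/groups/admin.plist", "rb").read()
    for line in review(SAMPLE_ADMIN_PLIST, expected_admins={"root"}):
        print(line)
```

Membership in the admin group is only one source of elevated rights; this sketch does not look at other mechanisms such as sudoers entries.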