check admin status of user accounts on OS X

Enterprise environments are tightly controlled, often having one or perhaps two admin accounts, with all end users having standard accounts only. This is a good thing for various reasons, mostly so that unapproved software, viruses, and malware are not installed onto company computers. However, through general use, troubleshooting, repairs, software requirements, or a host of other reasons, user accounts may be elevated to admin status, so it is best to be alerted quickly so that action can be taken to mitigate any problems before they occur. I’ve developed a script that is run periodically by Casper to examine user accounts in the /Users directory and write the name of any unexpected admin account, along with the computer it was found on, to a central repository.

#!/bin/bash
## This script checks all user accounts in the /Users directory for admin status, and
## if it finds any users outside of the AG standard admin accounts and
## local admin accounts or Mac Support AD group, writes a text file to
## CasperShare/MacAdminCheck with the computer name and which account
## was found to be an admin

ComputerName=`scutil --get ComputerName`
cd /Users || exit 1
for i in `ls | grep -v '[.]'`; do
    ## dseditgroup prints "yes <user> is a member of admin" or "no <user> is NOT a member of admin".
    ## Folders that are not user accounts (e.g. Shared) produce no "yes" and are skipped.
    CheckAdmin=`dseditgroup -o checkmember -m "$i" admin 2>/dev/null`
    IsAdmin=`echo "$CheckAdmin" | awk '{print $1}'`
    UserName=`echo "$CheckAdmin" | awk '{print $2}'`
    if [ "$IsAdmin" = "yes" ]; then
        ## Check the username against known admin accounts
        case "$UserName" in
            ## The approved AG and local admin account names are not shown on this page;
            ## list them here as case patterns, e.g.  name1|name2) ;;
            *)
                ## Is the user a member of the mac support AD group? Group members are granted admin rights, so exclude this possibility as well.
                CheckADMSAdmin=`dseditgroup -o checkmember -m "$UserName" mac\ support 2>/dev/null`
                if [ "$CheckADMSAdmin" != "yes $UserName is a member of mac support" ]; then
                    echo "$UserName is admin" > "/Volumes/CasperShare/MacAdminCheck/$ComputerName-$UserName.txt"
                fi
                ;;
        esac
    fi
done
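A complementary check, added here as an example and not part of the original post's script: instead of walking /Users and querying each home folder, read the admin group's membership directly with dscl and diff it against an approved list. This also catches admin accounts whose home folder is not under /Users (root, network or mobile accounts). The approved-admin names and the sample membership line are constructed placeholders.

```shell
#!/bin/bash
## Approved admin account names (placeholder list; replace with your own).
APPROVED_ADMINS="root admin"

## Print every member of a "GroupMembership: ..." line that is not in the
## space-separated allow-list, one name per line.
##   $1 = the dscl output line, $2 = the allow-list
unexpected_admins() {
    line="$1"
    allow="$2"
    ## Strip the "GroupMembership:" key, then test each remaining name.
    for member in ${line#GroupMembership:}; do
        found=0
        for ok in $allow; do
            [ "$member" = "$ok" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$member"
    done
    return 0
}

## On a Mac, read the live admin group; elsewhere use a constructed sample line
## so the script runs offline ("jdoe" is the unexpected admin in the sample).
if command -v dscl >/dev/null 2>&1; then
    MEMBERS=$(dscl . -read /Groups/admin GroupMembership)
else
    MEMBERS="GroupMembership: root admin jdoe"
fi

for u in $(unexpected_admins "$MEMBERS" "$APPROVED_ADMINS"); do
    echo "$u is admin"
done
```

In the Casper job, redirect the loop's output to the same CasperShare/MacAdminCheck file naming used by the script above.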
