[Casper] help and possible feature request, managing local users
Miles Leacy
miles.leacy at themacadmin.com
Tue Dec 9 12:42:29 PST 2008
I don't believe there is a Casper way (other than scripting, adding the
script to the JSS and creating a policy) to do what you describe. In order
to delete an account using the accounts tab you need to know the short name
of the account.
The script you shared seems like the way to go. You'll still need to demote
any unauthorized admins. You can adapt your script to do that.
I believe the operative bit will be:
dscl . delete /Groups/admin GroupMembership <shortname>
You can loop through /Users, as in your script. It is possible that someone
may have been smart enough to move their home directory, so I might want to
look into looping through the local directory service instead of the /Users
folder.
Change $keep to your local admin account, and remove the numbered account
exclusion since you want to catch "08jdoe" if it is an admin account.
As far as not being the boss, I think most of us are in or have been in that
situation. I suggest getting to know the person/people who *are* the
bosses. Write up sensible policies and get the boss(es) to sign them. I
mean print them out and have them actually put a pen to paper. A policy
document signed by the CIO/Dean/Director/Boss holds more weight than you or
I do.
This also gives you a great, socially acceptable way out of confrontational
situations where users demand something out of scope. With such a signed
policy, you should be held to it as well, since the boss approved it. Then
when you're asked to violate it, you can simply say that you're not
authorized to grant the request. Provide them with a copy of the policy
document and tell them that this policy was enacted by "The Boss" (whoever
signed the document). If that doesn't stop them from trying to get you to
violate the policy, you can say something to the effect of "I understand,
technology should serve the goals of the organization. If you feel strongly
that an exception or change to the policy is required in this case, I can
schedule a time when we can meet with "The Boss" to discuss it." I've found
that most of the time, this ends the discussion.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
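Looping through the local directory service and demoting unauthorized admins, as an added example (not code from this thread or from Casper); it assumes a placeholder local admin account named ladmin, treats root and _-prefixed system accounts as untouchable, and uses a constructed sample of dscl output where dscl is not available:

```shell
#!/bin/sh
# Added example (not from the thread). Demote admins not on an allow list,
# reading membership from dscl, not /Users. "ladmin" is a placeholder name.

KEEP="student ladmin"   # accounts allowed to stay in the admin group

# is_authorized NAME: succeeds when NAME may keep admin rights.
is_authorized() {
    case "$1" in
        root|_*) return 0 ;;   # root and _-prefixed system accounts
    esac
    for k in $KEEP; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# unauthorized_admins LINE: LINE is the output of
# "dscl . -read /Groups/admin GroupMembership"; prints one name per line.
unauthorized_admins() {
    case "$1" in
        GroupMembership:*) members="${1#GroupMembership:}" ;;
        *) return 0 ;;         # e.g. "No such key": nobody to demote
    esac
    for u in $members; do
        is_authorized "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample of dscl output, used where dscl is unavailable.
SAMPLE_MEMBERSHIP="GroupMembership: root ladmin 08jdoe bob"

# demote_all MODE: "--dry-run" only lists; "--apply" removes the users
# from the admin group (run as root on the client).
demote_all() {
    if command -v dscl >/dev/null 2>&1; then
        line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    else
        line="$SAMPLE_MEMBERSHIP"
    fi
    for u in $(unauthorized_admins "$line"); do
        echo "demote: $u"
        if [ "$1" = "--apply" ]; then
            dscl . -delete /Groups/admin GroupMembership "$u"
        fi
    done
}

case "$1" in
    --dry-run|--apply) demote_all "$1" ;;
esac
```

Run it with --dry-run first; it only touches the admin group's membership, so home folders and the accounts themselves are left alone.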
2008/12/9 Thomas Larkin <tlarki at kckps.org>
> Well, where to start....
>
> My environment is huge. Over 50 buildings, over 30 servers, over 6,000
> clients with most of them being Macbooks. It is a hassle to manage at
> times. I am not in charge of everything nor am I management, so it puts me
> in a gray area at times when managing the client machines. We have local
> user accounts that have been created that I want gone, however I am not sure
> what the names of those user accounts are. We had a password leak and some
> users promoted their own accounts to admin, and I want to demote them. We
> have a naming convention that starts with their graduation year. So any
> user account under /Users that does not start with a number can be wiped,
> with one exception, the generic local account we created for local log ins
> just in case the network went down. That account is called student. I am
> trying to script something that will scan /Users and wipe out anything that
> does not start with a number. I got some help from a shell scripter a bit
> more advanced than myself and came up with this so far:
>
> #!/bin/bash
>
> keep="student"   # the generic local account that must survive
>
> cd /Users
>
> [[ $(pwd) != "/Users" ]] && echo warning cd failed && exit 2
>
> for a in [^0-9]* ; do # only loop over names that don't start with a number
>
> [[ "$a" == "$keep" ]] && continue # skip that extra local account
>
> [[ "$a" == "Shared" ]] && continue # /Users/Shared is not an account
>
> [[ -d "$a" ]] || continue # nothing matched the glob, or not a folder
>
> /usr/bin/dscl . -delete "/Users/$a" # get rid of the account record
>
> echo "removing user files for $a"
>
> /bin/rm -rf "/Users/$a"
>
> done
>
> I haven't had a lot of time to test it but it basically kills everything
> in /Users except those that start with a number. My next questions are, is
> there a Casper solution to this, and how can I demote local accounts with
> Casper from a local admin to a mobile or managed local user?
>
> Thoughts?
>
> Thanks for anyone brave enough to read this.
>
> Tom
>
> _______________________________________________
> Casper mailing list
> Casper at list.jamfsoftware.com
> http://list.jamfsoftware.com/mailman/listinfo/casper