[Casper] help and possible feature request, managing local users

Thomas Larkin tlarki at kckps.org
Tue Dec 9 12:55:19 PST 2008


OK, I was thinking about just changing the group membership back to
staff, but I guess deleting it from the admin group would probably be
the right move, since in OD they are already staff with their directory
UID and GID. 

As for the policy thing, this is our second year in a 1:1 and yes there
are changes, but like many things in our government, there is a process.
 It is getting better, and next year will be even better because I have
learned a lot from my users.  I have learned to never ever trust a
teenager with technology, hahahahahahaha.   

I will do some tinkering, but it would be nice to maybe have some
flexibility with Casper on something like this.  I think that large
educational deployments would love it, and probably most enterprise
business ones.   

As for my local admin accounts, they all live in /private/var so I can
sudo rm -rf /Users/* all day and it wouldn't affect my local admin
accounts.  

>>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/09/08 2:42 PM >>>
I don't believe there is a Casper way (other than scripting, adding the
script to the JSS and creating a policy) to do what you describe.  In
order to delete an account using the accounts tab you need to know the
short name of the account. 


The script you shared seems like the way to go.  You'll still need to
demote any unauthorized admins.  You can adapt your script to do that. 
I believe the operative bit will be:


dscl . -delete /Groups/admin GroupMembership <shortname>



You can loop through /Users, as in your script.  It is possible that
someone may have been smart enough to move their home directory, so I
might want to look into looping through the local directory service
instead of the /Users folder. 



Change $keep to your local admin account, and remove the numbered
account exclusion since you want to catch "08jdoe" if it is an admin
account. 



As far as not being the boss, I think most of us are in or have been in
that situation.  I suggest getting to know the person/people who *are*
the bosses.  Write up sensible policies and get the boss(es) to sign
them.  I mean print them out and have them actually put a pen to paper. 
A policy document signed by the CIO/Dean/Director/Boss holds more weight
than you or I do. 



This also gives you a great, socially acceptable way out of
confrontational situations where users demand something out of scope. 
With such a signed policy, you should be held to it as well, since the
boss approved it.  Then when you're asked to violate it, you can simply
say that you're not authorized to grant the request.  Provide them with
a copy of the policy document and tell them that this policy was enacted
by "The Boss" (whomever signed the document).  If that doesn't stop them
from trying to get you to violate the policy, you can say something to
the effect of "I understand, technology should serve the goals of the
organization.  If you feel strongly that an exception or change to the
policy is required in this case, I can schedule a time when we can meet
with "The Boss" to discuss it."  I've found that most of the time, this
ends the discussion. 





----------
Miles A. Leacy IV

 Certified System Administrator 10.4
 Certified Technical Coordinator 10.5
 Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com





2008/12/9 Thomas Larkin <tlarki at kckps.org>




Well, where to start.... 


My environment is huge.  Over 50 buildings, over 30 servers, over 6,000
clients, most of them MacBooks.  It is a hassle to manage at
times.  I am not in charge of everything nor am I management, so it puts
me in a gray area at times when managing the client machines.  We have
local user accounts that have been created that I want gone, however I
am not sure what the names of those user accounts are.  We had a
password leak and some users promoted their own accounts to admin, and I
want to demote them.  We have a naming c[...]with a number can be wiped, with one exception, the generic local
account we created for local log ins just in case the network went down.
 That account is called student.  I am trying to script something that
will scan /Users and wipe out anything that does not start with a
number.  I got some help from a bit more advanced shell scripter than
myself and came up with this so far: 


#!/bin/bash

keep="student"

cd /Users || { echo "warning: cd failed"; exit 2; }

for a in [^0-9]* ; do # only loop over names that don't start with a number
    [[ "$a" == "$keep" ]] && continue   # skip that extra local account
    [[ "$a" == "Shared" ]] && continue  # /Users/Shared is a folder, not an account
    [[ -d "$a" ]] || continue           # ignore stray files in /Users
    /usr/bin/dscl . -delete "/Users/$a" # get rid of the account record
    echo "removing user files for $a"
    /bin/rm -rf "/Users/$a"
done


I haven't had a lot of time to test it but it basically kills everything
in /Users except those that start with a number.  My next questions are,
is there a Casper solution to this, and how can I demote local accounts
with Casper from a local admin to a mobile or managed local user? 


Thoughts? 


Thanks for anyone brave enough to read this. 


Tom 


_______________________________________________
Casper mailing list
Casper at list.jamfsoftware.com
http://list.jamfsoftware.com/mailman/listinfo/casper
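Tom's deletion script and Miles's two suggestions (walk the local directory service instead of /Users, since a home directory can be moved, and demote every admin who is not on an allowlist, numbered accounts such as "08jdoe" included) combined into one script. This is an added example, not code from the thread or from Casper. The admin account name "casperadmin", the keep lists and the UID-500 system-account boundary are my assumptions; the sample listing is constructed, not real data. The decision logic is in plain functions so it can be checked without a Mac; the real dscl and rm calls run only when RUN_CLEANUP=1, and with DRY_RUN=0.

```bash
#!/bin/bash
# Added example (not from the thread): enumerate accounts through the local
# directory service instead of /Users, demote admins that are not on an
# allowlist, and delete local accounts whose names do not start with a digit.
# Assumptions (mine): the sanctioned local admin is "casperadmin" (hypothetical
# name), "student" is the network-down fallback account, UID < 500 is a system
# account.

KEEP_USERS="${KEEP_USERS:-student casperadmin}"  # never deleted
KEEP_ADMINS="${KEEP_ADMINS:-casperadmin}"        # never demoted
DRY_RUN="${DRY_RUN:-1}"                           # 1 = only print what would happen

# Constructed sample of "dscl . -list /Users UniqueID" output and of the
# admin group's GroupMembership value (not real data).
SAMPLE_LISTING='_mbsetupuser   248
daemon         1
nobody         -2
root           0
casperadmin    501
student        502
08jdoe         1025
tlarki         1031
localtemp      1040'
SAMPLE_ADMINS='root casperadmin 08jdoe tlarki'

# True when $1 is one of the whitespace-separated words in $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Input: admin group members as one space-separated argument (the value of
# "dscl . -read /Groups/admin GroupMembership" without the label).
# Output: one name per line to remove from the admin group. root always stays,
# KEEP_ADMINS stays, everyone else is demoted, numbered accounts included.
unauthorized_admins() {
    local m
    for m in $1; do
        [ "$m" = root ] && continue
        in_list "$m" "$KEEP_ADMINS" && continue
        printf '%s\n' "$m"
    done
}

# Input on stdin: "name uid" lines, the format of "dscl . -list /Users UniqueID".
# Output: names to delete: UID >= 500, name not starting with a digit, not in
# KEEP_USERS. System accounts (including negative UIDs such as nobody) are
# skipped by UID, so the leading-underscore names need no special case.
accounts_to_delete() {
    local name uid
    while read -r name uid; do
        [ -z "$name" ] && continue
        [ "$uid" -lt 500 ] 2>/dev/null && continue
        case "$name" in [0-9]*) continue ;; esac
        in_list "$name" "$KEEP_USERS" && continue
        printf '%s\n' "$name"
    done
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

main() {
    local name home members
    members=$(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: *//')
    for name in $(unauthorized_admins "$members"); do
        run dscl . -delete /Groups/admin GroupMembership "$name"
    done
    for name in $(dscl . -list /Users UniqueID | accounts_to_delete); do
        # Ask the directory for the real home, so a moved home is still found.
        home=$(dscl . -read "/Users/$name" NFSHomeDirectory | sed 's/^NFSHomeDirectory: *//')
        run dscl . -delete "/Users/$name"
        case "$home" in
            /Users/|/Users/Shared|/Users/Shared/*) ;;   # never remove these
            /Users/*) run rm -rf "$home" ;;
            *) printf 'not removing home %s of %s (outside /Users)\n' "$home" "$name" ;;
        esac
    done
}

# Only act when explicitly asked, and only where dscl exists.
if [ "${RUN_CLEANUP:-0}" = 1 ] && command -v dscl >/dev/null 2>&1; then
    main
fi
```

Run it as RUN_CLEANUP=1 DRY_RUN=1 first and read the planned dscl and rm lines before setting DRY_RUN=0. On releases where admin membership can also be held through the GroupMembers GUID list, dseditgroup -o edit -d NAME -t user admin removes the user from both lists and is the more thorough demotion; the GroupMembership edit is what the thread discusses for 10.5.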




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20081209/c284825b/attachment.htm 

