[Casper] JSS user reporting user as admin dscl says no?
Miles Leacy
miles.leacy at themacadmin.com
Wed Dec 10 13:30:17 PST 2008
Under Leopard (10.5.5), if you have a network account, and check the box in
System Preferences to make it an admin account, the account becomes a member
of the admin group (80) on the local machine.
If you run "dscl . read /Groups/admin" on the same computer, the shortname
of your network account should appear in the "GroupMembership" line of
dscl's output.
I'm not sure I'm understanding the "double entries" part. Can you send a
screenshot of the output you're referring to?
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
On Wed, Dec 10, 2008 at 4:15 PM, Thomas Larkin <tlarki at kckps.org> wrote:
> That is what I thought but wasn't 100% on it. Everyone is part of staff
> (20) but this is reading it off the directory LDAP. So, if a user goes into
> System Preferences, and checks the box that says allow this user to
> administer this computer on their mobile account, will it add the admin
> group, or will it list the user under /Groups/admin on the machine locally?
>
> As far as I can tell it doesn't do either. When I invoke the dscl
> command it lists no one under the /Groups/admin on that machine locally.
> When I run the id command on a user it pulls up their info from LDAP, not
> the local machine.
>
> I guess what I am trying to get to the bottom of is, how do I tell if
> a user has checked the box to flag them as an administrator for just that
> machine in System Preferences? Perhaps that is why I am getting the double
> entries in the JSS inventory?
>
> Thoughts?
>
> Thanks again for reading and helping with this,
>
> Tom
>
> >>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:06 PM >>>
>
> I don't know if I'm misunderstanding your message, but it sounds like
> you're saying that membership in admin (80) is inherited by membership in
> staff (20).
>
>
> I don't believe that's the case. All accounts are members of staff by
> default. Only admin users are members of admin. An account can be a member
> of staff but not be a member of admin.
>
>
> The output is showing you the following:
>
> uid=<the account's user ID> gid=<the account's "primary group ID", as seen
> in Workgroup Manager, Groups tab> # What follows is a list of all of the
> groups that the account in question belongs to, including the "primary
> group". This is why you see "staff" appear twice in the command's
> output. The first instance lets you know what the account's "primary group"
> is, and it appears again when listing all groups that the account is a
> member of.
>
>
> My apologies if I misunderstood your message.
>
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> 2008/12/10 Ryan Harter <rharter at uwsp.edu>
>
>
>> _lpadmin is the CUPS account that correlates to the lpadmin command you
>> find in the terminal. I can't tell you why this account is showing up
>> twice, but since it is a member of the staff group that should make it
>> admin. Our local administrator account is uid=501(adm) gid=20(staff) ...
>>
>>
>> AFAIK the user is not directly a member of the admin group, but staff
>> is, so it's like embedded groups.
>>
>> *Ryan Harter*
>>
>> UW - Stevens Point
>>
>> Workstation Developer
>>
>> 715.346.2716
>>
>> Ryan.Harter at uwsp.edu
>>
>>
>>
>> On Dec 10, 2008, at 2:08 PM, Thomas Larkin wrote:
>>
>>
>>
>> everyone,
>>
>>
>> So a user has a true flag under their account in the JSS for the
>> inventory of that machine, I will just copy/paste an example, sorry if it
>> doesn't format correctly.
>>
>>
>> User in the JSS shows this:
>>
>> Username | Real Name | UID | Home Directory | Home Directory Size | Admin | File Vault Enabled
>>
>> Mia Green 22221 /Users/11miagre 5.28 GB true false
>>
>> 11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
>>
>> student KCK Student 505 /Local/Users/student N/A false false
>>
>>
>> For some reason it shows the user name twice and on the top one it says
>> True False, the First True being the admin flag
>>
>>
>> Now, when I ssh into said client machine and do some digging I find
>> this:
>>
>>
>> id 11miagre
>>
>> uid=22221(11miagre) gid=20(staff)
>> groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)
>>
>>
>> GID 98 shows as _lpadmin what the heck is that? Google says it
>> configures the print system, so I must assume it is a daemon from the OS?
>>
>>
>> Anyone else see this stuff? Also dscl does not list this user under
>> /Groups/admin either
>>
>>
>> Thanks
>>
>>
>> ___________________________
>> Thomas Larkin
>> TIS Department
>> KCKPS USD500
>> tlarki at kckps.org
>> blackberry: 913-449-7589
>> office: 913-627-0351
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Casper mailing list
>> Casper at list.jamfsoftware.com
>> http://list.jamfsoftware.com/mailman/listinfo/casper
>>
>>
>
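Added example, not part of the original thread: a shell script that runs the two checks discussed above over captured text, reading the primary group and the full group list out of an `id` line and looking for a shortname on the "GroupMembership" line of `dscl . read /Groups/admin`. The function names are hypothetical and the two dscl outputs are constructed samples; the `id` line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any tool in the thread.

# The `id` line quoted in the thread.
ID_OUT='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)'

# Constructed `dscl . read /Groups/admin` output: before and after the
# System Preferences admin box is ticked for the network account.
DSCL_BEFORE='GroupMembership: root localadmin
PrimaryGroupID: 80
RecordName: admin'
DSCL_AFTER='GroupMembership: root localadmin 11miagre
PrimaryGroupID: 80
RecordName: admin'

# Print the numeric primary group ID (the gid= field) from an id line.
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p'
}

# Succeed if numeric gid $2 appears in the groups= list of id line $1.
id_has_gid() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' | grep "^$2(" >/dev/null
}

# Succeed if shortname $2 is an exact entry on the GroupMembership line.
dscl_lists_member() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit !found }'
}

# Admin means gid 80 in the id list or the shortname in the local admin group.
is_local_admin() {
    id_has_gid "$1" 80 || dscl_lists_member "$2" "$3"
}

for dscl_out in "$DSCL_BEFORE" "$DSCL_AFTER"; do
    if is_local_admin "$ID_OUT" "$dscl_out" 11miagre; then
        echo "11miagre: local admin"
    else
        echo "11miagre: not a local admin (primary gid $(primary_gid "$ID_OUT"))"
    fi
done
```

On a live machine, feed the functions the real output of `id <shortname>` and `dscl . read /Groups/admin` instead of the sample strings.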