[Casper] JSS user reporting user as admin dscl says no?
Mark Hughes
mahughe at kckps.org
Wed Dec 10 13:36:02 PST 2008
Mark Hughes, Apple Technician
TIS Department, KCKPS USD500
Cell 913-449-7791
mahughe at kckps.org
>>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:31 PM >>>
Under Leopard (10.5.5), if you have a network account, and check the box in
System Preferences to make it an admin account, the account becomes a member
of the admin group (80) on the local machine.
If you run "dscl . read /Groups/admin" on the same computer, the shortname
of your network account should appear in the "GroupMembership" line of
dscl's output.
I'm not sure I'm understanding the "double entries" part. Can you send a
screenshot of the output you're referring to?
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
On Wed, Dec 10, 2008 at 4:15 PM, Thomas Larkin <tlarki at kckps.org> wrote:
> That is what I thought but wasn't 100% on it. Everyone is part of staff
> (20) but this is reading it off the directory LDAP. So, if a user goes into
> System Preferences, and checks the box that says allow this user to
> administer this computer on their mobile account, will it add the admin
> group, or will it list the user under /Groups/admin on the machine locally?
>
> As far as I can tell it doesn't do either. When I invoke the dscl
> command it lists no one under the /Groups/admin on that machine locally.
> When I run the id command on a user it pulls up their info from LDAP, not
> the local machine.
>
> I guess what I am trying to get to the bottom of is, how do I tell if
> a user has checked the box to flag them as an administrator for just that
> machine in System Preferences? Perhaps that is why I am getting the double
> entries in the JSS inventory?
>
> Thoughts?
>
> Thanks again for reading and helping with this,
>
> Tom
>
> >>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:06 PM >>>
>
> I don't know if I'm misunderstanding your message, but it sounds like
> you're saying that membership in admin (80) is inherited by membership in
> staff (20).
>
> I don't believe that's the case. All accounts are members of staff by
> default. Only admin users are members of admin. An account can be a member
> of staff but not be a member of admin.
>
> The output is showing you the following:
>
> uid=<the account's user ID> gid=<the account's "primary group ID", as seen
> in Workgroup Manager, Groups tab> # What follows is a list of all of the
> groups that the account in question belongs to, including the "primary
> group". This is why you see "staff" appear twice in the command's
> output. The first instance lets you know what the account's "primary group"
> is, and it appears again when listing all groups that the account is a
> member of.
>
>
> My apologies if I misunderstood your message.
>
>
> ----------
> Miles A. Leacy IV
>
> Certified System Administrator 10.4
> Certified Technical Coordinator 10.5
> Certified Trainer
> Certified Casper Administrator
> ----------
> voice: 1-347-277-7321
> miles.leacy at themacadmin.com
> www.themacadmin.com
>
>
>
>
> 2008/12/10 Ryan Harter <rharter at uwsp.edu>
>
>> _lpadmin is the CUPS account that correlates to the lpadmin command you
>> find in the terminal. I can't tell you why this account is showing up
>> twice, but since it is a member for the staff group that should make it
>> admin. Our local administrator account is uid=501(adm) gid=20(staff) ...
>>
>> AFAIK the user is not directly a member of the admin group, but staff
>> is, so it's like embedded groups.
>>
>> *Ryan Harter*
>>
>> UW - Stevens Point
>>
>> Workstation Developer
>>
>> 715.346.2716
>>
>> Ryan.Harter at uwsp.edu
>>
>>
>>
>> On Dec 10, 2008, at 2:08 PM, Thomas Larkin wrote:
>>
>>
>>
>> everyone,
>>
>>
>> So a user has a true flag unde
>> User in the JSS shows this:
>>
>> Username | Real Name | UID | Home Directory | Home Directory Size | Admin | File Vault Enabled
>>
>> Mia Green 22221 /Users/11miagre 5.28 GB true false
>> 11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
>> student KCK Student 505 /Local/Users/student N/A false false
>>
>> For some reason it shows the user name twice and on the top one it says
>> True False, the First True being the admin flag
>>
>>
>> Now, when I ssh into said client machine and do some digging I find
>> this:
>>
>>
>> id 11miagre
>>
>> uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)
>>
>> GID 98 shows as _lpadmin what the heck is that? Google says it
>> configures the print system, so I must assume it is a daemon from the OS?
>>
>> Anyone else see this stuff? Also dscl does not list this user under
>> /Groups/admin either
>>
>>
>> Thanks
>>
>>
>> ___________________________
>> Thomas Larkin
>> TIS Department
>> KCKPS USD500
>> tlarki at kckps.org
>> blackberry: 913-449-7589
>> office: 913-627-0351
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Picture 5.png
Type: image/png
Size: 103212 bytes
Desc: Portable Network Graphics Format
Url : http://list.jamfsoftware.com/pipermail/casper/attachments/20081210/d9c70be3/attachment-0001.png
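
The two checks discussed in this thread (the "GroupMembership" line of `dscl . read /Groups/admin`, and the group list printed by `id`) can be combined into one audit helper. This is an added example, not code from any poster or from Casper; the function names, the `ladmin` and `jdoe` accounts and the dscl sample are constructed, and the `id` line for 11miagre is the one quoted in the thread.

```shell
#!/bin/sh
# Constructed `dscl . read /Groups/admin` output; "ladmin" is a made-up account.
SAMPLE_DSCL='GroupMembership: root ladmin
PrimaryGroupID: 80
RecordName: admin'

# The `id 11miagre` line quoted in the thread.
THREAD_ID='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)'

# Constructed `id` line for an account whose resolved groups include admin (80).
SAMPLE_ID_ADMIN='uid=1031(jdoe) gid=20(staff) groups=20(staff),80(admin)'

# in_group_membership SHORTNAME
# Reads dscl output on stdin; succeeds only if SHORTNAME is an exact,
# whole-word entry on the GroupMembership line ("admin" must not match "ladmin").
in_group_membership() {
    awk -v u="$1" '
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# id_has_gid GID
# Reads `id` output on stdin; succeeds if the groups= list holds that numeric
# GID. The pattern is anchored so 20 does not match 1020.
id_has_gid() {
    sed -n 's/.*groups=//p' | tr ',' '\n' | grep -q "^$1("
}

# admin_status DSCL_OUTPUT ID_OUTPUT SHORTNAME
# Prints one of:
#   direct         shortname is listed in the local admin GroupMembership
#   resolved-only  id reports gid 80 but the local record does not list the user
#   none           neither check shows admin membership
admin_status() {
    if printf '%s\n' "$1" | in_group_membership "$3"; then
        echo direct
    elif printf '%s\n' "$2" | id_has_gid 80; then
        echo resolved-only
    else
        echo none
    fi
}

# On a Mac (not run here):
#   u=11miagre; admin_status "$(dscl . read /Groups/admin)" "$(id "$u")" "$u"
```

For the `id` line quoted in the thread the helper prints `none`: gid 20 (staff) and gid 98 (_lpadmin) are present, gid 80 is not.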