<html>
<head>
<style type="text/css">
<!--
body { line-height: normal; margin-bottom: 1px; font-variant: normal; margin-right: 4px; margin-left: 4px; margin-top: 4px }
p { margin-bottom: 0; margin-top: 0 }
-->
</style>
</head>
<body>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">OK, I was thinking about just changing the group membership back to staff, but I guess deleting it from the admin group would probably be the right move, since in OD they are already staff with their directory UID and GID.</font> </p>
<br>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">As for the policy thing, this is our second year in a 1:1 and yes there are changes, but like many things in our government, there is a process. It is getting better, and next year will be even better because I have learned a lot from my users. I have learned to never ever trust a teenager with technology, hahahahahahaha. </font> </p>
<br>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">I will do some tinkering, but it would be nice to maybe have some flexibility with Casper on something like this. I think that large educational deployments would love it, and probably most enterprise business ones. </font> </p>
<br>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">As for my local admin accounts, they all live in /private/var so I can sudo rm -rf /Users/* all day and it wouldn't affect my local admin accounts. </font><br><br>>>> "Miles Leacy" <miles.leacy@themacadmin.com> 12/09/08 2:42 PM >>><br>I don't believe there is a Casper way (other than scripting, adding the script to the JSS and creating a policy) to do what you describe.  In order to delete an account using the accounts tab you need to know the short name of the account. </p>
<div>
<p style="margin-top: 0; margin-bottom: 0">
The script you shared seems like the way to go.  You'll still need to demote any unauthorized admins.  You can adapt your script to do that.  I believe the operative bit will be:<br><br> </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<code>dscl . -delete /Groups/admin GroupMembership &lt;shortname&gt;</code> </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
You can loop through /Users, as in your script.  It is possible that someone may have been smart enough to move their home directory, so I might want to look into looping through the local directory service instead of the /Users folder. </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
Change $keep to your local admin account, and remove the numbered account exclusion since you want to catch "08jdoe" if it is an admin account. </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
As far as not being the boss, I think most of us are in or have been in that situation.  I suggest getting to know the person/people who *are* the bosses.  Write up sensible policies and get the boss(es) to sign them.  I mean print them out and have them actually put a pen to paper.  A policy document signed by the CIO/Dean/Director/Boss holds more weight than you or I do. </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
This also gives you a great, socially acceptable way out of confrontational situations where users demand something out of scope.  With such a signed policy, you should be held to it as well, since the boss approved it.  Then when you're asked to violate it, you can simply say that you're not authorized to grant the request.  Provide them with a copy of the policy document and tell them that this policy was enacted by "The Boss" (whomever signed the document).  If that doesn't stop them from trying to get you to violate the policy, you can say something to the effect of "I understand, technology should serve the goals of the organization.  If you feel strongly that an exception or change to the policy is required in this case, I can schedule a time when we can meet with "The Boss" to discuss it."  I've found that most of the time, this ends the discussion. </p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
<div>
<p style="margin-top: 0; margin-bottom: 0">
----------<br>Miles A. Leacy IV<br><br> Certified System Administrator 10.4<br> Certified Technical Coordinator 10.5<br> Certified Trainer<br>Certified Casper Administrator<br>----------<br>voice: 1-347-277-7321<br><a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a><br><a href="http://www.themacadmin.com">www.themacadmin.com</a><br><br><br><br><br> </p>
<div class="gmail_quote">
<p style="margin-top: 0; margin-bottom: 0">
2008/12/9 Thomas Larkin </p>
<div dir="ltr">
<p style="margin-top: 0; margin-bottom: 0">
<<a href="mailto:tlarki@kckps.org">tlarki@kckps.org</a>> </p>
</div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<blockquote class="gmail_quote" style="border-left: 1px #ccc solid; margin-bottom: 0; padding-left: 0; margin-right: 0; margin-left: 0; margin-top: 0">
<div>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">Well, where to start....</font> </p>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">My environment is huge.  Over 50 buildings, over 30 servers over 6,000 clients with most of them being Macbooks.  It is a hassle to manage at times.  I am not in charge of everything nor am I management, so it puts me in a gray area at times when managing the client machines.  We have local user accounts that have been created that I want gone, however I am not sure what the names of those user accounts are.  We had a password leak and some users promoted their own accounts to admin, and I want to demote them.  We have a naming convention that starts with their graduation year.  So any user account under /Users that does not start with a number can be wiped, with one exception, the generic local account we created for local log ins just in case the network went down.  That account is called student.  I am trying to script something that will scan /Users and wipe out anything that does not start with a number.  I got some help from a bit more advanced shell scripter than myself and came up with this so far:</font> </p>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<pre>
#!/bin/bash

keep="student"

cd /Users
[[ $(pwd) != "/Users" ]] && echo "warning: cd failed" && exit 2

shopt -s nullglob   # with no match, do not loop over the literal pattern

for a in [^0-9]* ; do # only loop over names that don't start with a number
    [[ "$a" == "$keep" ]] && continue # skip that extra local account
    [[ "$a" == "Shared" ]] && continue # /Users/Shared is not an account
    /usr/bin/dscl . -delete "/Users/$a" # get rid of the account record
    echo "removing user files for $a"
    /bin/rm -rf "/Users/$a"
done
</pre>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">I haven't had a lot of time to test it but it basically kills everything in /Users except those that start with a number.  My next questions are, is there a Casper solution to this, and how can I demote local accounts with Casper from a local admin to a mobile or managed local user?</font> </p>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">Thoughts?</font> </p>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">Thanks for anyone brave enough to read this.</font> </p>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
<p style="margin-top: 0; margin-bottom: 0">
<font face="Lucida Grande" size="3">Tom</font> </p>
</div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
_______________________________________________<br>Casper mailing list<br><a href="mailto:Casper@list.jamfsoftware.com">Casper@list.jamfsoftware.com</a><br><a href="http://list.jamfsoftware.com/mailman/listinfo/casper" target="_blank">http://list.jamfsoftware.com/mailman/listinfo/casper</a><br><br> </p>
</blockquote>
</div>
<p style="margin-top: 0; margin-bottom: 0">
<br>
</p>
</div>
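<p>An added example of the approach Miles describes above (not code from the thread): it enumerates accounts through the local directory service rather than /Users, so a moved home directory does not hide an account, and demotes every admin group member except the sanctioned local admin. The account name "localadmin" is an assumption; the first two functions are plain filters, and only the apply function touches dscl.</p>

```shell
#!/bin/sh
# Added example, not code from the thread: enumerate accounts through
# the local directory service instead of /Users (so a moved home does
# not hide an account) and demote every admin except the sanctioned one.
keep="localadmin"   # assumed name of the sanctioned local admin account
student="student"   # the generic local login account from the thread

# Read "name uid" lines (the output format of `dscl . -list /Users UniqueID`)
# and print the accounts to remove: real users (UID 500 and up) whose
# name does not start with a number and is not one of the keepers.
accounts_to_delete() {
    while read -r name uid; do
        [ -z "$name" ] && continue
        [ "$uid" -lt 500 ] && continue            # root, daemon, _services
        [ "$name" = "$keep" ] && continue
        [ "$name" = "$student" ] && continue
        case "$name" in [0-9]*) continue ;; esac  # follows the naming convention
        echo "$name"
    done
}

# Print the admin group members to demote. There is no numbered
# exclusion here, so a promoted "08jdoe" is caught as well.
admins_to_demote() {
    for m in "$@"; do
        [ "$m" = "root" ] && continue
        [ "$m" = "$keep" ] && continue
        echo "$m"
    done
}

# macOS only: apply both decisions with dscl. Not run unless --apply is given.
apply() {
    for a in $(/usr/bin/dscl . -list /Users UniqueID | accounts_to_delete); do
        home=$(/usr/bin/dscl . -read "/Users/$a" NFSHomeDirectory | awk '{print $2}')
        /usr/bin/dscl . -delete "/Users/$a"
        case "$home" in /Users/?*) /bin/rm -rf "$home" ;; esac  # never rm / or ""
    done
    members=$(/usr/bin/dscl . -read /Groups/admin GroupMembership | cut -d: -f2)
    for m in $(admins_to_demote $members); do
        /usr/bin/dscl . -delete /Groups/admin GroupMembership "$m"
    done
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```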
</body>
</html>