That is interesting. I'd contact JAMF support and ask about it. Let me know what they say.<div><br></div><div>My guess is that whatever method is used to gather the local account info via Recon either has a bug or is running into a bug in the Mac OS.<br clear="all">
<br>----------<br>Miles A. Leacy IV<br><br> Certified System Administrator 10.4<br> Certified Technical Coordinator 10.5<br> Certified Trainer<br>Certified Casper Administrator<br>----------<br>voice: 1-347-277-7321<br>
<a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a><br><a href="http://www.themacadmin.com">www.themacadmin.com</a><br><br><br>
<br><br><div class="gmail_quote">On Wed, Dec 10, 2008 at 4:36 PM, Mark Hughes <span dir="ltr"><<a href="mailto:mahughe@kckps.org">mahughe@kckps.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Mark Hughes, Apple Technician<br>
TIS Department, KCKPS USD500<br>
Cell 913-449-7791<br>
<a href="mailto:mahughe@kckps.org">mahughe@kckps.org</a><br>
>>> "Miles Leacy" <<a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a>> 12/10/08 3:31 PM >>><br>
<div class="Ih2E3d">Under Leopard (10.5.5), if you have a network account, and check the box in System Preferences to make it an admin account, the account becomes a member of the admin group (80) on the local machine.<br>
<br>
If you run "dscl . read /Groups/admin" on the same computer, the shortname of your network account should appear in the "GroupMembership" line of dscl's output.<br>
<br>
I'm not sure I'm understanding the "double entries" part. Can you send a screenshot of the output you're referring to?<br>
<br>
----------<br>
Miles A. Leacy IV<br>
<br>
Certified System Administrator 10.4<br>
Certified Technical Coordinator 10.5<br>
Certified Trainer<br>
Certified Casper Administrator<br>
----------<br>
voice: 1-347-277-7321<br>
<a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a><br>
<a href="http://www.themacadmin.com" target="_blank">www.themacadmin.com</a><br>
<br>
<br>
<br>
<br>
</div><div><div></div><div class="Wj3C7c">On Wed, Dec 10, 2008 at 4:15 PM, Thomas Larkin <<a href="mailto:tlarki@kckps.org">tlarki@kckps.org</a>> wrote:<br>
<br>
> That is what I thought but wasn't 100% on it. Everyone is part of staff (20) but this is reading it off the directory LDAP. So, if a user goes into System Preferences, and checks the box that says allow this user to administer this computer on their mobile account, will it add the admin group, or will it list the user under /Groups/admin on the machine locally?<br>
><br>
> As far as I can tell it doesn't do either. When I invoke the dscl command it lists no one under the /Groups/admin on that machine locally. When I run the id command on a user it pulls up their info from LDAP, not the local machine.<br>
><br>
> I guess what I am trying to get to the bottom of is, how do I tell if a user has checked the box to flag them as an administrator for just that machine in System Preferences? Perhaps that is why I am getting the double entries in the JSS inventory?<br>
><br>
> Thoughts?<br>
><br>
> Thanks again for reading and helping with this,<br>
><br>
> Tom<br>
><br>
> >>> "Miles Leacy" <<a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a>> 12/10/08 3:06 PM >>><br>
><br>
> I don't know if I'm misunderstanding your message, but it sounds like you're saying that membership in admin (80) is inherited by membership in staff (20).<br>
><br>
><br>
> I don't believe that's the case. All accounts are members of staff by default. Only admin users are members of admin. An account can be a member of staff but not be a member of admin.<br>
><br>
><br>
> The output is showing you the following:<br>
><br>
> uid=<the account's user ID> gid=<the account's "primary group ID", as seen in Workgroup Manager, Groups tab> # What follows is a list of all of the groups that the account in question belongs to, including the "primary group". This is why you see "staff" appear twice in the command's output. The first instance lets you know what the account's "primary group" is, and it appears again when listing all groups that the account is a member of.<br>
><br>
><br>
> My apologies if I misunderstood your message.<br>
><br>
><br>
> ----------<br>
> Miles A. Leacy IV<br>
><br>
> Certified System Administrator 10.4<br>
> Certified Technical Coordinator 10.5<br>
> Certified Trainer<br>
> Certified Casper Administrator<br>
> ----------<br>
> voice: 1-347-277-7321<br>
> <a href="mailto:miles.leacy@themacadmin.com">miles.leacy@themacadmin.com</a><br>
> <a href="http://www.themacadmin.com" target="_blank">www.themacadmin.com</a><br>
><br>
><br>
><br>
><br>
</div></div><div class="Ih2E3d">> 2008/12/10 Ryan Harter<br>
><br>
> <<a href="mailto:rharter@uwsp.edu">rharter@uwsp.edu</a>><br>
><br>
><br>
>> _lpadmin is the CUPS account that correlates to the lpadmin command you find in the terminal. I can't tell you why this account is showing up twice, but since it is a member of the staff group that should make it admin. Our local administrator account is uid=501(adm) gid=20(staff) ...<br>
>><br>
>><br>
>> AFAIK the user is not directly a member of the admin group, but staff is, so it's like embedded groups.<br>
>><br>
>> *<br>
>> Ryan Harter*<br>
>><br>
>> UW - Stevens Point<br>
>><br>
>> Workstation Developer<br>
>><br>
>> 715.346.2716<br>
>><br>
>> <a href="mailto:Ryan.Harter@uwsp.edu">Ryan.Harter@uwsp.edu</a><br>
>><br>
>><br>
>><br>
>> On Dec 10, 2008, at 2:08 PM, Thomas Larkin wrote:<br>
>><br>
>><br>
>><br>
>> everyone,<br>
>><br>
>><br>
</div>>> So a user has a true flag unde>> User in the JSS shows this:<br>
<div><div></div><div class="Wj3C7c">>><br>
>> Username<br>
>><br>
>> Real Name<br>
>><br>
>> UID<br>
>><br>
>> Home Directory<br>
>><br>
>> Home Directory Size<br>
>><br>
>> Admin<br>
>><br>
>> File Vault Enabled<br>
>><br>
>> Mia Green 22221 /Users/11miagre 5.28 GB true false<br>
>><br>
>> 11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false<br>
>><br>
>> student KCK Student 505 /Local/Users/student N/A false false<br>
>><br>
>><br>
>> For some reason it shows the user name twice and on the top one it says True False, the First True being the admin flag<br>
>><br>
>><br>
>> Now, when I ssh into said client machine and do some digging I find this:<br>
>><br>
>><br>
>> id 11miagre<br>
>><br>
>> uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)<br>
>><br>
>><br>
>> GID 98 shows as _lpadmin what the heck is that? Google says it configures the print system, so I must assume it is a daemon from the OS?<br>
>><br>
>><br>
>> Anyone else see this stuff? Also dscl does not list this user under /Groups/admin either<br>
>><br>
>><br>
>> Thanks<br>
>><br>
>><br>
>> ___________________________<br>
>> Thomas Larkin<br>
>> TIS Department<br>
>> KCKPS USD500<br>
>> <a href="mailto:tlarki@kckps.org">tlarki@kckps.org</a><br>
>> blackberry: 913-449-7589<br>
>> office: 913-627-0351<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div>
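The two checks discussed in this thread (the groups list printed by id, and the GroupMembership line of the local admin group read with dscl), as an added example that is not part of the original messages. The function names are hypothetical, the id sample is the output quoted in the thread, and the dscl sample is constructed; treating either source as sufficient for "admin" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: decide admin status from `id` and `dscl` output.
# Sample strings are embedded so the script runs on any POSIX shell;
# on a Mac, pass the functions live command output instead.

# `id` output quoted in the thread (network account, no admin group).
ID_SAMPLE='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)'

# Constructed `dscl . read /Groups/admin GroupMembership` output, as it
# would look once the System Preferences box is ticked for 11miagre.
DSCL_SAMPLE='GroupMembership: root adm 11miagre'

# Print the numeric GIDs from the groups= field of `id`, one per line.
# Assumes group names contain no spaces, as in the thread's output.
gids_from_id() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' | sed 's/(.*//'
}

# Succeeds only if GID $2 is listed; staff (20) never implies admin (80).
id_has_gid() {
    gids_from_id "$1" | grep -Fqx "$2"
}

# Succeeds if short name $2 is on the GroupMembership line in $1.
dscl_lists_member() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' |
        tr ' ' '\n' | grep -Fqx "$2"
}

# Report "admin" or "standard"; args: id output, dscl output, short name.
admin_status() {
    if id_has_gid "$1" 80 || dscl_lists_member "$2" "$3"; then
        echo admin
    else
        echo standard
    fi
}

admin_status "$ID_SAMPLE" "$DSCL_SAMPLE" 11miagre
```

On a managed Mac the inputs would be the output of `id` for the short name and of the dscl read of /Groups/admin shown in the thread, collected on the client itself so the local node is what gets queried.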