This is a quick script that will create a local admin user on an Apple OS X client. Why is this useful? If you are establishing a managed Mac client system (e.g. salt, puppet, munki, absolute, god forbid SCCM) for the first time and have no existing tools and need to begin enrolling clients, this is a great one-off script that will save you 5 mi…

set_osx_admin.py

#!/usr/bin/python

import datetime
import os
import subprocess
import re
import random
import logging

fullname = "John Appleseed"
accountname = "jappleseed"

log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)

fh = logging.FileHandler('/tmp/setadmin.log')
fh.setLevel(logging.DEBUG)

ch = logging.StreamHandler()
ch.setLevel(logging.DEBUG)

formatter = logging.Formatter('[%(asctime)s] [%(name)s] [%(levelname)s] %(message)s')
fh.setFormatter(formatter)
ch.setFormatter(formatter)

log.addHandler(fh)
log.addHandler(ch)

def sh(script):
    """
    Opens bash shell subprocess; returns stdout(0), stderr(1), PID(2), and returncode(3) in a respective list
    """

    log.debug('> sh(%s)' % script)
    p = subprocess.Popen(script, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()

    ret = [out, err, p.pid, p.returncode]
    log.debug('< sh: %s' % ret)
    return ret

def rand(i=128):
    """
    Generate random long of i length
    """
    log.debug('> rand(%s)' % i)
    ret = "%032x" % random.getrandbits(i)
    
    log.debug('< rand: %s' % ret)
    return ret

def verify_account_name(name):
    """
    Pass an account name as argument to check if it already exists or not via dscl filtering
    """

    lookup = sh("sudo dscl . -list /Users")
    
    for i in lookup[0].splitlines():
        match = re.match(r'^%s$' % name, i)
        if match:
            print("Account Name %s already exists as: %s" % (name, match.group(0)))
            return True

    return False

def verify_unique_id(uid):
    """
    Pass a UID as argument to check if it already exists or not via dscl filtering
    """

    lookup = sh("sudo dscl . -list /Users UniqueID")

    for i in lookup[0].splitlines():
        match = re.match(r'^\w+[ ]+(%s)$' % uid, i)
        if match:
            print("UID %s already exists as: %s" % (uid, match.group(1)))
            return True

    return False

def create_account(create_fullname, create_accountname):
    """
    Create account by verifying uniqueness of account name and UID, then run shell commands to make account.
    Returns True when done
    """

    if verify_account_name(create_accountname):
        return True
    
    create_uid = int(float(sh("sudo dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1")[0])) + 1
    verify_unique_id(create_uid)

    make_account = (
        "sudo dscl . -create /Users/%(accountname)s",
        "sudo dscl . -create /Users/%(accountname)s UserShell /bin/bash",
        "sudo dscl . -create /Users/%(accountname)s RealName \"%(fullname)s\"",
        "sudo dscl . -create /Users/%(accountname)s UniqueID \"%(uid)s\"",
        "sudo dscl . -create /Users/%(accountname)s PrimaryGroupID 20",
        "sudo dscl . -create /Users/%(accountname)s NFSHomeDirectory /Users/%(accountname)s",
        "sudo dscl . -passwd /Users/%(accountname)s \"%(password)s\"",
        "sudo dscl . -append /Groups/admin GroupMembership%(accountname)s",
        "sudo dscl . -append /Groups/_appserveradm GroupMembership%(accountname)s",
        "sudo dscl . -append /Groups/_appserverusr GroupMembership%(accountname)s"
    )

    for i in make_account:
        sh(i % {
            "accountname": create_accountname,
            "fullname": create_fullname,
            "uid": create_uid,
            "password": rand()
        })

    return True

def main():
    create_account(fullname, accountname)

if __name__ == '__main__':
    main()