@patgmac
Last active December 15, 2017 01:25
#!/bin/bash
# checkUsersWithoutSecureToken.sh
#
# Purpose: Determines which local users do not have a Secure Token on High Sierra (10.13) and later.
# A user without a Secure Token cannot grant one to other users via sysadminctl, so the
# accounts reported here are the ones that will not be able to add other token holders.
# Output is wrapped in <result></result> so the script can run as a Jamf extension attribute.
#
# Written by: Patrick Gallagher

# Check if this is a pairing workstation (the marker plist is site-specific)
if [[ ! -f /var/sandbox/com.homedepot.pairedprogramming.plist ]]; then
    # not a PP workstation
    echo "<result>N/A</result>"
    exit 0
fi

# Secure Token only exists on 10.13 and later. Compare major and minor separately:
# looking at the second field alone would misread a release such as 11.6 as "6".
OSmajor=$( sw_vers -productVersion | cut -d. -f1 )
OSminor=$( sw_vers -productVersion | cut -d. -f2 )
if [[ "$OSmajor" -eq 10 && "$OSminor" -le 12 ]]; then
    echo "<result>N/A</result>"
    exit 0
fi

# Accounts that are expected to lack a token and should not be reported
except=('casperadmin' 'mfe')
list=()

# Returns 0 if $1 exactly matches one of the excepted account names.
# An exact comparison is used so that a name containing an excepted name
# as a substring (e.g. "mfeadmin") is still reported.
is_excepted() {
    local name="$1" e
    for e in "${except[@]}"; do
        [[ "$name" == "$e" ]] && return 0
    done
    return 1
}

# Generate the list of local users (UID > 500) that do not have a Secure Token.
# A tokened account carries ";SecureToken;" in its AuthenticationAuthority attribute;
# stderr is captured too so a missing attribute simply reads as "no token".
for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do
    TestAdminToken=$( dscl . -read "/Users/$username" AuthenticationAuthority 2>&1 )
    if [[ "$TestAdminToken" != *SecureToken* ]] && ! is_excepted "$username"; then
        # Any reported accounts are added to the array list
        list+=("$username")
    fi
done

# Prints the array's contents, space-separated
echo "<result>${list[*]}</result>"
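The three decisions the gist makes (is this OS new enough, does this account's AuthenticationAuthority carry a Secure Token, is the account on the exception list) can only be exercised on a Mac with dscl and sw_vers. The following is an added example, not part of the gist, that pulls those decisions into functions that take their input as arguments so the logic can be checked offline. The account records are constructed (made-up names and hashes) in the shape that `dscl . -read /Users/<name> AuthenticationAuthority` prints; the `svc` line imitates the error text dscl emits when the attribute is absent, which the gist treats as "no token" by capturing stderr. The exception check is an exact name match, so an account such as mfeadmin is not hidden by the shorter excepted name mfe.

```bash
#!/bin/bash
# Added example: offline-testable versions of the checks in checkUsersWithoutSecureToken.sh.

# Accounts that should never be reported (same list as the gist)
except=('casperadmin' 'mfe')

# Returns 0 when the AuthenticationAuthority text ($1) shows a Secure Token.
# dscl prints ";SecureToken;" as one of the authority entries for tokened accounts.
has_secure_token() {
    [[ "$1" == *SecureToken* ]]
}

# Returns 0 when a sw_vers productVersion string ($1, e.g. "10.13.1") is 10.13 or later.
# Major and minor are parsed separately so "11.6" is not misread as minor version 6 of 10.x.
secure_token_supported() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    if [[ "$major" -gt 10 ]]; then
        return 0
    fi
    [[ "$major" -eq 10 && "$minor" -ge 13 ]]
}

# Returns 0 when $1 is exactly one of the excepted account names.
is_excepted() {
    local name="$1" e
    for e in "${except[@]}"; do
        [[ "$name" == "$e" ]] && return 0
    done
    return 1
}

# $1: lines of "name|AuthenticationAuthority text", one account per line
# (the "|" separator is an assumption of this example; dscl itself is not involved).
# Prints the space-separated names that lack a token and are not excepted.
users_without_token() {
    local name aa out=()
    while IFS='|' read -r name aa; do
        [[ -z "$name" ]] && continue
        if ! has_secure_token "$aa" && ! is_excepted "$name"; then
            out+=("$name")
        fi
    done <<< "$1"
    echo "${out[*]}"
}

# Constructed sample records (made-up account names; hashes replaced with 0000).
SAMPLE_USERS=$(printf '%s\n' \
  'admin|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;admin@LKDC:SHA1.0000;LKDC:SHA1.0000; ;SecureToken;' \
  'dev2|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;Kerberosv5;;dev2@LKDC:SHA1.0000;LKDC:SHA1.0000;' \
  'mfe|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;mfe@LKDC:SHA1.0000;LKDC:SHA1.0000;' \
  'mfeadmin|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;mfeadmin@LKDC:SHA1.0000;LKDC:SHA1.0000;' \
  'svc|No such key: AuthenticationAuthority')

# Stand-alone run: reports dev2, mfeadmin and svc; admin has a token and mfe is excepted.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    if secure_token_supported "10.13.1"; then
        echo "<result>$(users_without_token "$SAMPLE_USERS")</result>"
    else
        echo "<result>N/A</result>"
    fi
fi
```

On a real machine the record text for each account would come from `dscl . -read "/Users/$username" AuthenticationAuthority 2>&1`, exactly as the gist collects it; the functions above only replace how that text is classified.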