Archive

Archive for March 9, 2013

Checking for accounts with Remote Management rights

March 9, 2013 3 comments

Something a number of Mac admins need to know about the Macs in their environment is being able to detect which accounts have remote management rights on a particular Mac. Crafty users can be inventive about finding ways to grant themselves remote management rights, so admins need to be just as perceptive about identifying which accounts have remote management rights.

To help with the task of identifying which accounts have remote management rights, I’ve written a script to detect which local accounts had remote rights on a particular Mac.


#!/bin/sh

# Determines if the Remote Management settings are set
# for "All Users" or for "Only these users:" in System
# Preferences' Sharing preference pane

ARD_ALL_LOCAL=`/usr/bin/defaults read /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers`

# Lists all local user accounts on the Mac with a UID 
# of greater or equal to 500 and less than 1024. This 
# should exclude all system accounts and network accounts
# 
# List is displayed if the "All Users" setting is 
# set in the Remote Management settings.

ALL_ID500_PLUS_LOCAL_USERS=`/usr/bin/dscl . list /Users UniqueID | awk '$2 >= 500 && $2 < 1024 { print $1; }'`

# Lists all user accounts on the Mac that have been given
# explicit Remote Management rights. List is displayed if 
# the "Only these users:" setting is set in the Remote 
# Management settings.

REMOTE_MANAGEMENT_ENABLED_USERS=`/usr/bin/dscl . list /Users naprivs | awk '{print $1}'`


if [ "$ARD_ALL_LOCAL" = "1" ]; then
        result=$ALL_ID500_PLUS_LOCAL_USERS
elif [ "$ARD_ALL_LOCAL" = "0" ]; then
        result=$REMOTE_MANAGEMENT_ENABLED_USERS
fi

# Displays list of accounts that have 
# been given Remote Management rights

echo $result

I’ve posted the script here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_for_remote_management_accounts

I’ve also modified it for use as an Casper Extension attribute. I’ve posted it here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_for_remote_management_accounts

Follow

Get every new post delivered to your Inbox.

Join 151 other followers

%d bloggers like this: