I want to write an applescript program that first checks to see if the user has Admin privileges, and if it doesn't then requesting a re-log-in or something.
Eventually the script is going to need to do a sudo chmod of a folder I just created... I can do that with a do script and a with Administrator Priviledges.
However I haven't figured out how to either request admin privs for an applescript command, or even just check if the user HAS admin privs.
Anyone know? or at least point me at a GOOD applescript ref? (Apple.com reference is not helping me)
thanks.
A solution from the Apple forum:
if ("80" is not in (do shell script "id -G")) then
Error....
seems to do the trick. It's hard to read, and as Philip Regan said, I'm doing it via the command line, but it seems to give me the protection that I need...
Just use the with administrator privileges. If a user doesn't have admin privileges, Applescript will prompt them for name and password. Use a try ... on error block in case the user cancels, enters the wrong password or just plain doesn't have admin rights.
If you really want to know if the current user is an administrator, check that the user is in the admin group:
on amIAdmin()
set prevDelims to AppleScript's text item delimiters
set AppleScript's text item delimiters to " "
set groups to do shell script "id -G -n"
set groupList to text items of groups
set isAdmin to "admin" is in groupList
set AppleScript's text item delimiters to prevDelims
return isAdmin
end isAdmin
amIAdmin()
Here's another alternative solution which no one mentioned yet.
The dscl command allows you to perform a variety of Directory Service tasks and one of them is the ability to look up a user's account type.
The command: dscl . read /Groups/admin GroupMembership
will list all admin accounts on OS X.
So if you wanted to incorporate that into an AppleScript you could do the following:
set userName to "whatever username you wanted to check"
set readAdminGroup to do shell script "dscl . read /Groups/admin GroupMembership"
set AppleScript's text item delimiters to " "
set adminNames to text items of readAdminGroup
--loop through Admin Group to check if username exists
repeat with i in adminNames
if adminNames does not contain userName then
set isAdmin to false
else
set isAdmin to true
end if
end repeat
return isAdmin
Once you find out whether the variable isAdmin is true or false you can then perform a variety of functions. Also, if the script was being deployed or sent through ARD you could set the userName variable (the first line in the above script) to check for the current user with a whoami command. So the first line would then look like this:
set userName to do shell script "whoami"
I'm a little annoyed that System Events doesn't have a property in the user object for this, but the id and dscl based queries seem the best bet. For readability I use:
set imadmin to " admin " is in (do shell script "groups")
Note the spaces around admin. This prevents it form being mixed up with groups like lpadmin.
Via MacScripter.net this should be a start: Managing Permissions (page 2 of 2)
Related
Trying to set some firewall rules for a machine on a domain. It requires admin permissions through cmd prompt to set them, however I want to use the %username% variable as the command requires a specific folder stored in the logged in users appdata to be allowed.
Is there anyway to work around this?
As when launching cmd prompt as admin, it uses my admin username in %username% rather than the logged in user and I'm hoping to automate this. Needs to be done through cmd/powershell/batch.
Have managed to resolve it myself. I've managed to save the variable to a file, and call that file into a second command prompt session elevated as admin and use a different variable.
First:
echo %USERNAME%>C:\dir\file.txt
Second:
cd C:\dir\
set /P uname=<uname.txt
echo %uname%
Is there a CMD command to set an existing Windows user's property's checkbox, "Password never expires", to be unchecked? (Assumption: The checkbox was previously checked before I unchecked it manually to illustrate the box being unchecked)
I am creating a batch file for windows 10 and I would like to do it programmatically. (I am hardening an OS and baselining it.)
I looked at the CMD command: net user and it does have several password options such as /passwordchg to specify a user can change their own password and /passwordreq which specifies a user must have a password. I find it strange that there isn't one for "Password never expires" (i.e. /passwordexp:{YES|NO}) so my batch file can uncheck that option programmatically. I'm probably missing it in my Google searches but I am unable to find a solution. I include a excerpt of my code:
...
...
net user %Name% /<somePasswordExpireOption:YES
...
...
Any suggestions are welcome. Thanks in advance.
Perhaps, as long as they are local not domain:
WMIC UserAccount Where "Name='%Name%'" Set PasswordExpires=FALSE
So I made a script in applescript that uses the "do shell script" command to run a terminal command for google apps manager (if you dont know what that is,it isnt important). I am making a cocoa applescript application and wanted to include this script in the functionalities. The script basically resets passwords for users.
Below I have provided the script in script editor and in xcode. The problem I am running into is that the script works just fine when I run it through script editor but it doesn't work when I run it in xcode. The error is as follows in bold.
--
2015-08-11 18:49:03.205 DMA Tech Team[16153:1910832] *** -[AppDelegate Passwordreset:]: python: can't open file 'Users/Nikhil/Desktop/gam/gam.py': [Errno 2] No such file or directory (error 2)
The weird thing is that my "gam" directory and "gam.py" file are all definitely in the correct place so there shouldn't even be an error.
I was wondering if there is something special I have to do for this that is different in applescript obj c than in just plane applescript?
Note "CTN" is just a email address. checkEmail() is a function that checks to see if that email entered already exists, it is not the reason for the error.
Script in Script Editor
set User to short user name of (system info)
display dialog "What is the ctn?" default answer ""
set theCTN to text returned of result
display dialog "What is the new password?" default answer ""
set thePassword to text returned of result
do shell script "python Users/" & User & "/Desktop/gam/gam.py update user " & theCTN & " password " & thePassword
Script in Xcode's app delegate
on Passwordreset_(sender)
set User to short user name of (system info)
set theCTN to RESETPASSIND_CTN's stringValue() as text
set thePassword to RESETPASSIND_PASSWORD's stringValue() as text
do shell script "python Users/" & User & "/Desktop/gam/gam.py update user " & theCTN & " password " & thePassword
end Passwordreset_
Thanks!!
You are using a relative pathname (Users/...) instead of an absolute path (/Users/...)
XCode projects tend to start in an obscure project build directory.
Presumably (I haven't checked) the Script Editor is starting in "/".
Could someone tell me what is wrong with this:
tell application "Terminal"
activate
tell application "System Events"
keystroke "sudo"
keystroke return
keystroke "purge"
keystroke return
end tell:
end tell
Not sure why you want to use Automator and Applescript and things when you can do that perfectly well in a bash shell script.
If you copy this file and save it on your Desktop as purgenow
#!/bin/bash
sudo /usr/sbin/purge
then start Terminal and make the script executable like this
chmod +x ~/Desktop/purgenow
you will be able to double-click it and run the script.
The command with the sudo, should really only work if you have adminstrator rights on your account, or are logged in as root, as normally you'd be prompted for a password, you'll have a hard time entering the password for the shell - utility from AppleScript.
Instead, you can excempt the whole sudo command, as you can have the do shell script event take care of that for you, either by specifying the password by performing a do shell script with administrator privileges and enter the account name that holds the administrator rights, and password, when prompted.
You can also specify predicates to the do shell script event that lets you specify both username and password, to get rid of the prompt for password dialog, and have the purge command run automatically with administrator privileges.
It may under some circumstances be feasible to prepend the do shell scriptevent with tell me, for the case that the do shell script event is called from within an application block, (which is bad style really, and should be avoided whenever possible).
do shell script "/usr/sbin/purge" with administrator privileges use name "Admin" password "password"
You can read about the do shell script event in the Standard Additions dictionary of Script Editor. There is also a Technical Note, you may wish to skim: Technical Note TN2065: do shell script in AppleScript.
I need to create a script to periodically delete files from a user's folder that contains files that have read only access to standard users. I have a script that works perfectly but it asks for authentication. I need it to run it unattended...
I'm not sure what process or command is giving you the authentication window (your question is not clear about that) but you can use do shell script for file handling without being asked for authentication.
do shell script "rm /path/to/file" password "<password>" with administrator privileges
Of course you need to have already administrator privileges.