User groups are easy, right? A user is either a member or they are not.
Once you start thinking about the details and want or need to automate some of the aspects of user and group management on macOS, there is a lot of devil in those details.
User Membership
You can easily list all groups a given user is a member of. The id command will show all the groups the current user is a member of. id -Gn will list just the groups. Add a username to the id command to see the information for a different user. The groups command does the same as id -Gn.
You can also run a command to check if a given user is a member of a group:
Group Membership
So far, so good.
A user is a member of a group when one of these applies:
- the user’s PrimaryGroupID attribute matches the PrimaryGroupID of the group
- the user’s UUID is listed in the group’s GroupMembers attribute and the user’s shortname is listed in the group’s GroupMembership
- the user is a member of a group nested in the group
Note: you should not attempt to manipulate the GroupMembers or GroupMembership attributes directly. Use the dseditgroup -o edit command to manage group membership instead. dseditgroup syntax is weird, but it is a really useful tool. Study its man page.
Listing Group Members
Sometimes (mainly for security audits) you need to list all the members of a group. With the above information, it is easy enough to build a script that checks the PrimaryGroupID and the GroupMembership attribute, and then recursively loops through the NestedGroups.
This is confused by the fact that PrimaryGroupID stores the numeric User ID, GroupMembership uses the shortname and NestedGroups uses UUIDs. Nevertheless, you can sort through it.
I have written exactly such a script here:
In most cases this script will work fine. But, (and you knew there would be a “but”) macOS has a very nasty wrench to throw in our wheels.
Calculated Groups
There are a few groups on macOS that have neither GroupMembers, GroupMembership, nor NestedGroups, but still have members. This is because the system calculates membership dynamically. This is similar to Smart Playlists in iTunes, Smart Folders in Finder, or Smart Groups in Jamf Pro.
You can list all calculated groups on macOS with:
The most interesting calculated groups are everyone, localaccounts, and netaccounts.
These groups can be very useful in certain environments. For example, in a DEP setup you could add localaccounts or everyone to the _lpadmin and _developer groups before the user has even created their standard account. That way any user created on that Mac can manage printers and use the developer tools.
However, since these groups are calculated magically, a script cannot list all the members of any of these groups. (My script above will show a warning, when it encounters one of these groups.)
While it would probably not be wise to nest the everybody group in the admin group, a malicious user could do that and hide from detection with the above script (or similar methods).
Other Solution
Instead of recursively listing all users, we can loop through all user accounts and check their member status with dseditgroup -o checkmember. This script is actually much simpler and dseditgroup can deal with calculated groups.
This works well enough when run against all local users.
I strongly recommend against running this for all users in a large directory infrastructure. It’ll be very slow and generate a lot of requests to the directory server. Because of this the script above runs only on the local directory node by default.
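An added example of this approach (not the author's script, which is not reproduced on this page): it loops over the local users, asks dseditgroup whether each one is a member, and marks members that do not appear in the group's GroupMembership attribute, which is where membership through the primary group, a nested group or a calculated group shows up. The function names are made up for this example, and it assumes that checkmember output starts with "yes" for members and that dscl prints GroupMembership on one line.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes the macOS dscl and
# dseditgroup tools and that checkmember output starts with "yes".

# direct_members GROUP: shortnames stored in the group's GroupMembership.
direct_members() {
    dscl . -read "/Groups/$1" GroupMembership 2>/dev/null |
        sed -n 's/^GroupMembership: *//p' | tr ' ' '\n'
}

# is_member USER GROUP: let the directory resolve primary, nested and
# calculated membership instead of walking the attributes ourselves.
is_member() {
    case "$(dseditgroup -o checkmember -m "$1" "$2" 2>/dev/null </dev/null)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# audit_group GROUP: one line per local user that is a member of GROUP:
#   "<user> listed"    the shortname is also in GroupMembership
#   "<user> unlisted"  member only via primary group, nesting or a
#                      calculated group (worth a second look in an audit)
audit_group() {
    group=$1
    listed=$(direct_members "$group")
    dscl . -list /Users | while read -r user; do
        is_member "$user" "$group" || continue
        if printf '%s\n' "$listed" | grep -qxF -- "$user"; then
            echo "$user listed"
        else
            echo "$user unlisted"
        fi
    done
}

# Run only when a group name is given, e.g.: sh audit_group.sh admin
if [ "$#" -gt 0 ]; then audit_group "$1"; fi
```

Like the approach it illustrates, this queries only the local directory node (the "." in the dscl calls).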
Summary
- on macOS users can be assigned to groups through different means
- you can check membership with dseditgroup -o checkmember
- you can edit group membership with dseditgroup -o edit
- macOS has a few groups which are dynamically calculated and difficult to process in scripts