Help making new user script
If I could pull from the knowledge of users, IT admins, etc. to help make an AppleScript or something that will allow me, and others, to make user accounts with particular system/application settings (preferences). I know where particular .plist files are for most everything I want to change (i.e. Safari, dock, software updater, etc.). I do have trouble setting SAV 10 Corporate Edition, but that's another story. I would like to have the script prompt for user name and short name, but set the password to "blank" (no password, so it could be set up by the end user). Then of course set up the user's home directory accordingly. I want to be able to run the script multiple times, and make users without anything being changed in the script/application. So, UIDs are made accordingly without intervention.
Hopefully, this should be easy...but, I don't know where to start. :confused: |
can you say more about how you intend it to be used? the reason I'm asking is that applescript is not particularly secure. a shell script would be better from a security standpoint (that's what my uni uses to let students set up their own accounts) but not a lot of newbies can deal with a shell. PHP might be better from that standpoint (since you can give it a nice html front-end) but then you have other issues arising because it's a web app...
what are you envisioning? |
What platform? 10.4 and previous use netinfo manager to store user information, 10.5 and higher use the directory services, so it is going to differ from what platform you are using.
|
an applescript would be nice, so that I could potentially package some files that need to be copied; a shell script could do the trick also (a shell script would be easier). The script just needs to make a user based on the input from the tech setting up the account. Though, it needs to make all aspects of a new user: long name, password, shortname, home directory, picture, etc., and it needs to copy my settings for applications (i.e. Bluetooth, power management, etc. settings [.plist files]).
It'll need to work on 10.3.x, 10.4.x, 10.5.x. Thanks |
well here goes an example for 10.3 and 10.4 clients using netinfo command line
Code:
#!/bin/bash
Code:
#!/bin/bash
$USER = shortname
$FULLUSER = their full name
Then you only have to fill in those lines, and you could even make it interactive beyond that. |
those look good, thanks
a prompt of some sort would be effective enough to "punch in" the user shortname and full name, or just arguments. Now for the UID and GroupID, could those just be automatically created to fall in sequence with what's already there? |
Are you running OS X server with an Open Directory?
|
I have an OS server 10.4 available, but unfortunately "we" have a Novell LDAP environment. Though, it's just getting going and is Windoze-based primarily. Novell and Mac don't get along together extremely well; not all Novell products work 100% like their PC counterparts.
|
So, each machine is authenticating locally? Or have you set up a "golden triangle" type of authentication that ties into your eDirectory? I am somewhat familiar with Novell, we run it here and at my last job. I have to deal with Groupwise all the time.
|
yeah, the machines just log in locally. My networking guys and I haven't even started on trying to get Macs to log in to eDir. I'm not sure it could be done, maybe one day... But, just when I create users on the Macs, I have particular settings that I would like to apply to every user that gets created.
|
It can be done, I've done it before. It requires a lot of steps via console one and your netware servers, and then on the client side as well. I haven't really messed with eDirectory at all in the last year almost since my new job is completely mac ODM network.
Ok, since each machine logs in locally, you'll have to run the script on that machine locally. If you have ARD admin, you can use the send unix command option from the software to send the script. Netinfo should generate the next open UID, so you can leave that blank, or you can set up UID for each user. Are these users, class room based, or personal logs ins? Back when I had to manage macs that authenticated locally, I made accounts like, hour 1, hour 2, so on and so forth and did not use individual log ins. Then set the permissions accordingly to what that class needed during that hour. Even though they were all pretty much the same thing. How exactly is yours set up? |
it's just individual logins. I don't have ARD, though I wish I could have it, but we don't have the numbers to get it for the amount of users total (not justifiable).
|
ick, no ARD admin? I am sorry but that is a needed tool for managing Macs remotely in any managed environment.
Ok, are they running static IPs? You are creating individual log ins for each user? I mean you can ssh as that local admin account from your machine and run the script that way. How many macs are we talking about here you are managing? Is this a corporate environment or educational? |
Quote:
--The script would be incorporated into an image that techs use
--we only have like 400 Macs
--educational, Georgia Southern University |
OK, well for that many Macs I don't see how you can justify not having ARD admin. The script will not be hard to write, however to embed it in the image and make it work for your techs could be a whole other can of worms.
Also if everything is local, why even create multi user environments? It is not like you are backing up home directories or mapping drives. Why complicate it with individual user accounts when you can just use one generic managed and one admin account? Do, you need to have the accounts as individual for each user, like is there a reason behind it? |
My fellow techs are no strangers to running some sort of script. In our windows images, we have a batch file that makes a new user (it just simply adds a user, that's all). So, as long as it could run like that:
in windows @ DOS prompt--> newuser.bat username [enter]
that's all
I do currently have my image set up with an admin and "user" profile. I have everything just the way I want it in the "user" account. Then the techs use the ChangeShortName app to change "user" to what the end user is going to be. But, in some cases, the Mac is used by several users (not often, maybe like a handful) and to keep all the user accounts the same... I figured a script would help, and that way it would be easy to keep track of particular settings and so on. |
Well, it is different since the windows clients are bound to the directory and can most likely connect to it and pull information from it, and they don't even need local accounts since they are authenticating via eDirectory and LDAP.
Here is the conundrum you lie in.
1) Creating users requires admin rights, so either you must run a script and manually input the user fields (or make it interactive like the windows one), or remote in as admin and run the script to add new users.
2) You can't change the short name once it is created, that is a no no with OS X. So, you must create the short name while creating the user.
3) You would have to manually input all user account information into each script manually, which to me is a waste of man hours which could be applied towards something that is more important.
So, if there is a great reason why you must have individual log ins, then yeah you can go down that route. If there is no great reason, I just have one local admin account and one local managed user account and leave it be. If you aren't authenticating against some sort of directory service, aren't mapping network drives, aren't pushing out policy, I don't see any reason to have a multi user environment. Are you even managing the data the users put on the macs? It just seems like a lot of extra work for no pay off.
If they won't even buy you ARD admin, which well, universities have way more budget than K-12 and I got ARD admin without a question, I know they can afford to buy you a license. It is simply a need and a must, there is no way around it.
I understand what you want to accomplish but I fail to see where it is going to be of value or beneficial to you or your users. It seems like you want to build a table but do so without a hammer or a saw, which are required tools to build a table. What exactly is the higher goal here? |
basically I'm just trying to have a script that, when a tech logs in, they will click on the script and punch in the necessary info (fullname, shortname)
then that's it..user(s) created with all the necessary settings...done |
OK, I can point you in the right direction, but I still fail to see what the higher goal is here from having all these local user accounts? If a HD fails, all that info is lost anyway, and if you are not doing anything over the network it just seems like wasted time.
How are you imaging the machines? Netrestore? |
i see what you are getting at...but everything has to be done in baby steps on this campus...it's frustrating, even to me...there are so many things that we should be able to do to help support end-users, but it's the education/gov't...it takes forever to get anything done.
Any hoo... I use a combo of methods depending on the situation...
Lab - netrestore
fac/staff - bootable firewire drive |
Quote:
Go bug your procurement department. :) |
Quote:
On the IT/Administration side it would be in your benefit to KISS (keep it simple stupid) by just creating one managed account for all students and one admin account for local administration. That way you aren't dealing with hundreds of extra local user accounts, which would be a nightmare to manage, you aren't having to worry about their individual home directories, and I assume they are saving all personal data on thumb drives or what not, so you aren't having to manage their data either.
I used to be in the same boat as you at my old job. 10,000 computers to support with about a 3% to 4% mac population. All managed locally. I set up a file server for students to store data on, then created one admin and one managed user account on each machine. I would then use ARD admin to push out any post scripts or post config after imaging. At my new job I manage around 6,000 macs, so it's a bit different on how we manage them, but if I were you, I would not bother with setting up individual local user accounts.
Now the tricky part for you is that you'll need 3 scripts: 1 for 10.3, 1 for 10.4 and 1 for 10.5. I would simply place the script on the local admin account's desktop for that image, so when a tech reimages it they can run the script from there. You can set it up to be interactive as well, and if you need help with that I can try to help, though I am not an expert scripter. I'm in between expert and novice. Though, I have made interactive scripts before. |
I'd really like to have ARD, but I don't manage all 400 Macs by myself. There are just shy of 400 Macs across the campus. Then they are spread out between all the departments, and we have specific techs assigned to each dept. So...not one tech is assigned to manage all the Macs on campus. I'm not a full Mac expert, I know more than all the other techs, but I consider myself almost intermediate. I'm still very much learning how much you can..and can't do...with Macs. Plus, in an academic environment people have academic freedom...and that causes all kinds of issues...
Until my IT dept gets some "balls" and money to do things like that...I'm forced right now to manage locally. Now the scripts don't have to be extremely fancy. But like I stated before...it just needs the tech to add the fullname and shortname...and the rest is done by the script. |
400 macs? That's a lot of headaches.
|
well, I am not quite sure how to make it interactive and take my inputted text. I know how to make a menu based script to run commands but I don't quite know how to code it so you can input text.
I have a less efficient solution though of just using variables, so the script will need to be modified each time you use it, but you would only need to modify two fields with short name and long name, so it wouldn't be a huge deal.
Code:
|
well I was looking into it, and you could try adding code like this
example Code:
#!/bin/sh
Of course, I am a noob in some ways when it comes to advanced scripting. |
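Added example, not part of any post in this thread and not the posters' lost code: one way to do what the thread asks for on 10.5, prompting for short name and full name, picking the next free UID automatically, and building the home directory from the user template. The short-name policy, the 501 floor, group 20 (staff), the `--create` switch and the file name `newuser.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Targets Mac OS X 10.5 (dscl);
# run as root on the Mac itself. Policy values below are assumptions.
LC_ALL=C; export LC_ALL          # keep the a-z ranges below ASCII-only

# Short-name policy (assumed): 1-31 chars, lowercase letter first, then
# lowercase letters, digits, '_' or '-'. Rejects spaces, '/', '..', quotes.
valid_shortname() {
    case "$1" in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]
}

# Read "name uid" lines (the format of `dscl . -list /Users UniqueID`) on
# stdin and print the next free UID, never below 501 (first regular user).
next_uid() {
    awk -v min=501 '
        $2 ~ /^[0-9]+$/ && $2 >= min && $2 > max { max = $2 }
        END { print (max ? max + 1 : min) }'
}

create_user() {                   # $1 = short name, $2 = full name
    uid=$(dscl . -list /Users UniqueID | next_uid) || return 1
    dscl . -create "/Users/$1" || return 1
    dscl . -create "/Users/$1" RealName "$2"
    dscl . -create "/Users/$1" UniqueID "$uid"
    dscl . -create "/Users/$1" PrimaryGroupID 20      # staff
    dscl . -create "/Users/$1" UserShell /bin/bash
    dscl . -create "/Users/$1" NFSHomeDirectory "/Users/$1"
    dscl . -create "/Users/$1" Password "*"  # no valid password until one is set
    # Home directory from the system template; preference .plist files
    # placed in that template are inherited by every new account.
    ditto "/System/Library/User Template/English.lproj" "/Users/$1"
    chown -R "$uid:20" "/Users/$1"
}

# Interactive entry point: sudo sh newuser.sh --create
if [ "${1:-}" = "--create" ]; then
    printf 'Short name: '; read -r short
    printf 'Full name: ';  read -r full
    if ! valid_shortname "$short"; then
        echo "rejected short name: $short" >&2; exit 1
    fi
    if dscl . -read "/Users/$short" >/dev/null 2>&1; then
        echo "user already exists: $short" >&2; exit 1
    fi
    create_user "$short" "$full" && echo "created $short"
fi
```

The account is created without a valid password; a tech sets one afterwards with `dscl . -passwd /Users/<shortname>`. Validating the short name before it reaches `dscl`, `ditto` and `chown` matters because the script runs as root and the name becomes part of a filesystem path.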
I've put in a request to have ARD ordered...now..I wait.
Would I just make a .command file to put these commands in? I know in Linux you can make a .sh file. |
you're probably right, but i have to try...
|
requesting at least puts it on the table and for 400 macs, you know you can start centralizing administration to them via ARD.
Also, ARD, has a built in feature that will just send a unix command, so you can send the script to each machine and then execute a command to run it. Done. |
Oh Boy, this topic has gotten off track...
|
Quote:
I got ARD admin, several licenses for several different applications. I got copies of OS X server, all that I would want. I got a macbook pro per request. I mean it can be done and it just goes to show how serious you are with what you want to accomplish. Then again in retrospect I manage over 5500 to 6000 macs district wide. So, the justification may be better in my situation. However, I would think that University level networks would have access to more money and resources than public K-12 |
If we were talking about a big named college, I can see getting what one wanted happening, but the university he's speaking of is not that great.
|
Two things, the dscl scripts work very well in bash and I run them from ARD. Usually, I run them with the systems on the log in screen, ARD can run as root, and the login gives me console access.
Since I run a small group of iMacs that get repurposed several times a year, 3 times this summer, I depend on ARD. If I had to touch every one of our 300 systems each time I would have spent the $300 license fee many times over in the last two months. I am getting another license with Task Manager enabled in the Fall! |
wow old post...
After running a 1:1 for 3 years now (starting my 4th) and using Casper. Nothing compares to the power tools Casper provides to manage computers, deploy software, mass image, etc. ARD Admin and task manager cannot even hold a stick. |