Getting AD User Details with NoMAD and Extension Attributes

Although NoMAD is still in it's development/beta stages, it is already proving to be an incredibly handy tool for lots of organizations. Tom Bridge summed it up pretty nicely:
It feels a little silly to be so excited about something so simple as NoMAD, but there’s nothing simple about NoMAD behind the scenes. It’s doing a lot of heavy lifting that you’d usually need binding to accomplish. Preventing the complication of binding simplifies your Mac environment. On the Podcast recently, we spent an hour talking with Joel Rennich about just that.

From the device user's perspective, NoMAD is a menubar utility that shows password expiration and provides handy one-click access to things like Self Service ("Get Software"), a help desk portal or Bomgar session (configurable in the "Get Help" option), and much more.

Settings can be put in place with a robust list of preference keys, and these can be applied with Configuration Profiles. Once the preferences are set and an AD user account has been signed in, details of the account a written to a preference file called com.trusourcelabs.nomad.plist, located in the logged-in user's Preferences.

If you run defaults read com.trusourcelabs.nomad.plist on a computer with NoMAD installed and configured, you'll get some fun details about the account, including some information that will be presented much like the following:

   ADDomain = "";  
   DisplayName = "Jane Doe";  
   GetHelpOptions = "";  
   GetHelpType = URL;  
   Groups =   (  
   KerberosRealm = "YOURCOMPANY.COM";  
   LDAPServerList = "";  
   LastPasswordExpireDate = "2017-01-25 18:34:12 +0000";  
   LastPasswordWarning = 1296000;  
   LastUser = jdoe;  
   LocalPasswordSync = true;  
   LoginItem = 0;  
   RenewTickets = 1;  
   SecondsToRenew = 7200;  
   ShowHome = 0;  
   Template = "";  
   UseKeychain = true;  
   UserAging = 1;  
   UserHome = "";  
   UserPasswordSetDates =   {  
     "jdoe@DOMAIN.YOURCOMPANY.COM" = "2016-10-27 18:34:12 +0000";  
   UserPrincipal = "jdoe@DOMAIN.YOURCOMPANY.COM";  
   UserShortName = jdoe;  
   Verbose = 0;  
   x509CA = "";  

Due to this information being stored in a .plist file, it can be collected in the JSS with extension attributes.

So, for example, if I run defaults read com.trusourcelabs.nomad.plist LocalPasswordSync in the Terminal, I'll get the result of true. Since I get a result, I can throw that into an EA and have it display the result in a computer record in the JSS.

Something that an organization might find useful is an easy way to tell what the password expiration is for an account. For an EA with that information, you can use an EA like the following:

Since the plist is stored in the device user's Library, the EA first gets the logged-on user's name, then it reads the plist stored in the user's library and looks for the LastPasswordExpireDate key and echoes the result. You'll get an entry in the computer record in the JSS that looks something like this:

Using the above EA as a template, you can also grab details like AD Security Group membership, the day the password was last set for a user account, and much more.

This also means that while troubleshooting a machine with NoMAD installed, you can run a simple defaults read command in the Terminal to get more detailed information about the AD user object without using fancy command line tools or whatever else. AD without AD. Lovely.

Did you find this post useful? Leave me a tip!


Post a Comment

Thanks for commenting! Don't forget to follow along on Bloglovin and on Twitter at @emilyooo!