Middlebury

Difference between revisions of "Advanced Mac Configuration Topics"

m
(Reorganization - please let me know if you preferred the flat format!)
Line 1: Line 1:
<br>
+
== System, disks, users ==
  
== Reimage a mac from an image using the command line asr ==
+
==== Refresh disk arbitration ====
<pre>sudo asr restore --source /Volumes/Source/Image.dmg --target /Volumes/Destination --erase --noverify</pre>
 
Note: This '''ERASES''' the destination drive. It also skips verification (which Disk Utility forces you to do, thus adding 10-15 minutes to the imaging process). Verification is GOOD, but sometimes, when you're sure that the image is healthy and your destination drive is healthy, it can be a waste of time.
 
  
== Refresh disk arbitration  ==
+
Note: This may force disks that haven't mounted to mount.
 +
<pre>disktool -r
 +
</pre>
  
Note: This may force disks that haven't mounted to mount.  
+
==== Enable Journaling  ====
<pre>disktool -r
+
 
</pre>  
+
<pre>diskutil enableJournal /</pre>
== Pushing Adobe CS via ARD  ==
+
 
 +
==== Matching Mac Model Name with Model Identifier, Mac OS X Build, production date, and Apple Hardware Test version ====
 +
 
 +
#Get Model IDENTIFIER from System profiler (it will look like Model Identifier: MacBookPro2,2)
 +
#Visit http://mactracker.dreamhosters.com/iphone/#_modelWindow and find the model with that identifier
 +
#Done
 +
 
 +
More useful resources:
 +
 
 +
*http://support.apple.com/kb/HT1159
 +
*http://www.chipmunk.nl/cgi-fast/applemodel.cgi
 +
*http://www.apple.com/support/
 +
*http://www.apple.com/support/serviceassistant/
 +
*http://mactracker.dreamhosters.com/iphone/#_modelWindow
 +
 
 +
==== Programatically Delete Cached User Accounts ====
 +
 
 +
From http://developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServices/index.html
 +
<pre># Script to remove cached accounts in the local DS node
 +
# This should work in both Tiger and Leopard
 +
# Run this script as root or with sudo
 +
#!/bin/sh
 +
 
 +
# dscl searching only does exact matches.  So we list the records and pipe them through to grep to find the list of records we want.  The first column will be the username and we get that using awk.
 +
# We also remove the line endings with tr to make it one long string.
 +
 
 +
for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
 +
dscl . -delete /Users/$cuser                    # now we delete the record using dscl
 +
done
 +
</pre>
 +
More resources: http://www.macosxhints.com/article.php?story=20080127172157404 <br> http://www.google.com/search?client=safari&amp;rls=en-us&amp;q=leopard+script+delete+user+account+dscl&amp;ie=UTF-8&amp;oe=UTF-8
 +
 
 +
==== Enabling Directory Service debug logging ====
 +
<pre>
 +
sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
 +
sudo sudo killall -USR1 DirectoryService
 +
</pre>
 +
 
 +
==== Disabling Directory Service debug logging ====
 +
<pre>
 +
sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
 +
sudo sudo killall -USR1 DirectoryService
 +
</pre>
 +
 
 +
==== Resetting Directory Service Settings ====
 +
 
 +
I was having trouble logging in with my AD account to some iMacs added to our AD. In fact, not a single AD account was able to login. Directory Utility claimed it can't see the domain controller (which it could, since it was online, in the same subnet as other identical computers, it could ping the domain and packets were sent back and forth between it and the domain, without loss). Unbinding it didn't work, but it offered to force the ubind, which I did. Then I was unable to bind it back (updated to 10.5.6 rebooted, still not binding). The error I kept getting was invalid username and password (after entering the domain username and password that we use for binding). Using the same username and password worked on other computers (either brand new, or existing computers that I unbound, then bound back with no issues -- again same subnet, same image). I deleted the computer accounts from the domain, but the problem persisted. Finally, I used fseventer to see what's being access during the bind process. The system threw the error message not after communicating with the domain, but after checking the plists in /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config  -- so I deleted these two folders and was able to bind back with no issues!
 +
<pre>
 +
sudo rm -rdfv /Library/Preferences/DirectoryService
 +
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
 +
sudo sudo killall -USR1 DirectoryService
 +
</pre>
 +
 
 +
 
 +
 
 +
== ARD techniques ==
 +
 
 +
==== Desirable ARD commands ====
 +
*Set disk permissions. Ignore permissions.
 +
*Add ACLS for folders
 +
*Run login permission script
 +
*unbind/rename/rebind/rescan/apply proper admin privs.
 +
*login items fix
  
'''Note: This assumes you've created a disk image with the applications (from /Applications), and a disk image with the settings (in /Library/Application Support, as well as /Library/Preferences).'''  
+
==== Pushing Adobe CS via ARD  ====
 +
'''Note: This assumes you've created a disk image with the applications (from /Applications), and a disk image with the settings (in /Library/Application Support, as well as /Library/Preferences).'''
 
<pre>hdiutil attach /adobepro.dmg
 
<pre>hdiutil attach /adobepro.dmg
 
ditto -V /Volumes/adobepro /Applications
 
ditto -V /Volumes/adobepro /Applications
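Review bot: The three Directory Service blocks added in this hunk (enable logging, disable logging, reset settings) all end with "sudo sudo killall -USR1 DirectoryService"; the doubled sudo should be a single "sudo killall -USR1 DirectoryService". In the cached-accounts script the "#!/bin/sh" line sits below three comment lines, so it is not the first line of the file and is read as an ordinary comment; move it to the top and quote the record path as "/Users/$cuser". The reset block deletes /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config outright with rm -rdfv; suggest moving both folders aside instead so the change can be undone if the bind still fails.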
Line 22: Line 85:
 
hdiutil detach /Volumes/settings
 
hdiutil detach /Volumes/settings
 
rm -rdfv /settings.dmg
 
rm -rdfv /settings.dmg
</pre>  
+
</pre>
== Mute or set volume via ARD  ==
+
 
 +
==== Mute or set volume via ARD  ====
 
<pre>osascript -e "set volume 0"
 
<pre>osascript -e "set volume 0"
</pre>  
+
</pre>
Change the zero to another number to set the volume to a higher value. Zero is mute. This seems to be system wide. It also mutes the startup chime. Good for classrooms. If headphones are plugged in, they have a separate volume setting.  
+
Change the zero to another number to set the volume to a higher value. Zero is mute. This seems to be system wide. It also mutes the startup chime. Good for classrooms. If headphones are plugged in, they have a separate volume setting.
  
== Make Macs Speak via ARD  ==
+
==== Make Macs Speak via ARD  ====
 
<pre>say "I hate Macs"
 
<pre>say "I hate Macs"
</pre>  
+
</pre>
== Set the Open Firmware password via ARD  ==
 
 
 
'''Note: You need our Open Firmware package for this! It should be on our Mac server.'''
 
<pre>sudo ofpassword set blahblah123</pre>
 
== Connect to an AFP server from the command line  ==
 
<pre>sudo mkdir /Volumes/myserver
 
sudo mount_afp afp://username:password@servername/sharename /Volumes/myserver
 
</pre>
 
== Run an ASR server  ==
 
 
 
GUI: Protonpack
 
<pre>sudo asr -source /Volumes/Images/image.dmg -server /path/to/config.plist
 
</pre>
 
== Restore a client from an ASR server  ==
 
 
 
GUI: NetRestore
 
<pre>sudo asr -source asr://serverip -targer /Volumes/Volume -erase -noverify
 
</pre>
 
== Enable ARD remotely  ==
 
 
 
e.g. via SSH
 
<pre>sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users admin -privs -all
 
</pre>
 
If nothing's been enabled, the full line should look like: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu
 
  
== Enable SSH via ARD  ==
+
==== Set the Open Firmware password via ARD  ====
 +
'''Note: You need our Open Firmware package for this! It should be on our Mac server.'''
 +
<pre>sudo ofpassword set blahblah123</pre>
  
This seems to work:  
+
==== Enable SSH via ARD  ====
<pre>systemsetup -setremotelogin on</pre>  
+
This seems to work:
Some other ideas:  
+
<pre>systemsetup -setremotelogin on</pre>
 +
Some other ideas:
 
<pre>echo yes | /System/Library/CoreServices/RemoteManagment/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on
 
<pre>echo yes | /System/Library/CoreServices/RemoteManagment/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on
 
/sbin/service ssh start
 
/sbin/service ssh start
 
echo "AdminsPassHere" | sudo service ssh start
 
echo "AdminsPassHere" | sudo service ssh start
</pre>  
+
</pre>
This seems to work until reboot:  
+
This seems to work until reboot:
<pre>/usr/sbin/sshd</pre>  
+
<pre>/usr/sbin/sshd</pre>
== Update Symantec AntiVirus ==
+
 
<pre>LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES
+
==== Enable ARD remotely ====
</pre>  
+
e.g. via SSH
LiveUpdate tends to be in the root library support folder: /Library/Application\ Support/Norton\ Solutions\ Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES
+
<pre>sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users admin -privs -all
 +
</pre>
 +
If nothing's been enabled, the full line should look like: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu
  
== Enable Journaling ==
+
==== Mount AFP volume via applescript via ARD ====
<pre>diskutil enableJournal /</pre>  
+
<pre>osascript -e 'mount volume "afp://user:password@computername/Macintosh HD"'</pre>
== Printers: Install, delete, set as default  ==
 
  
'''List installed printers'''
+
==== Check if a process is running via ARD  ====
<pre>lpstat -p
+
E.g. Check if AFP server is running
</pre>  
+
<pre>ps -axww | grep -i "AppleFileServer"</pre>
'''Install'''
 
<pre>lpadmin -p printer_name -E -v lpd://server/printer -P path-to-ppd.gz</pre>  
 
*An example with a compressed ppd:
 
  
lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.gz
+
==== Start AFP sharing remotely  ====
 +
#Change /etc/hostconfig so that AFPSERVER=-YES=
 +
#Send unix script <pre>sudo AppleFileServer</pre> TWICE
  
*Or an uncompressed ppd:
+
==== Get folder size via ARD  ====
 +
<pre>du -d 1 -h /Users/Shared/editingclass</pre>
  
lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.ppd
 
  
'''Must be followed by'''
 
<pre>cupsenable printer_name</pre>
 
'''Delete'''
 
<pre>lpadmin -x printer_name</pre>
 
e.g.:
 
<pre>lpadmin -x AdobePDF7</pre>
 
'''Set as default'''
 
<pre>lpadmin -d printer_name</pre>
 
'''Install but disable sharing and add description'''
 
<pre>lpadmin -p printer_name -E -v lpd://server/printer -D "Room AB123" -P ppdpath -o printer-is-shared=false</pre>
 
=== Enabling Duplexing  ===
 
  
On HP printers this should suffice:
+
== Application tips ==
<pre>lpadmin -p prntr -E -v lpd://srv/prnt -D "rmnr" -P "ppdpath" -o "HPOption_Duplexer=True" -o Duplex=DuplexNoTumble</pre>
 
On other models you can try listing the available printer options, then pass the appropriate option to lpadmin using the "-o" parameter. To list all available printer options, install the printer on any one workstation and then run:
 
<pre>lpoptions -p printer_name -l</pre>
 
For an HP laserjet the above command gives two options related to duplexing: '''HPOption_Duplexer''' and '''Duplex''' -- so those are the parameters passed using "-o" in the example above.
 
  
== Get MAC Address  ==
+
==== Reset Spotlight  ====
<pre>/sbin/ifconfig en0 | grep ether | cut -d' ' -f 2</pre>
+
<pre>sudo mdutil -i off /
== Set computer name  ==
+
sudo mdutil -E /
<pre>sudo scutil --set LocalHostName NEWCOMPUTERNAME
+
sudo mdutil -i on /
sudo scutil --set ComputerName NEWCOMPUTERNAME
+
</pre>
</pre>  
 
== Desirable ARD commands  ==
 
  
*Set disk permissions. Ignore permissions.
+
==== Update Symantec AntiVirus  ====
*Add ACLS for folders
+
<pre>LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES
*Run login permission script
+
</pre>
*unbind/rename/rebind/rescan/apply proper admin privs.  
+
LiveUpdate tends to be in the root library support folder: /Library/Application\ Support/Norton\ Solutions\ Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES
*login items fix
 
  
== Check when an application was last opened  ==
+
==== Check when an application was last opened  ====
<pre>mdls -name kMDItemLastUsedDate /Application/Application.app</pre>  
+
<pre>mdls -name kMDItemLastUsedDate /Application/Application.app</pre>
Check an entire folder:  
+
Check an entire folder:
<pre>mdls -name kMDItemLastUsedDate /Application/*</pre>  
+
<pre>mdls -name kMDItemLastUsedDate /Application/*</pre>
Filter applications from an entire folder:  
+
Filter applications from an entire folder:
 
<pre>mdls /Applications/Adobe\ Photoshop\ CS/* | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
 
<pre>mdls /Applications/Adobe\ Photoshop\ CS/* | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
| egrep '(kMDItemLastUsedDate)|(app)'</pre>  
+
| egrep '(kMDItemLastUsedDate)|(app)'</pre>
Batch checking  
+
Batch checking
 
<pre>mdls "/Applications/Macromedia Dreamweaver MX 2004/Dreamweaver MX 2004" \
 
<pre>mdls "/Applications/Macromedia Dreamweaver MX 2004/Dreamweaver MX 2004" \
 
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
 
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
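Review bot: The relocated "Enable SSH via ARD" block still spells the path /System/Library/CoreServices/RemoteManagment/... without the second "e", while the kickstart lines in this same hunk use RemoteManagement; correct the spelling as part of the move. Several commands moved here also carry a secret as a literal argument (sudo ofpassword set blahblah123, echo "AdminsPassHere" | sudo service ssh start, the afp://user:password@computername URL), and command-line arguments are readable by other local users through the process list, so the page should say these are placeholders and that real passwords should not be left in saved commands. The kickstart examples grant "-privs -all" to the admin user; a short remark that this is the widest privilege set would help readers who only need observe or control.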
Line 146: Line 171:
 
| egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
 
| egrep '(kMDItemDisplayName|2008-10*|2008-11*)'
  
</pre>  
+
</pre>
== Matching the Mac Model Name with the Model Identifier with the Mac OS X Build with the production date and with the Apple Hardware Test version ==
+
 
 +
 
 +
 
 +
== Network & Printers ==
 +
 
 +
==== Get MAC Address ====
 +
<pre>/sbin/ifconfig en0 | grep ether | cut -d' ' -f 2</pre>
 +
 
 +
==== Set computer name  ====
 +
<pre>sudo scutil --set LocalHostName NEWCOMPUTERNAME
 +
sudo scutil --set ComputerName NEWCOMPUTERNAME
 +
</pre>
  
#Get Model IDENTIFIER from System profiler (it will look like Model Identifier: MacBookPro2,2)
+
==== Printers: Install, delete, set as default  ====
#Visit http://mactracker.dreamhosters.com/iphone/#_modelWindow and find the model with that identifier
 
#Done
 
  
More useful resources:  
+
'''List installed printers'''
 +
<pre>lpstat -p
 +
</pre>
 +
'''Install'''
 +
<pre>lpadmin -p printer_name -E -v lpd://server/printer -P path-to-ppd.gz</pre>
 +
*An example with a compressed ppd:
  
*http://support.apple.com/kb/HT1159
+
lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.gz
*http://www.chipmunk.nl/cgi-fast/applemodel.cgi
 
*http://www.apple.com/support/
 
*http://www.apple.com/support/serviceassistant/  
 
*http://mactracker.dreamhosters.com/iphone/#_modelWindow
 
  
== Manipulating and modifying ACL permissions from the command line terminal  ==
+
*Or an uncompressed ppd:
  
Read ACL
+
lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.ppd
<pre>ls -le /path/to/dir</pre>
 
Write ACL
 
<pre>chmod -R +a "group:admin allow read write delete" /path/to/dir</pre>
 
Delete ACL
 
<pre>chmod -R -a# 0 /path/to/dir</pre>
 
== Get folder size via ARD  ==
 
<pre>du -d 1 -h /Users/Shared/editingclass</pre>
 
== Mount AFP volume via applescript via ARD  ==
 
<pre>osascript -e 'mount volume "afp://user:password@computername/Macintosh HD"'</pre>
 
== Check if a process is running via ARD  ==
 
  
E.g. Check if AFP server is running
+
'''Must be followed by'''
<pre>ps -axww | grep -i "AppleFileServer"</pre>  
+
<pre>cupsenable printer_name</pre>
== Start AFP sharing remotely  ==
+
'''Delete'''
 +
<pre>lpadmin -x printer_name</pre>
 +
e.g.:
 +
<pre>lpadmin -x AdobePDF7</pre>
 +
'''Set as default'''
 +
<pre>lpadmin -d printer_name</pre>
 +
'''Install but disable sharing and add description'''
 +
<pre>lpadmin -p printer_name -E -v lpd://server/printer -D "Room AB123" -P ppdpath -o printer-is-shared=false</pre>
  
#Change /etc/hostconfig so that AFPSERVER=-YES=  
+
==== Enabling Duplexing  ====
#Send unix script <pre>sudo AppleFileServer</pre> TWICE
 
  
== Reset Spotlight  ==
+
On HP printers this should suffice:
<pre>sudo mdutil -i off /
+
<pre>lpadmin -p prntr -E -v lpd://srv/prnt -D "rmnr" -P "ppdpath" -o "HPOption_Duplexer=True" -o Duplex=DuplexNoTumble</pre>
sudo mdutil -E /
+
On other models you can try listing the available printer options, then pass the appropriate option to lpadmin using the "-o" parameter. To list all available printer options, install the printer on any one workstation and then run:
sudo mdutil -i on /
+
<pre>lpoptions -p printer_name -l</pre>
</pre>  
+
For an HP laserjet the above command gives two options related to duplexing: '''HPOption_Duplexer''' and '''Duplex''' -- so those are the parameters passed using "-o" in the example above.
== Programatically Delete Cached User Accounts ==
 
  
From http://developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServices/index.html
 
<pre># Script to remove cached accounts in the local DS node
 
# This should work in both Tiger and Leopard
 
# Run this script as root or with sudo
 
#!/bin/sh
 
  
# dscl searching only does exact matches.  So we list the records and pipe them through to grep to find the list of records we want.  The first column will be the username and we get that using awk.
 
# We also remove the line endings with tr to make it one long string.
 
  
for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
+
==Misc==
dscl . -delete /Users/$cuser                    # now we delete the record using dscl
 
done
 
</pre>
 
More resources: http://www.macosxhints.com/article.php?story=20080127172157404 <br> http://www.google.com/search?client=safari&amp;rls=en-us&amp;q=leopard+script+delete+user+account+dscl&amp;ie=UTF-8&amp;oe=UTF-8
 
  
==Enabling Directory Service debug logging==
+
==== Connect to an AFP server from the command line  ====
<pre>
+
<pre>sudo mkdir /Volumes/myserver
sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
+
sudo mount_afp afp://username:password@servername/sharename /Volumes/myserver
sudo sudo killall -USR1 DirectoryService
 
 
</pre>
 
</pre>
===Disabling Directory Service debug logging===
+
 
<pre>
+
==== Reimage a mac from an image using the command line asr ====
sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
+
 
sudo sudo killall -USR1 DirectoryService
+
<pre>sudo asr restore --source /Volumes/Source/Image.dmg --target /Volumes/Destination --erase --noverify</pre>
 +
Note: This '''ERASES''' the destination drive. It also skips verification (which Disk Utility forces you to do, thus adding 10-15 minutes to the imaging process). Verification is GOOD, but sometimes, when you're sure that the image is healthy and your destination drive is healthy, it can be a waste of time.
 +
 
 +
==== Manipulating and modifying ACL permissions from the command line terminal ====
 +
 
 +
Read ACL
 +
<pre>ls -le /path/to/dir</pre>
 +
Write ACL
 +
<pre>chmod -R +a "group:admin allow read write delete" /path/to/dir</pre>
 +
Delete ACL
 +
<pre>chmod -R -a# 0 /path/to/dir</pre>
 +
 
 +
==== Run an ASR server  ====
 +
 
 +
GUI: Protonpack
 +
<pre>sudo asr -source /Volumes/Images/image.dmg -server /path/to/config.plist
 
</pre>
 
</pre>
  
==Resetting Directory Service Settings==
+
==== Restore a client from an ASR server ====
I was having trouble logging in with my AD account to some iMacs added to our AD. In fact, not a single AD account was able to login. Directory Utility claimed it can't see the domain controller (which it could, since it was online, in the same subnet as other identical computers, it could ping the domain and packets were sent back and forth between it and the domain, without loss). Unbinding it didn't work, but it offered to force the ubind, which I did. Then I was unable to bind it back (updated to 10.5.6 rebooted, still not binding). The error I kept getting was invalid username and password (after entering the domain username and password that we use for binding). Using the same username and password worked on other computers (either brand new, or existing computers that I unbound, then bound back with no issues -- again same subnet, same image). I deleted the computer accounts from the domain, but the problem persisted. Finally, I used fseventer to see what's being access during the bind process. The system threw the error message not after communicating with the domain, but after checking the plists in /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config  -- so I deleted these two folders and was able to bind back with no issues!
+
 
<pre>
+
GUI: NetRestore
sudo rm -rdfv /Library/Preferences/DirectoryService
+
<pre>sudo asr -source asr://serverip -targer /Volumes/Volume -erase -noverify
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
 
sudo sudo killall -USR1 DirectoryService
 
 
</pre>
 
</pre>
 
[[Category:Software_Distribution]] [[Category:Advanced_Topics]]
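Review bot: The "Restore a client from an ASR server" command moved in this hunk keeps the misspelled option "-targer"; it should read "-target /Volumes/Volume". The Directory Service lines removed from the old position and the ones re-added earlier both contain "sudo sudo killall", so the reorganization was a chance to fix that in one place. Both asr examples pass the erase and noverify options; since the reimage section explains the trade-off of skipping verification, the ASR server section should point to that note.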
 

Revision as of 15:05, 28 January 2009

System, disks, users

Refresh disk arbitration

Note: This may force disks that haven't mounted to mount.

disktool -r

Enable Journaling

diskutil enableJournal /

Matching Mac Model Name with Model Identifier, Mac OS X Build, production date, and Apple Hardware Test version

  1. Get Model IDENTIFIER from System profiler (it will look like Model Identifier: MacBookPro2,2)
  2. Visit http://mactracker.dreamhosters.com/iphone/#_modelWindow and find the model with that identifier
  3. Done

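More useful resources:

  • http://support.apple.com/kb/HT1159
  • http://www.chipmunk.nl/cgi-fast/applemodel.cgi
  • http://www.apple.com/support/
  • http://www.apple.com/support/serviceassistant/
  • http://mactracker.dreamhosters.com/iphone/#_modelWindow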

Programmatically Delete Cached User Accounts

From http://developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServices/index.html

#!/bin/sh
# Script to remove cached accounts in the local DS node
# This should work in both Tiger and Leopard
# Run this script as root or with sudo

# dscl searching only does exact matches.  So we list the records and pipe them through to grep to find the list of records we want.  The first column will be the username and we get that using awk.
# We also remove the line endings with tr to make it one long string.

for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
    dscl . -delete "/Users/$cuser"                    # now we delete the record using dscl
done

More resources: http://www.macosxhints.com/article.php?story=20080127172157404
http://www.google.com/search?client=safari&rls=en-us&q=leopard+script+delete+user+account+dscl&ie=UTF-8&oe=UTF-8
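
A more defensive form of the cleanup loop above, added here as an example (it is not from the Apple release notes or from the original wiki page). The function names, the keep list, the DRY_RUN variable and the sample listing are assumptions made for the illustration; the sample dscl output is constructed.

```sh
#!/bin/sh
# Added example: cached-account cleanup with name validation, a keep list
# and dry-run as the default. Assumes, like the script above, that
# `dscl . -list /Users AuthenticationAuthority` prints one record per line
# with the short name in column 1.

# Read a dscl listing on stdin and print the short names of cached accounts.
# $1 is a space-separated list of short names that must never be selected.
select_cached_users() {
    keep=" $1 "
    awk '/LocalCachedUser/ { print $1 }' | while IFS= read -r name; do
        # Accept only plain short names, so a malformed record can never
        # become "/Users/../x" or be read by dscl as an extra option.
        case "$name" in
            ''|*[!A-Za-z0-9._-]*|.*|-*)
                echo "skip: suspicious name '$name'" >&2
                continue ;;
        esac
        case "$keep" in
            *" $name "*)
                echo "skip: keeping $name" >&2
                continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Delete each selected record, or only report it unless DRY_RUN=0 is set.
purge_cached_users() {
    select_cached_users "$1" | while IFS= read -r name; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            dscl . -delete "/Users/$name"
        else
            echo "would run: dscl . -delete /Users/$name"
        fi
    done
}

# Constructed sample of dscl output (not captured from a real machine).
sample_listing() {
    cat <<'EOF'
admin       ;ShadowHash;
jdoe        ;LocalCachedUser;/Active Directory/All Domains:jdoe:0A1B2C3D
msmith      ;LocalCachedUser;/Active Directory/All Domains:msmith:4E5F6A7B
../etc      ;LocalCachedUser;/Active Directory/All Domains:bad:00000000
EOF
}

case "${1:-}" in
    demo) sample_listing | purge_cached_users "msmith" ;;
    run)  dscl . -list /Users AuthenticationAuthority | purge_cached_users "${2:-}" ;;
esac
```

Run it with the argument demo to see the dry-run output for the constructed listing. On a Mac, "run" reads the live dscl listing, and nothing is deleted until DRY_RUN=0 is set after the reported names have been reviewed.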

Enabling Directory Service debug logging

sudo touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall -USR1 DirectoryService

Disabling Directory Service debug logging

sudo rm /Library/Preferences/DirectoryService/.DSLogDebugAtStart
sudo killall -USR1 DirectoryService

Resetting Directory Service Settings

I was having trouble logging in with my AD account to some iMacs added to our AD. In fact, not a single AD account was able to log in. Directory Utility claimed it can't see the domain controller (which it could, since it was online, in the same subnet as other identical computers, it could ping the domain and packets were sent back and forth between it and the domain, without loss). Unbinding it didn't work, but it offered to force the unbind, which I did. Then I was unable to bind it back (updated to 10.5.6, rebooted, still not binding). The error I kept getting was invalid username and password (after entering the domain username and password that we use for binding). Using the same username and password worked on other computers (either brand new, or existing computers that I unbound, then bound back with no issues -- again same subnet, same image). I deleted the computer accounts from the domain, but the problem persisted. Finally, I used fseventer to see what's being accessed during the bind process. The system threw the error message not after communicating with the domain, but after checking the plists in /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config -- so I deleted these two folders and was able to bind back with no issues!

sudo rm -rdfv /Library/Preferences/DirectoryService
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
sudo killall -USR1 DirectoryService


ARD techniques

Desirable ARD commands

  • Set disk permissions. Ignore permissions.
  • Add ACLS for folders
  • Run login permission script
  • unbind/rename/rebind/rescan/apply proper admin privs.
  • login items fix

Pushing Adobe CS via ARD

Note: This assumes you've created a disk image with the applications (from /Applications), and a disk image with the settings (in /Library/Application Support, as well as /Library/Preferences).

hdiutil attach /adobepro.dmg
ditto -V /Volumes/adobepro /Applications
hdiutil detach /Volumes/adobepro
rm -rdfv /adobepro.dmg

hdiutil attach /settings.dmg
ditto -V /Volumes/settings /Library
hdiutil detach /Volumes/settings
rm -rdfv /settings.dmg

Mute or set volume via ARD

osascript -e "set volume 0"

Change the zero to another number to set the volume to a higher value. Zero is mute. This seems to be system wide. It also mutes the startup chime. Good for classrooms. If headphones are plugged in, they have a separate volume setting.

Make Macs Speak via ARD

say "I hate Macs"

Set the Open Firmware password via ARD

Note: You need our Open Firmware package for this! It should be on our Mac server.

sudo ofpassword set blahblah123

Enable SSH via ARD

This seems to work:

systemsetup -setremotelogin on

Some other ideas:

echo yes | /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -setremotelogin on
/sbin/service ssh start
echo "AdminsPassHere" | sudo -S service ssh start

This seems to work until reboot:

/usr/sbin/sshd

Enable ARD remotely

e.g. via SSH

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -access -on -users admin -privs -all

If nothing's been enabled, the full line should look like: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu

Mount AFP volume via applescript via ARD

osascript -e 'mount volume "afp://user:password@computername/Macintosh HD"'

Check if a process is running via ARD

E.g. Check if AFP server is running

ps -axww | grep -i "AppleFileServer"

Start AFP sharing remotely

  1. Change /etc/hostconfig so that AFPSERVER=-YES-
  2. Send unix script
    sudo AppleFileServer
    TWICE

Get folder size via ARD

du -d 1 -h /Users/Shared/editingclass


Application tips

Reset Spotlight

sudo mdutil -i off /
sudo mdutil -E /
sudo mdutil -i on /

Update Symantec AntiVirus

LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES

LiveUpdate tends to be in the root library support folder: /Library/Application\ Support/Norton\ Solutions\ Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate -update LUal -liveupdatequiet YES -liveupdateautoquit YES

Check when an application was last opened

mdls -name kMDItemLastUsedDate /Applications/Application.app

Check an entire folder:

mdls -name kMDItemLastUsedDate /Applications/*

Filter applications from an entire folder:

mdls /Applications/Adobe\ Photoshop\ CS/* | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
| egrep '(kMDItemLastUsedDate)|(app)'

Batch checking

# Print each display name, plus its last-used date if that falls in October or November 2008
mdls "/Applications/Macromedia Dreamweaver MX 2004/Dreamweaver MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'
mdls "/Applications/Macromedia Flash MX 2004/Flash MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'
mdls "/Applications/Macromedia Fireworks MX 2004/Fireworks MX 2004" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'

mdls "/Applications/Adobe Photoshop CS/Adobe Photoshop CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'
mdls "/Applications/Adobe InDesign CS/InDesign CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'
mdls "/Applications/Adobe Illustrator CS/Illustrator CS.app" \
| egrep '(kMDItemLastUsedDate|kMDItemDisplayName)'  | egrep '(kMDItemDisplayName|2008-10|2008-11)'

mdls "/Applications/GarageBand.app" | egrep '(kMDItemLastUsedDate|kMDItemDisplayName)' \
| egrep '(kMDItemDisplayName|2008-10|2008-11)'


Network & Printers

Get MAC Address

/sbin/ifconfig en0 | grep ether | cut -d' ' -f 2

Set computer name

sudo scutil --set LocalHostName NEWCOMPUTERNAME
sudo scutil --set ComputerName NEWCOMPUTERNAME

Printers: Install, delete, set as default

List installed printers

lpstat -p

Install

lpadmin -p printer_name -E -v lpd://server/printer -P path-to-ppd.gz
  • An example with a compressed ppd:

lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.gz

  • Or an uncompressed ppd:

lpadmin -p printer_name -E -v lpd://server/printer -P /Library/Printers/PPDs/Contents/Resources/HP\ LaserJet\ 4050\ Series.ppd

Must be followed by

cupsenable printer_name

Delete

lpadmin -x printer_name

e.g.:

lpadmin -x AdobePDF7

Set as default

lpadmin -d printer_name

Install but disable sharing and add description

lpadmin -p printer_name -E -v lpd://server/printer -D "Room AB123" -P ppdpath -o printer-is-shared=false

Enabling Duplexing

On HP printers this should suffice:

lpadmin -p prntr -E -v lpd://srv/prnt -D "rmnr" -P "ppdpath" -o "HPOption_Duplexer=True" -o Duplex=DuplexNoTumble

On other models you can try listing the available printer options, then pass the appropriate option to lpadmin using the "-o" parameter. To list all available printer options, install the printer on any one workstation and then run:

lpoptions -p printer_name -l

For an HP laserjet the above command gives two options related to duplexing: HPOption_Duplexer and Duplex -- so those are the parameters passed using "-o" in the example above.


Misc

Connect to an AFP server from the command line

sudo mkdir /Volumes/myserver
sudo mount_afp afp://username:password@servername/sharename /Volumes/myserver

Reimage a mac from an image using the command line asr

sudo asr restore --source /Volumes/Source/Image.dmg --target /Volumes/Destination --erase --noverify

Note: This ERASES the destination drive. It also skips verification (which Disk Utility forces you to do, thus adding 10-15 minutes to the imaging process). Verification is GOOD, but sometimes, when you're sure that the image is healthy and your destination drive is healthy, it can be a waste of time.

Manipulating and modifying ACL permissions from the command line terminal

Read ACL

ls -le /path/to/dir

Write ACL

chmod -R +a "group:admin allow read write delete" /path/to/dir

Delete ACL

chmod -R -a# 0 /path/to/dir

Run an ASR server

GUI: Protonpack

sudo asr -source /Volumes/Images/image.dmg -server /path/to/config.plist

Restore a client from an ASR server

GUI: NetRestore

sudo asr -source asr://serverip -target /Volumes/Volume -erase -noverify