Question

AD Admin Group Offline Admin?

  • October 19, 2011
  • 27 replies
  • 94 views


People using AD groups for admin rights know that, when you use mobile accounts and leave the network, the admin privs do not stick. My question is: does anyone have a script that can move this user to the right group?

dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin

I tried this above but was wondering if anyone had a login script?

--
Matt Lee, CCA/ACA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

27 replies

  • Author
  • Valued Contributor
  • October 19, 2011

![external image link](attachments/1e0dd7aae40d4768b2eb009174ae3070)

That's what I see through the Directory tool.



  • Author
  • Valued Contributor
  • October 19, 2011

http://support.apple.com/kb/HT4332

Also found this; however, I don't want a password prompt. I want to be able to either declare the user and password, or have Casper authenticate as it is pushed through a login script.



  • Honored Contributor
  • October 19, 2011

OK, without having AD to test this... this is what I would try:

#!/bin/bash

# promote AD user to local admin group

# every account in the local node with a UID above 500 (mobile AD accounts show up here too)
UserList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

for u in ${UserList} ; do
    # an AD-backed account carries "Active Directory" in its AuthenticationAuthority
    /usr/bin/dscl . read /Users/${u} AuthenticationAuthority | /usr/bin/grep "Active Directory"
    if [[ $? -eq 0 ]]
    then /usr/bin/dscl . append /Groups/admin GroupMemberhip ${u}
    else /bin/echo "${u} is not an AD member..."
    fi
done
exit 0

Please test this

![external image link](attachments/d2601df4d340495ba1ba7796ec29b3f0)


  • Author
  • Valued Contributor
  • October 19, 2011

No luck on that one


  • Honored Contributor
  • October 19, 2011

Do you want to make all AD users admin, or only people in the AD admin group?

Can you give me an example of how dscl reads AD group membership, since I don't run AD?

-Tom


  • Author
  • Valued Contributor
  • October 19, 2011

Just the AD users. What I would do is make a smart group based on who is an AD admin, if that's possible.


  • Honored Contributor
  • October 19, 2011

Yes, but are AD users identified by a certain attribute in directory services? Like could I do something like this?

dscl . list /Users ADgroupMembership

Or something of the like to generate a list of users that are actually AD? Sorry, I don't have an AD set up here, but scripting it would be easy as long as I know the proper way to check AD membership from the command line.

-Tom


  • Contributor
  • October 19, 2011

try again with "GroupMemberhip" changed to "GroupMembership."


  • Author
  • Valued Contributor
  • October 19, 2011

… Nate saves the day!


  • Honored Contributor
  • October 19, 2011

derp...

Sorry I wrote that from scratch....please always check for typos. :-)

-Tom


  • Author
  • Valued Contributor
  • October 19, 2011

Let me ask you smart people one more thing…

How would one revoke this?


  • Contributor
  • October 19, 2011

and never cut, paste, and run code without being sure of what it does…


  • Honored Contributor
  • October 19, 2011

Run the same script but modify the dscl append line with this:

dscl . delete /Groups/admin GroupMembership ${u}

Be careful and test this before putting it in production. This is maybe where dseditgroup may be better, since a typo here can delete a whole group. I don't use dseditgroup all that much, but perhaps if deleting group membership it may be the better path, since if you mess up my previous code it can possibly do more damage to the system.

Something like:

dseditgroup -o edit -n /Local/Default -d username -t user admin

Not sure if that syntax is any good


  • Author
  • Valued Contributor
  • October 19, 2011

Awesome.

I am writing an extension attribute to enable and revoke this. Once it's all vetted out I'll share it for anyone interested.


  • Contributor
  • October 19, 2011

That's working for you, right, Matt?
I'm getting:
<main> attribute status: eDSPermissionError
<dscl_cmd> DS Error: -14120 (eDSPermissionError)

nick
--
Nick Kalister
Desktop Engineering
Hitachi Data Systems
Office: 408.970.4316

750 Central Expressway
Building 32 : M/S 3240
Santa Clara, CA 95050


  • Contributor
  • October 20, 2011

Another way of doing it is:
Add your users to the AD group, then use the Default command to populate AD Domain Admins.
There is a script in the Resource Kit that uses the Default command to do this.

Cem

Sent from my iPhone



  • Author
  • Valued Contributor
  • October 20, 2011

I'm not sure what you mean by that.

We already use the Apple binding tool to tell us which AD groups are for admin users; the issue is that once you unplug from the network they become non-admins.



  • Honored Contributor
  • October 20, 2011

Sometimes I wish I had AD here to test this stuff...but then I would be administering Windows servers....ewwwww

:-)

-Tom


  • Contributor
  • October 20, 2011

Apologies, you are right. They won't be admin offline.

I

Sent from my iPhone



  • Contributor
  • October 20, 2011

Hi Matthew,

dscl broke the admin group for me on a couple of occasions and we ended up re-imaging the Macs. I suggest using dseditgroup instead.

I have attached a couple of scripts that you can use with Casper Remote, or just use the one-liner at the bottom of the scripts with a policy.

This was the explanation (see below - it's from the mailing list archive):


  • Author
  • Valued Contributor
  • October 20, 2011

What is in reality the best way to automate this?

I would like to be able to add a user to my AD group, have them login, get AD to grant them admin rights, and then have some sort of script run to know that they are in that AD group and move them into the correct local admin group. Same would be if the AD rights were revoked to also revoke local admin.

I find it rather tough that Apple didn't include this option.


  • Honored Contributor
  • October 20, 2011

Well, if you run this:

dscl . read /Users/<username> AuthenticationAuthority | grep "Active Directory"

it will return either 0 if Active Directory is present, or 1 if the command errors out. So you can find out the result of the previous command that ran by simply using the built-in bash function $?. Hence why, in my script, I run the command and then check to see what the output was:

if [ $? -eq 0 ]   # if the command was successful
then
    # a bunch of commands to add user to admin group
else
    # commands to state user is not an AD user
fi

I have never had dscl hose any system and have used it a lot in my scripts. However, if you run a command like this:

dscl . delete /Groups/admin GroupMembership username

and somehow mess it up to run, say, this:

dscl . delete /Groups/admin

that isn't really good, to say the least. dseditgroup is probably a better method of adding and removing users to groups. It is a lot safer to use. I mainly use dscl because that is what I learned first and I am usually also doing other things with it as well.

-Tom



  • Author
  • Valued Contributor
  • October 20, 2011

That's right along the lines of my thinking. I am going to try and run with this. dscl has been fine for us, as I use it on a few extension attributes.


  • Honored Contributor
  • October 20, 2011

Taking a note from Cem, I whipped this up; please test and post it on the script repository if it works.

#!/bin/bash

# add user to the local admin group if their account is an AD account
# run as a login hook via casper, $3 will return the current user

# see if the user has Active Directory present as their authentication authority

/usr/bin/dscl . read /Users/"$3" AuthenticationAuthority | /usr/bin/grep "Active Directory"

# now check results of command and apply group membership accordingly

if [[ $? == 0 ]]
then /usr/sbin/dseditgroup -o edit -a "$3" -t user admin
else /bin/echo "$3 is not an AD user..."
fi

# now check group membership of user and notify them of any changes
# (grep -w: the name must match a whole word, not part of another user's name)

if [[ $(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -c -w "$3") -eq 1 ]]
then /usr/sbin/jamf displayMessage -message "We have detected that your user account is a part of Active Directory and you have been added to the local admin group"
fi

exit 0
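Pulling the thread's pieces together (the AuthenticationAuthority check, dseditgroup instead of dscl for the group edit, and revoking as well as granting), here is an added example script; it is not code from this thread or from Jamf. It assumes Jamf runs it as root with the login user in $3, that the AD admin group is checked with dsmemberutil and the "/Active Directory/<domain>/All Domains" node, and that AD_DOMAIN and AD_ADMIN_GROUP are placeholders. It goes beyond the thread's script by refusing to change anything when the domain is unreachable, so an offline login never strips admin rights.

```shell
#!/bin/bash
# Added example, not the thread's code: at login, line up the local admin
# group with the user's AD admin-group membership, and do nothing when the
# domain cannot be reached so an offline login never strips rights.
# Assumptions: Jamf runs this as root with the login user in $3; AD_DOMAIN
# and AD_ADMIN_GROUP are placeholders; dsmemberutil and the
# "/Active Directory/<domain>/All Domains" node are standard macOS tooling.
AD_DOMAIN="EXAMPLE"             # placeholder: AD domain (NetBIOS form)
AD_ADMIN_GROUP="mac-admins"     # placeholder: AD group that should be local admin

# $1: AuthenticationAuthority text from dscl; 0 = AD-backed (incl. mobile) account.
is_ad_account() { case "$1" in *"Active Directory"*) return 0 ;; esac; return 1; }

# $1: user, $2: "GroupMembership: a b c" text. Whole-word match, unlike
# 'grep -c $3', so "matt" is not mistaken for "mattlee".
in_group_line() {
    local u="$1" m
    for m in ${2#GroupMembership:}; do [ "$m" = "$u" ] && return 0; done
    return 1
}

# $1 ad (0/1), $2 ad_admin (0/1/unknown), $3 local_admin (0/1) -> add|remove|noop
decide() {
    case "$1:$2:$3" in
        1:1:0) echo add ;;     # AD admin who is not yet a local admin
        1:0:1) echo remove ;;  # AD rights revoked, still a local admin
        *)     echo noop ;;    # local account, unknown AD state, or already in sync
    esac
}

reconcile() {   # $1: short name of the user who just logged in
    local u="$1" ad=0 ad_admin=unknown local_admin=0
    local node="/Active Directory/$AD_DOMAIN/All Domains"
    is_ad_account "$(dscl . read "/Users/$u" AuthenticationAuthority 2>/dev/null)" && ad=1
    # Trust a membership answer only if the domain can serve the group record right now.
    if dscl "$node" -read "/Groups/$AD_ADMIN_GROUP" RecordName >/dev/null 2>&1; then
        ad_admin=0
        dsmemberutil checkmembership -U "$u" -G "$AD_ADMIN_GROUP" 2>/dev/null \
            | grep -q "is a member" && ad_admin=1
    fi
    in_group_line "$u" "$(dscl . read /Groups/admin GroupMembership 2>/dev/null)" && local_admin=1
    case "$(decide "$ad" "$ad_admin" "$local_admin")" in   # dseditgroup: a typo cannot wipe the group
        add)    dseditgroup -o edit -a "$u" -t user admin ;;
        remove) dseditgroup -o edit -d "$u" -t user admin ;;
    esac
}

# Act only when Jamf supplied a user and the macOS directory tools are present.
if [ -n "${3-}" ] && command -v dseditgroup >/dev/null 2>&1; then reconcile "$3"; fi
```

The decide table is the part to review before deploying: it is the only place where a removal can originate, and the unknown state maps to noop on purpose.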