Admin rights scripts for Casper Remote

Hi Armin,
Wow that is great, thank you for taking time to explaining in detail.
Our Macs are bound to AD and it all make sense... dseditgroup it is then.

Sent from my iPhone

Yep you're right. I am closing the shop :)

Sent from my iPad

On 4 Feb 2011, at 19:19, "Thomas Larkin" <tlarki at kckps.org<mailto:tlarki at kckps.org>> wrote:

Then get off the Capser list and enjoy your 3 day weekend! :)

Can you post the full commnand you ran? Did you loop through all users to modify the group membership?

Here is the full command that broke the admin privileges.
dscl . -append /Groups/admin GroupMembership username

Did you loop through all users to modify the group membership?
Nope

OK, looking at that script, I think there is a better way to approach this. All of your hidden accounts should have a UID value less than 500. So going off that we can generate a list of users that have UID greater than 500, which will be every non admin non hidden user.

#!/bin/bash

#grab all users with UID over 500

UserList=dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'

# loop through our greater than UID 500 user list and add admin rights

for u in $UserList ; do

dscl . append /Groups/admin GroupMembership $u

done exit 0

To reverse it just change append to delete

Sure but this will be given to all users in /Users admin rights? I just want to give admin rights to 1 specific user…
Also why the command broke the admin group?

Adding a single user should not remove all users from the admin group. My guess is something happened along these lines:

1 - BSD database corruption, rare but happens 2- When you removed the user from the admin group, an improper syntax
was used like - dscl . delete /Groups/admin

Those are my two best guesses as to why that would happen. I have
never seen it.

Hmmm that was a fresh re-build Mac…can BSD corruption happen on fresh OS? Perhaps command kicked in while the indexing was happening…but will these combined together can cause this issue I wonder?

You should always use dseditgroup rather than dscl to edit group memberships:

dseditgroup -o edit -a username -t user admin

(see man page for more examples)

Armin

Cem,

Question for you:

Does the admin group still exist on the system, with all the users removed
from it? Or is the group itself gone completely?

E.g.

dscl . -list /Groups | grep "admin"

should come back with _lpadmin and admin. We've seen a couple of
instances in our environment where the admin group has gone AWOL, but
never been able to track it down. We've always re-imaged rather than try
to reassemble Humpty Dumpty. There's a thread from back on 18 Oct 2010
where someone mentions Apple pointing the finger at antivirus software
whacking the local directory service database. You might try looking in
that direction.

-Charlie

-------------------------------------
Charlie Smith
Desktop Engineer
Information Services Department (ISD)
MIT Lincoln Laboratory
244 Wood St. Lexington, MA 02420
Phone: 781.981.0854
E-mail: charlie.smith at ll.mit.edu
-------------------------------------

Yep that rings a bell.
Unfortunately engineer must have rebuild the mac by now (I am actually off today)

Sent from my iPhone

Thanks for the advice but I would like to know the reason why dseditgroup not dscl?

Sent from my iPhone

Then get off the Capser list and enjoy your 3 day weekend! :)

Cem

Because it abstracts you from the underlying Directory which may use a different method of storing and determining group membership depending on type (local DS, OD, AD)

see this local group listing in dscl:

rhea:~ armin$ dscl . read /Groups/admin
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 20EE5CE3-D290-4E38-ACA1-D58F70A96D68 16508AD2-5317-416F-87DD-3571756DE26E
GroupMembership: root armin labadmin
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-544

You see that the local DS stores group membership by shortname in GroupMembership and by the GUID in GroupMembers. I think the GUID is canonical, but if these two get out of sync, weird things will happen (as you have seen). I think OD uses the same fields, but don't have one around to test right now.

Oh, and you can have NestedGroups as well. Also the user's PrimaryGroupID can determine group membership:

rhea:~ armin$ dscl . read /Groups/staff
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
GroupMembership: root
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545

rhea:~ armin$ dseditgroup -o checkmember -m armin staff
yes armin is a member of staff

(even though there is no mention of the armin account or GUID in the staff group).

And Active Directory and the AD plug-in determine group membership differently. And of course you can nest AD groups in OD groups or local groups or vice versa.

Summary: groups and group membership are much more complicated than they initially seem. Do not try to mess with them directly. Use dseditgroup (it's been with us since 10.4, with slight changes, but scripts should be fairly compatible)

<http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/dseditgroup.8.html>

PS: In Snow Leopard it will work for ComputerGroups as well.

Armin

PPS: the only thing that dseditgroup does not do is list all available groups. You have to use "dscl /Search list Groups" for that. Though "dseditgroup <groupname>" can be used to determine if a group exists.