
I wanted a way to add Active Directory groups to an Active Directory bound Mac whereby members of said groups would have local admin rights automatically granted upon login.

Criteria 1: Use the command line
Criteria 2: Don't delete pre-existing groups
Criteria 3: Must be automated without any user interaction (for use with say, JAMF)

The Way of the GUI
1. Open /System/Library/CoreServices/Directory Utility.app
1. Authenticate
1. Double-click on Active Directory
1. Expand out Show Advanced Options
1. Click the Administrative tab
1. Check Allow administration by
1. Add your groups
1. Click OK
1. Have a nice day!

Oh - but wait, we want to do this through the command line.

Fair enough...

The Way of the Command Line Padawan
[code]sudo dsconfigad -group "groupName1,groupName2,..."[/code]
Well, that works... sort of. That certainly adds groupName1 and groupName2 as expected. But `-group` replaces the whole list, so it also removes any groups that were already allowed (e.g. Enterprise Admins, Domain Admins, etc.). That's no bueno.

So I wrote a script...

The Way of the Command Line Jedi
[code]
#!/bin/sh

#
# AllowAdminBy.sh v2.0
# Written by Caine Hörr
# Written on 2014-09-03
# Last Updated by Caine Hörr
# Last Updated on 2014-09-03
#
# SCRIPT PURPOSE
# The purpose of this script is to add Active Directory groups to a Mac.
# This script gives users within the added Active Directory groups local admin rights.
# This script does not remove existing groups.
# Results are verifiable in the GUI via Directory Utility.app
#
# CHANGE CONTROL
# Renamed the script to properly reflect its purpose
# Added error checking for sudo
# Added the ability for command line arguments
# Added error checking for missing command line arguments
# Removed all user interaction beyond the initial command line for true automated processing
# Cleaned up the output of the existing groups display
# Removed superfluous and non-essential comments / screen output
#
# KNOWN ISSUES
# If you use command line arguments that contain spaces but are not encapsulated
# within quotes, the script will fail to pass everything beyond the first space.
# This will take some more time on my part to error check for that.
# In the mean time, use the proper syntax and you should not have a problem.
#

# Print the usage text (led by the error message passed in $1) and exit
usage() {
    echo
    echo "ERROR: $1"
    echo
    echo "usage: sudo ./AllowAdminBy.sh [\"Group1,Group2,...\"]"
    echo
    echo " EXAMPLE 1 - Groups with spaces in the names"
    echo " sudo ./AllowAdminBy.sh \"Enterprise Admins,Domain Admins\""
    echo
    echo " EXAMPLE 2 - Groups without spaces in the names"
    echo " sudo ./AllowAdminBy.sh Administrators,Finance"
    echo
    echo " EXAMPLE 3 - Groups with and without spaces in the names"
    echo " sudo ./AllowAdminBy.sh \"Domain Admins,Administrators\""
    echo
    exit 1
}

# Return help if script run without sudo (dsconfigad -group requires root)
if [ "$(id -u)" != "0" ]; then
    usage "This script must be run with sudo and arguments."
fi

# Return help if script run without arguments
if [ "$1" = "" ]; then
    usage "This script must be run with arguments."
fi

# Gather existing group data and put into $ExistingGroups variable
# (the value part of the "Allowed admin groups" line as dsconfigad -show prints it)
ExistingGroups=$(dsconfigad -show | grep "Allowed admin groups" | cut -d' ' -f 17-)

# Test the existing group data stored within the variable
if [ "$ExistingGroups" = "not set" ]; then
    # No existing groups: clear the variable so "not set" is not passed to dsconfigad
    ExistingGroups=""
    echo
    echo "There are no existing groups"
    echo
else
    echo
    echo "EXISTING GROUPS..."
    echo "$ExistingGroups"
    echo
    # Existing groups present: append a comma so the new groups are appended to the list
    ExistingGroups="$ExistingGroups,"
fi

echo "ADDING THE FOLLOWING GROUPS..."
echo "$1"
echo

# Concatenate the $ExistingGroups variable with the $1 variable
# Requires escalated privileges
dsconfigad -group "$ExistingGroups$1"

echo
echo "VALIDATING GROUPS..."
dsconfigad -show | grep "Allowed admin groups" | cut -d' ' -f 17-

echo
echo
echo
exit 0
[/code]
I'm sure with a little salt & peppering to taste, you can squeeze this into an Extension Attribute within JAMF.
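One thing a policy that runs repeatedly (JAMF on every check-in, say) needs is idempotency: the script above appends on every run, so a group already in the list gets added a second time. The following is an added example, not code from the original post, that merges the existing list with the new groups as a set, treats "not set" and empty input as no groups, and reads the value after the `=` separator instead of a positional `cut` field so it does not depend on the column padding of `dsconfigad -show`. The `SAMPLE_SHOW` text is a constructed stand-in for `dsconfigad -show` output, and the `ALLOWADMIN_APPLY` variable, `merge_groups`, `parse_admin_groups` and `apply_groups` are names chosen here, not anything dsconfigad or JAMF provides.

```shell
#!/bin/sh
# Added example: idempotent merge of the "Allowed admin groups" list.
# Not part of the original AllowAdminBy.sh; function names are this example's own.

# Extract the group list from dsconfigad -show output passed on stdin.
# Keys off the "= " separator rather than a field number.
parse_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*= //p'
}

# merge_groups EXISTING NEW
# Prints the comma-separated union of both lists, preserving order,
# treating "not set" or an empty EXISTING as no groups, and skipping
# duplicates so re-running the policy never grows the list.
merge_groups() {
    existing=$1
    new=$2
    [ "$existing" = "not set" ] && existing=""
    result=""
    old_ifs=$IFS
    IFS=','                      # split on commas only; group names may contain spaces
    for g in $existing $new; do
        # trim surrounding whitespace; skip empty entries left by stray commas
        g=$(printf '%s' "$g" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$g" ] && continue
        case ",$result," in
            *",$g,"*) continue ;; # already present
        esac
        if [ -z "$result" ]; then result=$g; else result="$result,$g"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Apply the merged list on a bound Mac. Requires root for dsconfigad -group.
apply_groups() {
    current=$(dsconfigad -show | parse_admin_groups)
    merged=$(merge_groups "$current" "$1")
    dsconfigad -group "$merged"
    # Verify by reading back what dsconfigad now reports
    dsconfigad -show | parse_admin_groups
}

# Constructed sample of dsconfigad -show output (padding is illustrative only).
SAMPLE_SHOW='          Active Directory Domain        = example.corp
          Allowed admin groups         = Enterprise Admins,Domain Admins'

# Offline demonstration: "Domain Admins" is already present and is not duplicated.
demo_merge() {
    current=$(printf '%s\n' "$SAMPLE_SHOW" | parse_admin_groups)
    merge_groups "$current" "Domain Admins,Mac Admins"
}

# Only touch the live binding when explicitly asked, e.g.
#   sudo ALLOWADMIN_APPLY=1 sh merge_admin_groups.sh "Mac Admins,Finance"
if [ "${ALLOWADMIN_APPLY:-0}" = "1" ] && [ -n "$1" ]; then
    apply_groups "$1"
else
    demo_merge
fi
```

Because `merge_groups` is pure string handling, the same function can back a JAMF Extension Attribute that reports whether the expected groups are all present, with `apply_groups` reserved for the remediation policy.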

Feel free to comment, edit, stare blankly or throw up on your keyboard at this discussion - the choice is yours.

Cheers!
