
I'm working on a bash script designed to enable Macintosh (10.8) users that are given admin permissions from Active Directory to retain their admin credentials when they're not authenticating to AD (i.e. took a work computer home and are working offline). By default you lose admin permissions if you can't authenticate... theoretically this script should add users from specified AD groups and make them local admins.



I'm just running into one error near the end when it attempts to append the users from the groups: instead of doing so and exiting the script, it's stating "No group name provided" three times. I'm a bash novice, so here's to some assistance! I've changed our AD domain to mytfa.org to keep it similar but inconspicuous, as the word "example" when mirroring "example.com" was thoroughly confusing in the various connotations of this script.



#!/bin/bash
#
# Script to detect if a user is a member of the admin group. If not, and they are not a student, it will add them.
#
# say "script started"

# Check if user is already an admin
IsAdmin=$(dseditgroup -o checkmember -n . -u "$1" admin)
# say "Is Admin variable assigned"
# echo "$IsAdmin"
if [[ $IsAdmin == yes* ]]
then
    # echo "No further action needed"
    # say "user is an admin"
    exit 0
else
    # The AD node path and two of the group names contain spaces, so they must be quoted;
    # unquoted, "All TFA" reaches dseditgroup as two separate arguments and the group name is lost.
    ADNode="/Active Directory/MYTFA/mytfa.org"
    # All TFA check... -n is the directory node, -o the operation, $1 stores the username
    # say "All TFA check"
    ATmember=$(dseditgroup -n "$ADNode" -o checkmember -u "$1" "All TFA")
    # Tech Team check
    # say "Tech Team check"
    TTmember=$(dseditgroup -n "$ADNode" -o checkmember -u "$1" "Tech Team")
    # Administrators check
    # say "Administrators check"
    AAmember=$(dseditgroup -n "$ADNode" -o checkmember -u "$1" "Administrators")

    # Adds to local admin if user is a member of All TFA, Tech Team, or Administrators
    if [[ $ATmember == yes* ]] || [[ $TTmember == yes* ]] || [[ $AAmember == yes* ]]
    then
        # say "User is a member"
        # echo "User is a member of All TFA, Tech Team, or Administrators."
        sudo dscl . append /Groups/admin GroupMembership "$1"
    fi
fi

exit 0



Using 10.8.4 as root; also tried as an AD admin account. Original source: http://pastebin.com/86hjq4Hi

I whipped this up a few years ago with some help on here.



#!/bin/bash

# Add Network Admin to Local Admin Group
# author: matt.lee@fox.com

# Declaring Variables

# $3 is the username Casper passes to login/logout policy scripts
realname=`dscl . read /Users/"$3" RealName | sed -e '$!d' -e 's/^[ ]*//'`
adgroupname="MACADMINS"
# Put one member per line and require an exact match, so "bob" does not also match "bobby"
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep -x "$3"`
adgroup=`dscl "/Active Directory/yourdomain" -read /Groups/"$adgroupname" member | grep -o "$realname"`

# Stop if the real name could not be read: an empty $realname would compare equal
# to an empty $adgroup below and the user would be added as admin by mistake
if [[ -z "$realname" ]]; then
    echo "$3 has no RealName in the local directory"
    exit 1
fi

# Checking AD Group Membership

# If User is in AD Admin Group but Not Local Admin

if [[ "$realname" == "$adgroup" && "$3" != "$localgroup" ]]; then
    dscl . append /Groups/admin GroupMembership "$3"
    echo "$3 successfully added"
    exit 0

# If User is in AD Admin Group and is a Local Admin

elif [[ "$realname" == "$adgroup" && "$3" == "$localgroup" ]]; then
    echo "$3 is already a Local Admin"
    exit 0

# If User is not in the AD Group

elif [[ "$realname" != "$adgroup" && "$3" == "$localgroup" ]]; then
    echo "$3 is a Local Admin Only"
    exit 0

elif [[ "$realname" != "$adgroup" ]]; then
    echo "$3 is not a Network Admin"
    exit 0

fi

You could also use dseditgroup instead of dscl:



/usr/sbin/dseditgroup -o edit -a $user -t user admin


$user is the username of whoever you want to add to the local admin group


Don't use dscl -append to add a user into a group. dscl is not intelligent in how it handles this and can add multiple instances of a user account into the group. Believe me, I've seen it, and it can take multiple steps to clean it out properly later if you want to remove that user from the admin group. Apple recommends using dseditgroup to add users to any groups now over dscl. You're already using dseditgroup to check group membership so stick with it when adding users into the local admin group.



/usr/sbin/dseditgroup -o edit -a $username -t user admin


Secondly, I don't think you should be using $1 to store the username, since Casper Suite already reserves this for its own parameters when it runs any shell scripts. This could be part of the errors you're seeing.
$1, $2 and $3 are reserved for mount point, computer name and username, respectively. The $3 (username) will only work with login/logout policies or with Self Service though, so don't use that unless you're sure that's the only time the script will be run.


Interesting: the script I have been running has been pretty flawless and our Active Directory is in shambles! Maybe I should upgrade my script, since when I wrote it dscl was the advice I got.


At one time everyone was told dscl was the way to do it, and I'm not saying it doesn't work anymore. And dscl is still very useful for a lot of things, especially reading back data from a directory structure. But as I said, I've seen cases of looking at the local admin group with dscl . read /Groups/admin and seeing 5 or 6 instances of the same user account in there because of dscl . -append operations. It doesn't check to see if the account is already in the group. It just blindly appends it in the way you told it to.
Apple started recommending dseditgroup about 2 or more years ago I believe, maybe even earlier.


Time to update! :D


Will you post your update here? We're going to rebuild ours based on yours, but had also been considering what would happen if the script ran multiple times (i.e. duplicates and any issues that would occur).



The following suggestion:



/usr/sbin/dseditgroup -o edit -a $username -t user admin


Will $username pull the current username, or can I use $3 in place of $username if run from Self Service?


At login, with $3 in place of $username, it worked like a charm. Thank you for the assistance.



Will there be any issue with running this 'at login' 'ongoing'? If I'm reading this correctly dseditgroup is "more intelligent" and will not create duplicate records, yes?


It shouldn't be a problem. Your script appears to already be checking if the account it grabbed at login is in the local admin group and exiting if it's already there, so you should be doubly safe with that and using dseditgroup :)


elif [[ "$realname" == "$adgroup" && "$3" == "$localgroup" ]]; then
echo $3 "is already a Local Admin"
exit


That's the output I tried to use as my safety net.
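The approach the replies converge on, as an added example rather than code from any post in the thread: dseditgroup does both the membership check and the add, every argument containing a space is quoted (which is what loses the group name in the original script), and $3 carries the username as Casper passes it. The DSEDITGROUP override, the AD node path and the group names are assumptions.

```shell
#!/bin/bash
# Added example (not the thread's script): idempotent "AD admin group -> local admin"
# check for a Jamf/Casper login policy, where $3 is the username. dseditgroup does both
# the check and the add, as the replies recommend; AD node and group names are assumptions.
set -u
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"   # overridable for off-box testing
AD_NODE="${AD_NODE:-/Active Directory/MYTFA/mytfa.org}"
# is_member NODE GROUP USER: returns 0 when dseditgroup answers "yes ...", else 1.
# -m names the member to check; -u/-P are credentials for the node, not the member.
is_member() {
    local node="$1" group="$2" user="$3" out
    # Quoting "$node" and "$group" is the fix for "No group name provided":
    # unquoted, "All TFA" reaches dseditgroup as two separate arguments.
    out="$("$DSEDITGROUP" -o checkmember -n "$node" -m "$user" "$group" 2>/dev/null)" || return 1
    case "$out" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}
# in_any_ad_group USER GROUP...: returns 0 if USER is in at least one of the AD groups.
in_any_ad_group() {
    local user="$1" g; shift
    for g in "$@"; do
        is_member "$AD_NODE" "$g" "$user" && return 0
    done
    return 1
}
# ensure_local_admin USER GROUP...: adds USER to the local admin group only when eligible
# and not already a member. Prints already-admin | not-eligible | added | add-failed.
ensure_local_admin() {
    local user="$1"; shift
    if is_member . admin "$user"; then
        echo "already-admin"; return 0
    fi
    if ! in_any_ad_group "$user" "$@"; then
        echo "not-eligible"; return 0
    fi
    # "-o edit -a USER -t user admin" is the add form suggested in the thread; unlike
    # dscl append it will not create duplicate entries when the policy runs repeatedly.
    if "$DSEDITGROUP" -o edit -a "$user" -t user admin >/dev/null 2>&1; then
        echo "added"
    else
        echo "add-failed"; return 1
    fi
}
# As a policy script: Casper passes the logging-in username as $3.
if [ -n "${3:-}" ]; then
    ensure_local_admin "$3" "All TFA" "Tech Team" "Administrators"
fi
```

Run off-box by pointing DSEDITGROUP at a stand-in; on a bound 10.8 Mac the real binary is used and the script exits without output when no $3 is supplied.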