Skip to main content

I am using dseditgroup in my login script to check if a user is a member of the 'Staff' group in Windows Active directory. It has been working fine for a couple of months. We have around 4000 users so its quite well tested.

I have one Student who's login fails because the return value from group is incorrectly being returned as true even though he is not a member of Staff.

here is the code which is returning 1 for the user, but should be returning 0.
groupcheck=$( dseditgroup -o checkmember -n /Active Directory/"${netbios}"/All Domains -m "${username}" "${groupmembership}" | grep -c "yes" )

A few runs in terminal confirms that it it returning the wrong result.

Has anyone else seen this or can offer any suggestions before I zap the user.

Thanks.

@gfawkes Thought i'd respond here as we figured this one out.

Issue was grepping for "yes" would work if "yes" was in the users username, easy fix.. grep for "yes ".

OLD:

groupcheck=$( dseditgroup -o checkmember -n /Active Directory/"${netbios}"/All Domains -m "${username}" "${groupmembership}" | grep -c "yes" )

NEW:

groupcheck=$( dseditgroup -o checkmember -n /Active Directory/"${netbios}"/All Domains -m "${username}" "${groupmembership}" | grep -c "yes " )

I know this is old, but I was just looking into this and wanted to post a good alternative that avoids any username conflicts. This could also be accomplished with a simple awk:

groupcheck=$(dseditgroup -o checkmember -n /Active Directory/"${netbios}"/All Domains -m "${username}" "${groupmembership}" | awk '{ print $1 }' )

This will return the first word of the result, which will either be yes or no depending on if they were found or not. Then you can use that result in an if/then statement.

if [ "$groupcheck" == "yes"  ]; then
    # Take some action here
fi
Terms & ConditionsCookie settingsAccessibility statement