
Can someone be so kind as to give me some coding love!



I need to create an Extension Attribute that calls an AD Group. I want to use this to make a smart group (X Users get X script.)



Any help would be much appreciated!



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

Let me try that.



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Hi Matthew,



Something like:



#!/bin/sh

# This script is to display the OU of the Computer in Casper

# Read Computername
CN=$(scutil --get LocalHostName)

# LDAP Lookup (the AD node path contains spaces, so it must be quoted)
ou=$(dscl localhost -read "/Active Directory/All Domains/Computers/$CN" | grep dn: | cut -d, -f3-5)

echo "<result>$ou</result>"


wouldn't that just be a login script that has a check to see if the user is in said group then execute something?
as you can see I belong to packaging
bash-3.2$ groups
packaging com.apple.sharepoint.group.2 everyone _appstore netaccounts _appserverusr admin _appserveradm _lpadmin _lpoperator _developer com.apple.access_screensharing com.apple.sharepoint.group.1
bash-3.2$ groups | grep -q packaging
bash-3.2$ if [ $? -eq 0 ];then echo "run other script"; else echo "not in the right group, skip script"; fi
run other script



--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services


Here is what I have. I have a script that shuts down computers at night and instead of manually making a Smart Group I thought hey maybe an Extension Attribute. So I have the shutdown script from the Resource Kit and I have it all setup, it would be great if I could make a smart group based on an extension attribute that somehow knows who's in that AD Group, and then applies (Via Smart Group runs said script.)



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


so take that same thing I did and transfer it to the casper method…
#!/bin/bash
groups | grep -q packaging
result=$?
if [ "$result" -eq 0 ]; then
result=yes
else
result=no
fi
echo "<result>$result</result>"



then your smart group is based off of yes or no answer
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services


Thanks Todd! I will give this a shot.



For clarification when does this trigger? At login?



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


you know come to think of it, that is a good question, chances are this is going to run as root and never match, 😞 too many things going on and I did not think clearly. so again, back to a login script that writes a file somewhere, that you could then check for existence of the file with something similar to whats below. -e filename instead.



--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services


Can you do anything on the JSS side since the JSS can directly tie into AD?
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885


I don't know honestly. The way I did it previously was manual. Made an Extension Attribute with a Yes No and a Smart Group.



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Are you looking to create a smart group that matches the membership of an AD group? If I infer correctly from your post, you want to do the following. If user X belongs to AD group Y, you want their computer to be added to a corresponding JSS smart group Y. Correct? Then perhaps apply some policy to that smart group? For example, hypothetically the computers that belong to all people in the AD group Human Resources would get added to a JSS smart group called Human Resources. I'll bet someone has done this before as it seems quite a normal thing to do - identify all of the computers used by an organizational group.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885


Maybe create an extension attribute that does this:



owner=$(who | awk '/console/ { print $1 }')
group=$(id -p "$owner" | awk '/groups/ { print $2 }')
echo "<result>$group</result>"



This will set the attribute value to the primary group of the user logged into the console. Once you have all of these attribute values being collected you can then create smart groups based on the different values.



Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885
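Putting Todd's "runs as root" caveat and Walter's console-user lookup together, here is an added example (my own, not code from any poster in this thread) of an extension attribute that resolves the console user first and then tests that user's groups. The group name in TARGET_GROUP is an assumption; substitute the real one. It also avoids a substring match, since `grep -q packaging` would also report yes for a user in a group called packaging-readonly.

```shell
#!/bin/sh
# Added example (not from the thread): Casper extension attribute reporting
# whether the user currently at the console belongs to a group. Casper runs
# extension attribute scripts as root, so a bare `groups` would describe root;
# the console user is resolved first and the group list is asked for by name.
# TARGET_GROUP is an assumed group name; set it to the real one.

TARGET_GROUP="${TARGET_GROUP:-packaging}"

# Short name of the user who owns the console, or nothing if no one is logged in.
console_user() {
    who | awk '/console/ { print $1; exit }'
}

# Exact-word membership test. Prints yes or no for a whitespace-separated group
# list and a group name. A per-word comparison does not match
# "packaging-readonly" when "packaging" is wanted, unlike grep -q.
membership_result() {
    group_list="$1"
    wanted="$2"
    for g in $group_list; do
        if [ "$g" = "$wanted" ]; then
            echo yes
            return 0
        fi
    done
    echo no
    return 1
}

# Wrap a value in the <result> tags the Casper agent parses.
ea_output() {
    printf '<result>%s</result>\n' "$1"
}

# Query the live system only where the macOS directory tools exist.
if command -v dscl >/dev/null 2>&1; then
    user="$(console_user)"
    if [ -z "$user" ]; then
        ea_output "no console user"
    else
        # id -Gn lists every group (primary and supplementary) of the named user.
        ea_output "$(membership_result "$(id -Gn "$user")" "$TARGET_GROUP")"
    fi
fi
```

One thing to keep in mind when building the smart group on this value: if the Mac is off the network or the AD bind is broken, `id` cannot resolve a mobile account's groups and the attribute reads "no" even for a real member, so a missing "yes" is not proof the user is outside the group.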


Just wanted to throw one more piece into this puzzle.



This will be machine based not user based :)



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


I came up with this…



#!/bin/bash
dscacheutil -q group | grep -q 1115105145
result=$?
if [ "$result" -eq 0 ]; then
result=yes
else
result=no
fi
echo "<result>$result</result>"



This seemed to work but dscacheutil seems to take a while!



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


dscl /Active Directory/All Domains -read /Groups/groupname



Works to give me all the information I need. It gives me a "GroupMembership" field with the computers listed as domain/computername. Now if I can only figure out a way to get that to compare :)



Thanks guys life saver!!!!



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Correct. This will set an extension attribute for the machine, but it will directly correlate to the primary AD group of the user logged into the console.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885


All you need to do is check group membership versus the AD group you want to create the extension for and then echo out the result with the proper brackets so Casper client will inject the data into a table in the JSS database.



I don't have AD but I could easily script this. If you look at user data via dscl command what attribute displays the AD group? I could write you a quick script for this.



-Tom


i have a snippet that does this here: https://github.com/rockpapergoat/scripts/blob/master/accountmanagement/get_ou.rb



these methods are part of another ruby script i use to assign admins based on a machine's OU in AD.


If the client is joined to AD and your user is logged in via their AD user ID, the script I provided does this. The "id" command takes that into account.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885


The script provided me the group of the logged in user (this is actually very helpful for something else I am doing!)



The thing though is that I really want to do:



If $currentmachinename is in $adgroupX then $displaygroupname else donothing/exit



The $displaysomething would I assume be the variable used to trigger the smart group to execute the script I wrote.



Thanks for all the help everyone! I get smarter and smarter everyday because of you all!



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


scripts run as root in Casper, so id would return the root user (UID 0) so you need to use a method of user detection to figure out the UID of the user in question. I have several methods but prefer building a list of all users above UID 500, then checking their group membership, then executing whatever.



I don't have AD, but if you use the dscl . read /Users/myuser what information returns that displays the AD group? If you give me this I can write you guys a script that does this.



Thanks,



Tom


Not if you provide a user ID on the command line. See one of my previous messages.



owner=$(who | awk '/console/ { print $1 }')
group=$(id -p "$owner" | awk '/groups/ { print $2 }')
echo "<result>$group</result>"



Walter
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885



On Aug 17, 2011, at 11:06 AM, Thomas Larkin wrote:



scripts run as root in Casper, so id would return the root user (UID 0) so you need to use a method of user detection to figure out the UID of the user in question. I have several methods but prefer building a list of all users above UID 500, then checking their group membership, then executing whatever.



I don't have AD, but if you use the dscl . read /Users/myuser what information returns that displays the AD group? If you give me this I can write you guys a script that does this.



Thanks,



Tom


All I get is a Group ID number.



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Well, assuming there may be more than one account on a computer for whatever reason, like for example a user logs into multiple computers, or say you have an admin AD account on each machine, or whatever reason. Also, when I build my images any local accounts for management are hidden and use a UID lesser than 500.



So, I do this



userList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')



This returns a list of all users who have a UID greater than 500, and to be honest you can up it to 1000 since all network/mobile accounts in my experience (be them OD or AD) have a UID greater than 1000.



Then loop the user list



for u in ${userList} ; do
    # some Unix commands to compare, if/then, execute policy, whatever
done



This way a script can run once and hit all users regardless of who is logged in and create extension attributes. Then you can compare if a machine is in more than one extension attribute smart group, and find out why multiple users logged into it, or why it is in both, etc. Perhaps it needs to be in both. Of course this is just my opinion and not necessarily the best way for everyone to accomplish this.



-Tom
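Tom's approach, written out as an added example (mine, not Tom's own script): filter the `dscl . list /Users UniqueID` output by UID, then look at each remaining account's groups and report which of them are in the group, regardless of who is at the console. UID_MIN and TARGET_GROUP are assumed values; the parsing functions take their input on stdin so they can be tried against captured dscl output before the attribute is deployed.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate every account above a UID
# threshold, in the "name uid" form that `dscl . list /Users UniqueID` prints,
# and report which of those users belong to a group, independent of who is
# logged in. UID_MIN and TARGET_GROUP are assumed values.

UID_MIN="${UID_MIN:-500}"
TARGET_GROUP="${TARGET_GROUP:-packaging}"

# Reads "name uid" lines on stdin and prints the names whose UID is above $1.
# Lines whose second field is not a number (stray dscl output) are skipped.
users_above_uid() {
    awk -v min="$1" '$2 ~ /^[0-9]+$/ && ($2 + 0) > min { print $1 }'
}

# Reads "name:group group ..." lines on stdin and prints each name whose list
# contains $1 as a whole word, so "packaging-readonly" does not count as
# "packaging".
members_of() {
    awk -F: -v g="$1" '{
        n = split($2, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == g) { print $1; break }
    }'
}

# Query the live directory only where dscl exists (that is, on a Mac).
if command -v dscl >/dev/null 2>&1; then
    found="$(
        for u in $(dscl . list /Users UniqueID | users_above_uid "$UID_MIN"); do
            # id -Gn gives primary and supplementary groups; it prints nothing
            # for a mobile account whose domain is unreachable.
            printf '%s:%s\n' "$u" "$(id -Gn "$u" 2>/dev/null)"
        done | members_of "$TARGET_GROUP" | tr '\n' ' ' | sed 's/ $//'
    )"
    printf '<result>%s</result>\n' "${found:-none}"
fi
```

The attribute value is then the list of member accounts on the machine (or "none"), which a smart group can match with "is not none", and which also makes it visible when a machine carries more than one account in the group, the situation Tom describes wanting to spot.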


The objects in the group are computer objects it would be great if I could take the currentName=$(networksetup -getcomputername) and compare it to what is inside that particular AD group.



--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group


Well what does this return?



dscl . read /Groups/myadgroup GroupMembership



or if they are computer groups



dscl . read /Computers/computer_group GroupMembership



does that return anything? Again I don't have AD to test with right now :)
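To close the loop on Matt's computer-object question, here is an added example (mine, not any poster's code) that takes the `dscl "/Active Directory/All Domains" -read /Groups/<name> GroupMembership` output Matt described, strips the domain/ (or domain\) prefix and the trailing $ that AD computer accounts carry, and compares the remaining names to this Mac's name. The group name in AD_GROUP is an assumption, and so is the use of ComputerName as the computer account name; the account name is whatever was used at bind time, so check that the two match in your environment.

```shell
#!/bin/sh
# Added example (not from the thread): extension attribute reporting whether
# this computer's AD account is listed in an AD group's GroupMembership
# attribute. AD_GROUP is an assumed group name.

AD_DOMAIN_NODE="/Active Directory/All Domains"
AD_GROUP="${AD_GROUP:-ShutdownAtNight}"

# Reads raw dscl output on stdin and prints one member per line with the
# DOMAIN/ or DOMAIN\ prefix removed and the trailing $ of computer accounts
# stripped, so members can be compared to a plain host name.
parse_members() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }' \
        | tr '\\' '/' \
        | sed -e 's#^.*/##' -e 's/\$$//'
}

# Prints yes or no: is $2 (a computer name) one of the members in $1 (raw dscl
# output)? Case-insensitive, as AD account names are, and an exact match, so
# "mac-0" does not match "mac-01".
computer_in_group() {
    raw="$1"
    name="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    if printf '%s\n' "$raw" | parse_members | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$name"; then
        echo yes
    else
        echo no
    fi
}

# Query the live directory only where dscl exists (that is, on a Mac).
if command -v dscl >/dev/null 2>&1; then
    # Assumption: the AD computer account still carries the ComputerName.
    this_name="$(scutil --get ComputerName)"
    raw="$(dscl "$AD_DOMAIN_NODE" -read "/Groups/$AD_GROUP" GroupMembership 2>/dev/null)"
    if [ -z "$raw" ]; then
        # Unbound, offline, or group not found: say so instead of a false "no".
        printf '<result>unknown</result>\n'
    else
        printf '<result>%s</result>\n' "$(computer_in_group "$raw" "$this_name")"
    fi
fi
```

The smart group should key on "yes" only; "unknown" separates a machine that could not reach the domain from one that genuinely is not in the group, which matters when the policy attached to the group does something as visible as shutting the machine down at night.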