Skip to main content
Solved

Use AD group to scope policy

  • May 2, 2018
  • 9 replies
  • 65 views
KyleEricson
Forum|alt.badge.img+17

I want to scope a VPN install at a AD security group. Can this be done and how?

Best answer by cubandave

Scope to all computers but add a limitation to the LDAP group.

Read My Blog: https://www.ericsontech.com

    9 replies

    D
    Forum|alt.badge.img+11
    • daniel_behan
    • Valued Contributor
    • May 2, 2018

    I have an Extension Attribute that lists the AD groups of the logged in user. You can list a smart group for that AD group and scope your policy to it.

    #!/bin/sh

currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

Groups=$( dscl /Active Directory/<DOMAIN>/All Domains read /Users/$currUser dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' )

echo "<result>$Groups</result>"
    C
    Forum|alt.badge.img+9
    • cubandave
    • Contributor
    • Answer
    • May 2, 2018

    Scope to all computers but add a limitation to the LDAP group.

      N
      Forum|alt.badge.img+6
      • nberanger
      • Contributor
      • November 7, 2018

      @daniel.behan Hi Daniel. I just tried your script, and it does not appear to be working. We are on 10.8. Is it still working for you?

      M
      Forum|alt.badge.img+10
      • mrheathjones
      • Contributor
      • November 7, 2018

      @nberanger I also use an EA to grab the logged in user AD group membership. From there I create a smart group with the criteria of "User AD Group" -> "like" -> "<name of AD group to scope to>" this should drop devices into the smart group if the user is apart of the ad group I'm targeting. Below is the EA script.

      !/bin/sh

      loginUsername=$(stat -f "%Su" /dev/console)

      Groups=$(dscl '/Active Directory/DOMAIN' -read /Users/"$loginUsername" | awk '/^dsAttrTypeNative:memberOf:/,/^dsAttrTypeNative:msExchHomeServerName:/')

      echo "<result>$Groups</result>"

      N
      Forum|alt.badge.img+6
      • nberanger
      • Contributor
      • November 22, 2018

      Thanks @mrheathjones I tried using your script, but it isn't returning any results for me. I should only have to change "DOMAIN" to our domain, correct? We do use the jamf infrastructure manager to connect to LDAP, so maybe that has something to do with it?

      D
      Forum|alt.badge.img+11
      • dmw3
      • Valued Contributor
      • November 22, 2018

      We use a similar script to Daniel but target the computer not the user. Useful if multiple users login.

      #!/bin/sh currComputer=$( dsconfigad -show | grep 'Computer Account' | awk '{print $4 }' ) Groups=$(dscl "/Active Directory/Domain" read /Computers/$currComputer dsAttrTypeNative:memberOf | tr " " " " | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' ) echo "<result>$Groups</result>"
      J
      Forum|alt.badge.img+11
      • JustDeWon
      • Contributor
      • November 27, 2018

      .

      E
      Forum|alt.badge.img+4
      • EUC600
      • Contributor
      • November 24, 2020

      @nberanger Just curious if you figured this out? We are trying to do the same thing but get no results as well. We also use the JAMF Infrastructure Manager

      N
      Forum|alt.badge.img+6
      • nberanger
      • Contributor
      • November 24, 2020

      Hey @EUC600 I ended up giving up on this as I could not get it working. If you do manage to make it work though, I would love to hear how you did it :-)

      Cheers!

      Terms & ConditionsCookie settingsAccessibility statement