
I want to scope a VPN install to an AD security group. Can this be done, and how?

I have an Extension Attribute that lists the AD groups of the logged in user. You can list a smart group for that AD group and scope your policy to it.



#!/bin/sh

# User currently logged in at the console
currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# Read the user's memberOf DNs from the AD node; the node path contains spaces, so it must be quoted.
# Replace <DOMAIN> with the bound AD domain.
Groups=$( dscl "/Active Directory/<DOMAIN>/All Domains" read "/Users/$currUser" dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' )

echo "<result>$Groups</result>"

Scope to all computers but add a limitation to the LDAP group.


@daniel.behan Hi Daniel. I just tried your script, and it does not appear to be working. We are on 10.8. Is it still working for you?


@nberanger
I also use an EA to grab the logged-in user's AD group membership. From there I create a smart group with the criteria "User AD Group" -> "like" -> "<name of AD group to scope to>". This should drop devices into the smart group if the user is a part of the AD group I'm targeting. Below is the EA script.



#!/bin/sh

# Owner of the console device, i.e. the currently logged-in user
loginUsername=$(stat -f "%Su" /dev/console)

# Print the user record from the memberOf line through the msExchHomeServerName line.
# Replace DOMAIN with the bound AD domain.
Groups=$(dscl '/Active Directory/DOMAIN' -read /Users/"$loginUsername" | awk '/^dsAttrTypeNative:memberOf:/,/^dsAttrTypeNative:msExchHomeServerName:/')

echo "<result>$Groups</result>"


Thanks @mrheathjones, I tried using your script, but it isn't returning any results for me. I should only have to change "DOMAIN" to our domain, correct? We do use the Jamf Infrastructure Manager to connect to LDAP, so maybe that has something to do with it?


We use a similar script to Daniel's but target the computer, not the user. Useful if multiple users log in.



#!/bin/sh

# AD computer account name (ends in "$") from the bind settings
currComputer=$( dsconfigad -show | grep 'Computer Account' | awk '{print $4 }' )

# memberOf of the computer object; values are split at spaces so each DN lands on its own line
Groups=$(dscl "/Active Directory/Domain" read "/Computers/$currComputer" dsAttrTypeNative:memberOf | tr ' ' '\n' | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' )

echo "<result>$Groups</result>"

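A more defensive version of the EA, added here as an example and not taken from any post in the thread: it parses the dscl output at RDN boundaries instead of cutting at the first "OU" (which mangles a group called e.g. "YOUTUBE Admins"), handles both the one-line and the one-value-per-line forms dscl produces, and reports a failed lookup explicitly so a device is not silently dropped from the smart group. DOMAIN, the function names and SAMPLE_OUTPUT are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a more defensive Jamf EA that parses the
# dscl memberOf output at RDN boundaries instead of cutting at the first "OU".
# DOMAIN is a placeholder; SAMPLE_OUTPUT below is constructed test input.

# Read dscl memberOf output on stdin and print one bare group CN per line.
parse_member_of() {
  awk '
    { sub(/^dsAttrTypeNative:memberOf: ?/, ""); sub(/^ +/, "") }
    $0 !~ /^CN=/ { next }   # header-only line or an unrelated attribute
    {
      # dscl puts all values on one space-separated line when none of them
      # contains a space, otherwise one value per indented line
      n = split(" " $0, dn, / CN=/)
      for (i = 2; i <= n; i++) {
        cn = dn[i]
        # the name ends where the next RDN starts; an escaped "\," inside the
        # name is not an RDN separator, so it survives and is unescaped after
        sub(/,(OU|CN|DC)=.*$/, "", cn)
        gsub(/\\,/, ",", cn)
        print cn
      }
    }'
}

# Exit 0 if the group named in $1 is one of the lines on stdin (exact match,
# so "VPN" does not match "VPN Users" the way a smart group "like" would).
in_group() { grep -Fxq -- "$1"; }

# The extension attribute itself. Not executed by the test (needs macOS + AD).
ea_main() {
  consoleUser=$(stat -f "%Su" /dev/console)
  raw=$(dscl "/Active Directory/DOMAIN/All Domains" -read \
          "/Users/$consoleUser" dsAttrTypeNative:memberOf 2>/dev/null) || {
    # a failed lookup (unbound, offline, local account) is reported as such,
    # so it is distinguishable from "member of no groups" in Jamf
    echo "<result>LOOKUP_FAILED</result>"; return 1; }
  echo "<result>$(printf '%s\n' "$raw" | parse_member_of)</result>"
}

# Constructed sample in the multi-line form dscl uses when values contain spaces
SAMPLE_OUTPUT='dsAttrTypeNative:memberOf:
 CN=VPN Users,OU=Groups,DC=corp,DC=example
 CN=YOUTUBE Admins,OU=Groups,DC=corp,DC=example
 CN=Smith\, Sales,OU=Groups,DC=corp,DC=example'

if [ "$(uname)" = Darwin ]; then ea_main; fi   # run as the EA only on a Mac
```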


@nberanger Just curious if you figured this out? We are trying to do the same thing but get no results as well. We also use the JAMF Infrastructure Manager


Hey @EUC600 I ended up giving up on this as I could not get it working. If you do manage to make it work though, I would love to hear how you did it :-)



Cheers!