Skip to main content

All -
Looking for some help here as far as a script to add multiple AD groups to the OS X AD Plugin.
In our environment, historically, rights to numerous items are granted by adding all users to a specific AD group, this is for easier support as well as keeping track of rights and access.



Currently, in the Casper environment that I have become responsible for there is a script that runs at build time after AD binding. This does numerous things, one of which is adding our desktop techs AD group to the local admin group so that they have the rights to administer the machine.



Here is the current script:



#!/bin/sh



# Purpose: Set AD plugin options after binding



# Enable mobile accounts

dsconfigad -mobile enable >> /var/log/jamf.log



# Disable mobile account creation confirmation

dsconfigad -mobileconfirm disable >> /var/log/jamf.log



# Force local home folder

dsconfigad -localhome enable >> /var/log/jamf.log



# Disable UNC network home paths

dsconfigad -useuncpath disable >> /var/log/jamf.log



# Add DOMAINDesktopAdmins to administrator group

dsconfigad -groups DOMAIN\\DesktopAdmins >> /var/log/jamf.log



# Allow authentication from any Domain in the Forest

dsconfigad -alldomains enable >> /var/log/jamf.log



# Allow packet signing

dsconfigad -packetsign allow >> /var/log/jamf.log



# Allow packet encryption

dsconfigad -packetencrypt allow >> /var/log/jamf.log


I am hoping to add additional AD groups to this script. However, when I have added them, either as a whole new #section or just under the current #section it never adds the second group. When I run the script to add another AD group outside of the build it also does not work correctly.



Can anyone post something here (or tell me whats wrong) that will actually add the second (or third/fourth/fifth, etc...) AD group to the plugin at build time as well as something to run on machines already built so that they will get additional AD groups as well? Make sense?



This works perfectly for the single group addition but never for another group. Would love to alter the script at build time to add these groups, but also have something that works to add additional groups at any time in the future.



As always, any help greatly appreciated.

Hi @MTurnerFMRCO
The problem is that the dsconfigad -groups command overwrites any previous entries. So during imaging, you could modify your script by adding all of the groups at once:



group1="DOMAIN\\DesktopAdmins"

group2="DOMAIN\\ServerAdmins"

group3="DOMAIN\\SecurityTeam"



# Add DOMAIN administrator groups

dsconfigad -groups "$group1,$group2,$group3" >> /var/log/jamf.log


I use the following script to add groups individually to existing machines without changing what was already in place. I just specify the security group I want to add in Parameter 4 in either a Policy or Casper Remote....if you use this frequently you could modify it to add more that 1 at a time..



#!/bin/bash



##################

#Script information

##################

#Script: Add_Admin_Group_1.0

#Purpose: This script will add the AD group specified in Parameter 4 when the script is run to the AD binding admin groups.





#########

#Variables

#########



CURRENTGROUPS=`dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //'`

#New Group is defined in casper script Parameter 4

NEWGROUP="domain\\$4"



#########

#SCRIPT

#########



dsconfigad -groups "$CURRENTGROUPS,$NEWGROUP"

VALIDATEGROUPS=`dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //'`



if [ "$VALIDATEGROUPS" == "$CURRENTGROUPS,$NEWGROUP" ]

    then

        echo "Admin Groups configured successfully." >> yourlogfile

        exit 0

    else

        echo "Unable to set admin groups." >> yourlogfile

        exit 1

fi
dsconfigad -groups "DOMAINDesktopAdmins,DOMAINSecondGroup,DOMAINThirdGroup"


should work

@Josh.Smith
@Chris



Thank you both for the reply. I will test both and add details here.

I didn't even put the DOMAINpart in it.



sudo dsconfigad -groups ADMINS,WORKSTATIONSADMINS,GROUPTHREEHERE

Reply


Terms & ConditionsCookie settings