Active Directory - Add computer name to security group after AD bind

Hi @jeremygould,

Is this for every Mac? & can you elaborate io why?

Could you maybe bind the macs to a specific OU & then apply the policy to that.

The dscl command may be able to add to the AD group, but you'd need to pass the usernames & password via script do a user with rights to amend the membership. (Which isn't advised, but you maybe able to hash the password).

Every MAC...we are deploying machine certs from Active Directory and our Security team wants to use a different certificate template for MACs than our Windows devices. They need an AD security group with these devices to assign rights to. Windows certificate template is using the built in group "Domain Computers" so I need to come up with a way to automatically add devices to a separate Security Group.

Played with dscl command as well but ran into some roadblocks.

+1 on applying the policy to an OU and binding to that ou

@jeremygould, I'm guessing this is a Windows Network Policy Server? (NPS).

I had a look, & looks like you cannot specify an OU to constrain a policy to: http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx.aspx)

There are ways to expand NPS to look at OU's or ad groups to have members based on OU.

BUT, if the NPS policy is applying to all those that are part of the "Domain Computers" group. Then the policy will apply to the Macs too, during the bind process a computer object is made & that will be a members of the "Domain Computers" group.

So it should work.. Why do they require separate groups for the macs? They should be able to use the same NPS as the Win clients. (Ours do).

Hope that helps.

Thanks bentoms...I agree. Using the same cert as our Windows devices would be my preference. Our Security team though wanted to setup separate reporting for MAC devices by using a separate certificate. Based on everything I am hearing and reading I don't think it is worth the work to figure out an automated way to get Security Group assignments. I think I will push back on them. Appreciate the response.

@jeremygould no worries.

If the NPS is scoped to Domain Computers... You'll not be able to segregate.

If the Certs are based on the macs name, you could get the to marry up the Certs to the macs records in the JSS.

OR, if you have 1 OU for the macs... They could use the computer objects to marry up against NPS.

BUT, what are they needing reporting on?

@jeremygould, oh last thing... You could create a NPS just for the macs.

@colonelpanic, nice solution.

But if @jeremygould's NPS is deploying Certs to members of "Domain Computers", then the mac clients will get the same Certs as the windows clients.

To change, both the Windows & Mac Certs would need to be scoped to separate AD groups, which only contain the relevant computers.

You are correct. That is the way I have everything set up. That part of the decision was out of my control, I just was able to make do with what I had by using adtool.

@colonelpanic, don't we all!

Bookmarked the tool as could come in handy. Thanks!

@colonelpanic, very cool...this is what I was looking for. Thanks so much!

You're welcome! It took me a longer than I'm willing to admit to find that tool and crete a working solution, so I'm happy to help you get there quicker.

I was looking into this just last week. OS X has a command built in that I use... ldapmodify... here's the syntax that I use:

ldapmodify -H ldap://xxx.xxx.com -f /Users/Shared/[filename.ldif] -D username -w password -x -c -v

For this, it reads from the ldif file for instructions, so I have this at the beginning of the script:

echo dn: CN=[security_group],OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx > /Users/Shared/[filename.ldif]
echo changetype: modify >> /Users/Shared/[filename.ldif]
echo add: member >> /Users/Shared/[filename.ldif]
echo member: CN=[computername],OU=xxx,OU=xxx,DC=xxx,DC=xxxl,DC=xxx,DC=com >> /Users/Shared/[filename.ldif]

I fill the username, password, and computername with Applescript dialogs.

@colonelpanic thanks for posting this - was looking for something that did this exactly today.

Only thing I can't figure out is how to get it working if the account with permissions to add the group membership resides in an OU with spaces in name. Anyone have ideas on that? If I put the user account in CN=USERS, or OU=TEST it works, but on OU=TEST GROUP the script errors out.

FWIW, we have a script that runs against AD every 30 minutes. It adds a specific security group to any machine that has attributes "Mac OS X" in Operating System Version . . . this security group gives that machine permissions to the Mac cert template which it then can request from the CA.

what are people using in 2024 for this?