Posted on 04-29-2016 02:13 AM
Hey guys, quick question that's blowing my brains up. I have a path to an Active Directory group but for some reason dscl does not see it. If I do
#!/bin/sh
# The node path contains spaces, so it has to be quoted as a single argument.
dscl . -read "/Active Directory/DOMAIN/All Domains/"
The group is simply not there. Now if I go into the Directory Utility and I scroll to the same directory above and do a search I find the group. The AppleMetaNodeLocation is in a place dscl doesn't see. Is there another way to grab this data? I am writing a script to grant rights based on membership and my current script, which is working well, depends on dscl grabbing the info.
Any help is appreciated. I have just about everything, information-wise, in the Directory Utility.
Posted on 04-29-2016 03:06 AM
Hi Matt,
The dot specifies the local domain; try "dscl localhost -list /" instead of "dscl . -list /".
Posted on 04-29-2016 04:51 AM
Hi,
I specify the domain path before the -read i.e.
/usr/bin/dscl "/Active Directory/DOMAIN/All Domains" -read . RealName
Posted on 04-29-2016 05:30 AM
I've done it with the dot, without, forwards, and backwards. I'm getting results from AD; they just aren't the same.
Posted on 04-29-2016 05:44 AM
Taking a step back, what happens if you go into interactive mode and try to cd to the directory and then type read?
# dscl
Entering interactive mode... (type "help" for commands)
> cd Active Directory/DOMAIN/All Domains/
/Active Directory/DOMAIN/All Domains > read
Posted on 04-29-2016 08:04 AM
You want the list command not read for this.
The read command reads the properties of whatever you've specified. You've specified "All Domains", which really won't tell you much.
My NetBIOS domain is TALKINGMOOSE, so to get a list of NetBIOS domains, try this:
dscl "/Active Directory/" -read / SubNodes
SubNodes: TALKINGMOOSE
To read deeper in the structure, you need to first verify whether you've selected "Allow authentication from any domain in the forest". Check this in Directory Utility, found in "/System/Library/CoreServices/Applications". Double-click the Active Directory service and look under the Administrative tab.
If that option is enabled, you'll need to append "All Domains" to the path for your searches:
"/Active Directory/TALKINGMOOSE/All Domains/"
If that option is not enabled, you'll need to append the specific name of your Active Directory domain to the path for your searches:
"/Active Directory/TALKINGMOOSE/talkingmoose.pvt/"
Knowing the correct path, you can now list groups:
dscl "/Active Directory/TALKINGMOOSE/talkingmoose.pvt/" -list /Groups
...
TALKINGMOOSE\Domain Admins
TALKINGMOOSE\Domain Computers
TALKINGMOOSE\Domain Controllers
TALKINGMOOSE\Domain Guests
TALKINGMOOSE\Domain Users
TALKINGMOOSE\Enterprise Admins
...
Or you can read the properties of a specific Group:
dscl "/Active Directory/TALKINGMOOSE/talkingmoose.pvt/" -read "/Groups/Domain Admins"
...
dsAttrTypeNative:adminCount: 1
dsAttrTypeNative:distinguishedName:
CN=Domain Admins,CN=Users,DC=talkingmoose,DC=pvt
dsAttrTypeNative:dSCorePropagationData: 20150823042856.0Z 20150823041346.0Z 16010101000416.0Z
dsAttrTypeNative:groupType: -2147483646
dsAttrTypeNative:instanceType: 4
dsAttrTypeNative:isCriticalSystemObject: TRUE
dsAttrTypeNative:member: CN=Administrator,CN=Users,DC=talkingmoose,DC=pvt
dsAttrTypeNative:memberOf:
CN=Denied RODC Password Replication Group,CN=Users,DC=talkingmoose,DC=pvt
CN=Administrators,CN=Builtin,DC=talkingmoose,DC=pvt
dsAttrTypeNative:name:
Domain Admins
...
If you're interested in AD accounts then use "/Users" instead of "/Groups". Likewise, if you're interested in AD computers then use "/Computers".
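The OP's goal is a script that grants rights based on AD group membership, which means reading the group's member list from the node path worked out above and testing whether a user's DN is in it. The following is an added example, not code from this thread or from any of the posters. It assumes the node path "/Active Directory/TALKINGMOOSE/talkingmoose.pvt" (use the "All Domains" form if that option is enabled) and that dscl is available on a bound Mac; the constructed sample dump at the bottom mirrors the dscl output shown above so the parsing helpers can be exercised anywhere. The parser handles dscl's two output shapes: "attr: value" for a simple value, and "attr:" followed by one indented line holding all values separated by single spaces. Because DNs themselves contain spaces, the membership check matches a whole DN bounded by line start/end or a space rather than splitting the line on spaces.

```shell
#!/bin/sh
# Added example: read an AD group's member DNs with dscl and test membership.
# AD_NODE is an assumed placeholder; replace with your own node path.
AD_NODE="/Active Directory/TALKINGMOOSE/talkingmoose.pvt"

# dscl_attr ATTRIBUTE < dscl_output
# Prints the value(s) of one attribute from a "dscl ... -read" dump.
# dscl prints "attr: value" for a simple value, or "attr:" followed by a
# single space-indented line carrying every value separated by spaces.
dscl_attr() {
    awk -v attr="$1" '
        $0 == (attr ":")            { grab = 1; next }
        index($0, attr ": ") == 1   { print substr($0, length(attr) + 3); next }
        grab && /^ /                { sub(/^ /, ""); print; grab = 0; next }
                                    { grab = 0 }
    '
}

# dscl_has_value ATTRIBUTE VALUE < dscl_output
# Exit 0 if VALUE occurs as a whole entry in ATTRIBUTE's value line.
# Values are space-separated but may contain spaces (DNs do), so we look
# for the whole VALUE bounded by start/end of line or a single space.
# The value is passed through the environment so awk does not interpret
# backslash escapes that may appear in DNs.
dscl_has_value() {
    dscl_attr "$1" | V="$2" awk '
        BEGIN { v = ENVIRON["V"]; found = 0 }
        {
            line = $0; pos = 1
            while ((i = index(substr(line, pos), v)) > 0) {
                start  = pos + i - 1
                before = (start == 1) ? " " : substr(line, start - 1, 1)
                after  = substr(line, start + length(v), 1)
                if (before == " " && (after == "" || after == " ")) { found = 1; exit }
                pos = start + 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# ad_group_members GROUP
# Prints the direct member DNs of GROUP (nested groups are not expanded).
ad_group_members() {
    dscl "$AD_NODE" -read "/Groups/$1" dsAttrTypeNative:member \
        | dscl_attr dsAttrTypeNative:member
}

# is_member_of GROUP USER_DN
# Exit 0 if USER_DN is a direct member of GROUP; use this as the gate
# before granting any local right.
is_member_of() {
    dscl "$AD_NODE" -read "/Groups/$1" dsAttrTypeNative:member \
        | dscl_has_value dsAttrTypeNative:member "$2"
}

# Constructed sample dump in dscl's format (not real directory data), used
# to exercise the parsing helpers without a bound Mac.
SAMPLE_DUMP='dsAttrTypeNative:member:
 CN=Administrator,CN=Users,DC=talkingmoose,DC=pvt CN=Bob Smith,CN=Users,DC=talkingmoose,DC=pvt
dsAttrTypeNative:groupType: -2147483646
dsAttrTypeNative:name:
 Domain Admins'

# Offline demonstration on the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | dscl_attr dsAttrTypeNative:name
if printf '%s\n' "$SAMPLE_DUMP" | dscl_has_value dsAttrTypeNative:member \
        "CN=Bob Smith,CN=Users,DC=talkingmoose,DC=pvt"; then
    echo "Bob Smith is a direct member"
fi
```

On a bound Mac, `is_member_of "Domain Admins" "CN=Bob Smith,CN=Users,DC=talkingmoose,DC=pvt"` does the real lookup. Note that dsAttrTypeNative:member lists direct members only; if your rights policy must honour nested group membership, resolve it server-side (the AD plugin's own membership checks, such as dsmemberutil, do this) rather than walking member DNs yourself.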
Posted on 04-12-2021 07:35 AM
dscl "/Active Directory/DOMAIN_NAME/All Domains/" -list /Groups
Returns only 1000 groups; how do I get more?
Posted on 04-12-2021 08:09 PM
@user-cJqBbrGZzs dscl (and other AD tools on macOS) are limited to 1000 records, as you've found. You'll need to use other tools to do lookups that large. I don't know offhand which tools do not have this limitation, but I would try ldapsearch.