I have been working on this issue for a while and can't seem to figure out a way to automate adding a computer object in Active Directory to a group that is also in Active Directory. We will soon be using 802.1x authentication over ethernet using machine certificates to authenticate, so I got everything in place to have machine certificates distributed via a Configuration Profile / MDM. This works fine once the computer object has been added to the AD group that has access to the machine certificate template on the CA. Unfortunately, there is a lot of paperwork required by my team to place the computer object into a group in Active Directory so I was hoping that I could automate this process.
My ideal solution would be to have this process automated during the load script while the machines were being imaged. The machines would be bound to Active Directory, give the DCs time to replicate, then use either dscl or dsgroupedit to place the computer object into the group. This is where I have been having trouble and was looking for some guidance. Here are the two commands that I have tried:
dsgroupedit -u (username) -P (password) -o edit -n "/Active Directory/(domain)/(fqdn)" -a (computername)$ -t computer (groupname)
dscl -u (username) -P (password) localhost append "/Active Directory/(domain)/(fqdn)/groups/(groupname)" GroupMembership (computername)$
(I have also tried modifying members instead of GroupMembership).
These commands always fail, and when I look at /var/log/opendirectory.log after turning on debug logging I always see an error saying "ldap - ODRecordAddValue failed with error 'Unknown record attribute type' (4200)".
Has anyone tried to do something similar with different results or does anyone have any suggestions? Thanks!
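The load-script flow described above (bind, wait for replication, add the computer object, then rely on the membership for certificate enrollment) needs a verification step that the post does not show. The script below is an added example, not the poster's code: it polls the AD node for the computer object in the group's GroupMembership attribute before the machine moves on to certificate enrollment, and extracts the numeric error codes from ODRecordAddValue failures in opendirectory.log so a failed add is distinguished from a replication delay. The node path layout "/Active Directory/DOMAIN/fqdn" with the group under /Groups, the log location and the sample log line are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a Mac's computer
# object is a member of an AD group before continuing, and triage
# opendirectory.log when it is not.
# Assumptions (hypothetical): the OD node is "/Active Directory/DOMAIN/fqdn",
# the group is readable under /Groups on that node, and dscl exists (macOS).

# Extract the numeric error code from one opendirectory.log line such as
# "... ODRecordAddValue failed with error 'Unknown record attribute type' (4200)".
# Prints the code, or nothing if the line is not an OD failure line.
od_error_code() {
  printf '%s\n' "$1" | sed -n "s/.*failed with error '[^']*' (\([0-9]*\)).*/\1/p"
}

# Return 0 if NAME appears as a whole token in dscl's GroupMembership output
# (e.g. "GroupMembership: alice MAC01$ bob"); a prefix match is not enough.
membership_contains() {
  _out=$1; _name=$2
  for _m in $_out; do
    [ "$_m" = "$_name" ] && return 0
  done
  return 1
}

# Poll the AD node up to MAX times, SLEEP seconds apart, until COMPUTER is
# listed in GROUP's GroupMembership. Returns 0 once seen, 1 on timeout.
wait_for_membership() {
  _node=$1; _group=$2; _computer=$3; _max=${4:-12}; _sleep=${5:-10}
  _i=0
  while [ "$_i" -lt "$_max" ]; do
    _out=$(dscl "$_node" -read "/Groups/$_group" GroupMembership 2>/dev/null)
    if membership_contains "$_out" "$_computer"; then
      return 0
    fi
    _i=$((_i + 1))
    sleep "$_sleep"
  done
  return 1
}

# Print the OD error codes of every ODRecordAddValue failure in the log
# (default /var/log/opendirectory.log; pass another path for testing).
recent_od_errors() {
  _log=${1:-/var/log/opendirectory.log}
  grep 'ODRecordAddValue failed' "$_log" 2>/dev/null | while IFS= read -r _line; do
    od_error_code "$_line"
  done
}

# Usage: sh verify_membership.sh DOMAIN FQDN GROUP 'COMPUTER$'
# The live checks only run when four arguments are given and dscl is present.
if [ "$#" -eq 4 ] && command -v dscl >/dev/null 2>&1; then
  node="/Active Directory/$1/$2"
  if wait_for_membership "$node" "$3" "$4"; then
    echo "$4 is a member of $3 on $node"
  else
    codes=$(recent_od_errors | sort -u | tr '\n' ' ')
    echo "$4 not seen in $3 after waiting; OD error codes in log: ${codes:-none}" >&2
    exit 1
  fi
fi
```

Run it at the end of the load script after the add attempt and before the MDM profile that enrolls the machine certificate; a non-zero exit with a 4200 code in the log means the add itself was rejected, whereas a timeout with no codes points at replication or a wrong node path.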