Posted on 09-11-2013 12:58 PM
I have been working on this issue for a while and can't seem to figure out a way to automate adding a computer object in Active Directory to a group that is also in Active Directory. We will soon be using 802.1x authentication over ethernet using machine certificates to authenticate, so I got everything in place to have machine certificates distributed via a Configuration Profile / MDM. This works fine once the computer object has been added to the AD group that has access to the machine certificate template on the CA. Unfortunately, there is a lot of paperwork required by my team to place the computer object into a group in Active Directory so I was hoping that I could automate this process.
My ideal solution would be to have this process automated during the load script while the machines are being imaged. The machines would be bound to Active Directory, the DCs given time to replicate, and then either dscl or dseditgroup used to place the computer object into the group. This is where I have been having trouble and was looking for some guidance. Here are the two commands that I have tried:
dseditgroup -u (username) -P (password) -o edit -n "/Active Directory/(domain)/(fqdn)" -a '(computername)$' -t computer (groupname)
dscl -u (username) -P (password) localhost append "/Active Directory/(domain)/(fqdn)/Groups/(groupname)" GroupMembership '(computername)$'
(I have also tried modifying members instead of GroupMembership).
These commands always fail, and when I look at /var/log/opendirectory.log after turning on debug logging I always see an error saying "ldap - ODRecordAddValue failed with error 'Unknown record attribute type' (4200)".
Has anyone tried to do something similar with different results or does anyone have any suggestions? Thanks!
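As an added example (this is not code from the thread, and not adtool's code), here is what the "bind, wait for replication, add to group" step of a load script looks like when the membership change is sent to AD directly with the ldapsearch/ldapmodify that ship with OS X: a base-scope search to confirm the new computer object is visible, then an LDAP modify that appends the computer's DN to the group's member attribute. The domain, OU, group, service account and password-file path are assumed placeholders; the CN is assumed to equal the computer account name that dsconfigad created.

```shell
#!/bin/sh
# Added example, not from the thread. Adds this Mac's AD computer object to an
# AD group by issuing the LDAP modify directly (append the computer's DN to the
# group's "member" attribute). Domain, OU, group and account names below are
# placeholders; replace them with your own.
set -eu

DOMAIN_FQDN="corp.example.com"                                    # assumed AD domain
COMPUTER_OU="OU=Macintosh,DC=corp,DC=example,DC=com"              # assumed OU the Macs bind into
GROUP_DN="CN=Mac-8021x-Certs,OU=Groups,DC=corp,DC=example,DC=com" # assumed group granted the cert template
SVC_USER="svc-macjoin@corp.example.com"                           # assumed service account
SVC_PASS_FILE="/private/var/root/svc-macjoin.pw"                  # mode 0600; write it with printf '%s' (no trailing newline)

# Derive the computer object's DN from its account name. Accepts either the
# sAMAccountName form ("mac001$") that "dsconfigad -show" reports or a FQDN.
# Assumes the CN equals the account name, which is what dsconfigad creates.
computer_dn() {
    local name
    name="$1"
    name="${name%\$}"     # drop the trailing $ of the sAMAccountName
    name="${name%%.*}"    # drop any DNS suffix
    printf 'CN=%s,%s' "$name" "$COMPUTER_OU"
}

# LDIF for one modify: add the computer DN to the group's member attribute.
# ldapmodify exits with 20 (attributeOrValueExists) if it is already a member.
group_add_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$GROUP_DN" "$1"
}

# After dsconfigad the new object may not yet have replicated to the DC that
# answers our LDAPS queries, so poll for it (base-scope search on its own DN)
# before touching the group. Returns 0 once visible, 1 on timeout.
wait_for_computer() {
    local dn tries i
    dn="$1"; tries="${2:-30}"; i=0
    while [ "$i" -lt "$tries" ]; do
        if ldapsearch -LLL -H "ldaps://$DOMAIN_FQDN" -D "$SVC_USER" -y "$SVC_PASS_FILE" \
                -b "$dn" -s base dn >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 10
    done
    return 1
}

# Run from the load script after dsconfigad has bound the machine.
add_this_mac_to_group() {
    local acct dn
    acct="$(dsconfigad -show | awk -F' = ' '/Computer Account/ {print $2}')"
    dn="$(computer_dn "$acct")"
    wait_for_computer "$dn" || { echo "$dn not visible on $DOMAIN_FQDN after timeout" >&2; return 1; }
    group_add_ldif "$dn" | ldapmodify -H "ldaps://$DOMAIN_FQDN" -D "$SVC_USER" -y "$SVC_PASS_FILE"
}

# Invoke as: add_this_mac_to_group
# (not called automatically, so the helpers can be sourced and checked on their own)
```

Two things worth getting right before putting this in an imaging script. First, the service account's password lives on every machine while the script runs, so in AD delegate that account only the "Write Members" permission on this one group rather than making it a domain-level admin, and use ldaps:// so the simple bind is not sent in the clear. Second, OpenLDAP's -y reads the password file byte for byte, so a trailing newline becomes part of the password; create the file with printf '%s' and chmod 600 it.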
Posted on 09-11-2013 07:39 PM
Why not move the computers into the appropriate AD group as part of the AD Binding process?
We have been doing this for a while.
Posted on 09-11-2013 07:55 PM
How so?
Posted on 09-11-2013 08:03 PM
In our case, in the AD binding settings we have the following in the "Computer OU" field:
OU=Workstations-Mac,OU=Resources,OU=HIT,DC=utas,DC=ad,DC=internal
As long as you have a service account that can bind computers to AD, you should be able to add a path similar to the above for the group you need.
So if you look at it logically it is:
utas.ad.internal
    HIT
        Resources
            Workstations-Mac
Posted on 09-12-2013 05:53 AM
Unfortunately, the group is not a container. We already have the computers going into a "Macintosh" OU, but I'm looking to add the machines to an entirely different group as well.
When I tried to add the machines to that group by specifying it as an OU, dsconfigad gave me an error saying the specified container does not exist.
Posted on 09-16-2013 12:14 PM
Turns out Apple says it is not possible to do what I'd like to do:
http://support.apple.com/kb/HT4779
Does anyone know of any third party applications that might be able to do what I am trying to do?
Posted on 09-17-2013 05:32 AM
For anyone else looking to accomplish the same thing, I found a tool called adtool that does exactly this! After writing to /usr/local/etc/adtool.cfg and setting all the variables, the tool actually becomes very powerful.