I have been working on this issue for a while and can't seem to figure out a way to automate adding a computer object in Active Directory to a group that is also in Active Directory. We will soon be using 802.1x authentication over ethernet using machine certificates to authenticate, so I got everything in place to have machine certificates distributed via a Configuration Profile / MDM. This works fine once the computer object has been added to the AD group that has access to the machine certificate template on the CA. Unfortunately, there is a lot of paperwork required by my team to place the computer object into a group in Active Directory so I was hoping that I could automate this process.
My ideal solution would be to have this process automated during the load script while the machines were being imaged. The machines would be bound to Active Directory, give the DCs time to replicate, then use either dscl or dseditgroup to place the computer object into the group. This is where I have been having trouble and was looking for some guidance. Here are the two commands that I have tried:
dseditgroup -u (username) -P (password) -o edit -n "/Active Directory/(domain)/(fqdn)" -a (computername)$ -t computer (groupname)
dscl -u (username) -P (password) localhost append "/Active Directory/(domain)/(fqdn)/groups/(groupname)" GroupMembership (computername)$
(I have also tried modifying members instead of GroupMembership).
These commands always fail, and when I look at /var/log/opendirectory.log after turning on debug logging I always see an error saying "ldap - ODRecordAddValue failed with error 'Unknown record attribute type' (4200)".
Has anyone tried to do something similar with different results or does anyone have any suggestions? Thanks!
In our case, in the AD binding settings we have the following in the "Computer OU":
As long as you have a service account that can bind computers to AD, you should be able to add a path similar to the above for the group you need.
So if you look at it logically it is:
Unfortunately the group is not a container. We already have the computers going into a "Macintosh" OU, but I'm looking to add machines in an entirely different group as well.
When I tried to add the machines into that group by specifying it as an OU dsconfigad gave me an error saying the specified container does not exist.
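Since a group is not a container, dsconfigad cannot place the object in it at bind time, and the thread shows the Open Directory AD plugin rejecting the group write. One route that avoids the plugin altogether is to write the group's "member" attribute directly over LDAP with the OpenLDAP client tools that ship with macOS (/usr/bin/ldapsearch and /usr/bin/ldapmodify). The script below is an added example and is not from the original posts or from Jamf; every name in it (the DC, the service account, the password file path, the domain and the group DN) is an assumption to be replaced, and it assumes the computer ID given to dsconfigad matches the Mac's LocalHostName and that the service account has write access to the group's member attribute.

```shell
#!/bin/sh
# Added example (not from the original thread): put a bound Mac's computer
# object into an AD group by writing the group's "member" attribute over LDAP
# with the OpenLDAP clients macOS ships, bypassing the Open Directory AD plugin.
# Every value below is an assumed placeholder for illustration; replace it.

LDAP_URI="${LDAP_URI:-ldaps://dc01.corp.example.com}"      # assumed DC; LDAPS keeps the bind password off the wire
BIND_DN="${BIND_DN:-svc-macbind@corp.example.com}"         # assumed service account; AD accepts UPN form as a bind DN
PW_FILE="${PW_FILE:-/var/root/.svc-macbind.pw}"            # assumed 0600 file; -y keeps the password out of `ps`
DOMAIN_FQDN="${DOMAIN_FQDN:-corp.example.com}"             # assumed domain
GROUP_DN="${GROUP_DN:-CN=Mac 8021x Certs,OU=Groups,DC=corp,DC=example,DC=com}"  # assumed group with enrol rights

# A computer object's sAMAccountName is its computer ID plus a trailing '$';
# the ID is limited to 15 characters by the NetBIOS name rules.
computer_sam() {
    name=$1
    if [ "${#name}" -gt 15 ]; then
        echo "computer ID '$name' exceeds the 15-character NetBIOS limit" >&2
        return 1
    fi
    printf '%s$' "$name" | tr '[:lower:]' '[:upper:]'
}

# corp.example.com -> DC=corp,DC=example,DC=com
fqdn_to_base_dn() {
    printf '%s' "$1" | sed 's/\./,DC=/g; s/^/DC=/'
}

# AD group membership is a list of DNs on the group's "member" attribute, so the
# change adds the computer's DN, not its account name. Output is LDIF for ldapmodify.
build_group_add_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' "$1" "$2"
}

# ---- helpers below talk to the domain and are not exercised offline ----

# Resolve the computer's DN from its sAMAccountName (plain ASCII DNs assumed;
# ldapsearch base64-encodes DNs with non-ASCII characters).
lookup_computer_dn() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
        -b "$(fqdn_to_base_dn "$DOMAIN_FQDN")" \
        "(&(objectClass=computer)(sAMAccountName=$1))" dn \
      | sed -n 's/^dn: //p'
}

add_computer_to_group() {
    build_group_add_ldif "$GROUP_DN" "$1" \
      | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE"
}

# Check: a base-scope search on the group filtered by member= returns the
# group DN only when the computer is already a member.
is_group_member() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
        -b "$GROUP_DN" -s base "(member=$1)" dn | grep -q '^dn: '
}

main() {
    sam=$(computer_sam "$(scutil --get LocalHostName)") || exit 1
    dn=$(lookup_computer_dn "$sam")
    if [ -z "$dn" ]; then
        # Right after dsconfigad the object may not have replicated to this DC yet.
        echo "no computer object for $sam found yet (replication lag or bind failure)" >&2
        exit 1
    fi
    if is_group_member "$dn"; then
        echo "$dn is already a member of $GROUP_DN"
    else
        add_computer_to_group "$dn" && echo "added $dn to $GROUP_DN"
    fi
}

# Only touch the domain when asked explicitly, so the functions can be sourced
# and checked without network access.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `--run` from the load script after the bind has had time to replicate; it exits non-zero if the computer object cannot be found yet, which is the cue to retry rather than proceed. Passing the bind password via a root-only file instead of on the command line also keeps it out of the process list, unlike the -P argument in the commands above.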