Solved

Add a computer object to a group in Active Directory

  • September 11, 2013
  • 6 replies
  • 1 view


I have been working on this issue for a while and can't seem to figure out a way to automate adding a computer object in Active Directory to a group that is also in Active Directory. We will soon be using 802.1x authentication over ethernet using machine certificates to authenticate, so I got everything in place to have machine certificates distributed via a Configuration Profile / MDM. This works fine once the computer object has been added to the AD group that has access to the machine certificate template on the CA. Unfortunately, there is a lot of paperwork required by my team to place the computer object into a group in Active Directory so I was hoping that I could automate this process.

My ideal solution would be to have this process automated during the load script while the machines were being imaged. The machines would be bound to Active Directory, give the DCs time to replicate, then use either dscl or dseditgroup to place the computer object into the group. This is where I have been having trouble and was looking for some guidance. Here are the two commands that I have tried:

dseditgroup -u (username) -P (password) -o edit -n "/Active Directory/(domain)/(fqdn)" -a (computername)$ -t computer (groupname)
dscl -u (username) -P (password) localhost append "/Active Directory/(domain)/(fqdn)/Groups/(groupname)" GroupMembership (computername)$

(I have also tried modifying members instead of GroupMembership).

These commands always fail, and when I look at /var/log/opendirectory.log after turning on debug logging I always see an error saying "ldap - ODRecordAddValue failed with error 'Unknown record attribute type' (4200)".

Has anyone tried to do something similar with different results or does anyone have any suggestions? Thanks!
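As an added example (not from the thread and not part of adtool), the script below implements the "bind, wait for replication, then deal with the group" sequence from the original post in a read-only way: it polls the AD node until the new computer record is visible, then confirms the record is in the group that is allowed to request the machine certificate, so a load script can fail loudly before the 802.1x profile is relied on. The node name, the group name, and the assumption that dseditgroup -o checkmember exits 0 for a member are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Run after dsconfigad has bound the Mac:
# it polls until the computer record is visible in the AD node (the replication
# wait the post mentions), then confirms membership in the certificate group.
# Read-only: the group change itself is still done with adtool or by the AD team.
AD_NODE="/Active Directory/EXAMPLE/All Domains"   # assumed node name
CERT_GROUP="Mac-8021x-Computers"                   # assumed group name

# computer_record <short hostname>: AD computer records carry a trailing '$'
computer_record() {
  printf '/Computers/%s$\n' "$1"
}

# retry <tries> <delay_seconds> <command...>: rerun the command until it exits 0
retry() {
  tries=$1; delay=$2; shift 2
  n=0
  while [ "$n" -lt "$tries" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1))
    [ "$n" -lt "$tries" ] && sleep "$delay"
  done
  return 1
}

# record_visible <record path>: true once the directory can read the object
record_visible() {
  dscl "$AD_NODE" -read "$1" RecordName
}

# check_cert_group <short hostname>: 0 in group, 1 not in group, 2 not replicated
check_cert_group() {
  rec=$(computer_record "$1")
  if ! retry 12 10 record_visible "$rec"; then
    echo "$rec not yet visible in $AD_NODE; replication still pending" >&2
    return 2
  fi
  # assumed: dseditgroup exits 0 when the member is in the group
  if dseditgroup -o checkmember -n "$AD_NODE" -m "$1\$" "$CERT_GROUP"; then
    return 0
  fi
  echo "$rec is not in $CERT_GROUP; the machine cert will not be issued" >&2
  return 1
}

# Usage: sh check_cert_group.sh <short hostname>
if [ $# -eq 1 ]; then check_cert_group "$1"; fi
```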

Best answer by colonelpanic


6 replies

  • Valued Contributor
  • 215 replies
  • September 12, 2013

Why not move the computers into the appropriate AD group as part of the AD Binding process?

We have been doing this for a while.


  • Author
  • Contributor
  • 82 replies
  • September 12, 2013

How so?


  • Valued Contributor
  • 215 replies
  • September 12, 2013

In our case, in the AD binding settings we have the following in the "Computer OU" field:

OU=Workstations-Mac,OU=Resources,OU=HIT,DC=utas,DC=ad,DC=internal

As long as you have a service account that can bind computers to AD, you should be able to add a path similar to the above for the group you need.
So if you look at it logically it is:
utas.ad.internal
    HIT
        Resources
            Workstations-Mac


  • Author
  • Contributor
  • 82 replies
  • September 12, 2013

Unfortunately the group is not a container. We already have the computers going into a "Macintosh" OU, but I'm looking to add machines in an entirely different group as well.

When I tried to add the machines into that group by specifying it as an OU, dsconfigad gave me an error saying the specified container does not exist.


  • Author
  • Contributor
  • 82 replies
  • September 16, 2013

Turns out Apple says it is not possible to do what I'd like to do:

http://support.apple.com/kb/HT4779

Does anyone know of any third party applications that might be able to do what I am trying to do?


  • Author
  • Contributor
  • 82 replies
  • Answer
  • September 17, 2013

For anyone else looking to accomplish the same thing, I found a tool called adtool that does exactly this! After writing to /usr/local/etc/adtool.cfg and setting all the variables the tool actually becomes very powerful.

