Add an Active Directory group to an existing LDAP Configuration

New Contributor III


I currently have machines bound to AD with two AD security groups as admin groups. I'm trying to figure out how to add additional groups to the configurations remotely. I know I can run dsconfigad -group "DOMAINGROUPNAME,DOMAINGROUPNAME2", etc., but this seems to overwrite the existing one and prompt me for my credentials. Does anyone know how to add a group to an existing config using a JAMF policy? If I just make a new Directory Configuration in JAMF and push that to machines already bound, will it simply take over the existing configuration, or fail and say that the machine is already bound?

Thank you,

Randy Shore


Contributor III

You will need to script this. First you need to grab the groups currently listed, then append your new groups to that. See the script I use below. Note I am doing this from memory, so it may not be 100% accurate or the best way to do this:

newGroups='DOMAIN\GroupName1,DOMAIN\GroupName2'   # placeholder: the groups to append
currentGroups=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/^ *//')
dsconfigad -groups "$currentGroups,$newGroups"

You may also want to add some code to verify that you are currently bound to AD before modifying the groups. Or you could just scope a policy to run this script only on Macs bound to AD. This also doesn't check to see if GroupName1 or GroupName2 are already added, so you may need to add code for that as well.
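As an added example (not code from the original thread or from Jamf), here is a fuller version of the same approach that covers the three gaps mentioned above: it checks that the Mac is bound before touching anything, treats an unset "Allowed admin groups" line as an empty list, and skips groups that are already present (compared case-insensitively, as AD group names are). The `dsconfigad -show` output used below is a constructed sample; the script assumes that output format, that the line reads "not set" when no admin groups are configured, and that an unbound Mac prints no "Active Directory Domain" line. The parsing and merging logic takes the `-show` text as an argument so it can be exercised offline; only `apply_groups` calls the real `dsconfigad`.

```shell
#!/bin/bash
# Added example, not from the original thread. Appends AD admin groups to an
# existing dsconfigad binding without clobbering the groups already there.

# Constructed sample of `dsconfigad -show` output (assumed format).
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac01$
Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = CORP\Mac Admins,CORP\Helpdesk
  Authentication from any domain = Enabled'

# Constructed sample for a bound Mac with no admin groups configured.
UNSET_SHOW='Active Directory Domain          = corp.example.com
Advanced Options - Administrative
  Allowed admin groups           = not set'

# is_bound SHOW_OUTPUT: succeeds if the output names an AD domain
# (assumption: an unbound Mac prints no such line).
is_bound() {
  printf '%s\n' "$1" | grep -q '^Active Directory Domain'
}

# current_groups SHOW_OUTPUT: prints the comma-separated admin group list,
# or an empty string when the line says "not set".
current_groups() {
  local val
  val=$(printf '%s\n' "$1" | awk -F'=' '/Allowed admin groups/ {
      sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }')
  [ "$val" = "not set" ] && val=""
  printf '%s' "$val"
}

# merge_groups CURRENT NEW: prints CURRENT with each group from NEW appended
# unless an identical name (ignoring case) is already in the list.
merge_groups() {
  local merged="$1" g
  local IFS=','          # split NEW on commas only; spaces in names survive
  set -f                 # no globbing while the list is expanded unquoted
  for g in $2; do
    g=$(printf '%s' "$g" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$g" ] && continue
    if ! printf '%s\n' "$merged" | tr ',' '\n' | grep -qixF -- "$g"; then
      merged="${merged:+$merged,}$g"
    fi
  done
  set +f
  printf '%s' "$merged"
}

# apply_groups NEW: read the live binding and push the merged list.
# Must run as root (as a Jamf policy does); refuses to run when unbound.
apply_groups() {
  local new="$1" show cur merged
  command -v dsconfigad >/dev/null 2>&1 || { echo "dsconfigad not found" >&2; return 2; }
  show=$(dsconfigad -show)
  is_bound "$show" || { echo "Not bound to AD; nothing to do" >&2; return 1; }
  cur=$(current_groups "$show")
  merged=$(merge_groups "$cur" "$new")
  if [ "$merged" = "$cur" ]; then
    echo "All requested groups already present: $cur"
    return 0
  fi
  dsconfigad -groups "$merged"
}

# Jamf passes script parameters starting at $4; pass the groups to add there,
# e.g. 'CORP\Security Team,CORP\Helpdesk'. Nothing runs when it is empty.
if [ -n "${4:-}" ]; then
  apply_groups "$4"
fi
```

Scope the policy to an AD-bound smart group as suggested above, or rely on the `is_bound` check; either way the script never issues `dsconfigad -groups` with a list built from empty or "not set" output, which is the case that silently breaks admin rights when the one-liner is run on a Mac with no groups configured.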