Adding AD security groups via policy

dmitchell
Contributor

I need to add an AD security group to all of our Macs. I know it can be done with Directory Bindings but the Macs are already bound to the domain. Is there another way I can push out a security group to these Macs?

6 REPLIES

alexjdale
Valued Contributor III

What do you mean by add a security group? You can run dsconfigad to give a group admin rights, if that is what you want. It doesn't have to be run at the time the system is bound, it can be added later.

dmitchell
Contributor

@alexjdale We have a group of Techs that need to be administrators on a Mac. A lot of our Macs are missing this and I want to use a policy or configuration profile to essentially push an AD group to all the Macs.

hkabik
Valued Contributor

dsconfigad -groups "DOMAIN\AD GROUP"

sburt
New Contributor III

You can do so, the problem is that it requires AD Admin creds in order to run. These credentials shouldn't be stored within a script, so if you were to do this you would need to create a Jamf Buddy prompt for credentials that could be passed to a variable. This page has some options, but I haven't gotten around to creating and posting a solution that doesn't store credentials in plain text:

https://www.jamf.com/jamf-nation/discussions/9742/active-directory-add-computer-name-to-security-group-after-ad-bind

hkabik
Valued Contributor

There's no reason this should require AD admin creds to run. You're just making a change to the local dsconfigad settings, local admin is all that is necessary. The bind itself isn't being touched, so no need for domain access.

sburt
New Contributor III

I missed OP's follow-up that this was for local admin. That is correct, local admin is all that is necessary. My answer was regarding adding Mac Computer Objects to AD Security Groups.
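
Added example, not part of any post in this thread: `dsconfigad -groups` sets the whole allowed-admin-groups list, so a policy script that pushes one group should merge it with whatever is already configured rather than overwrite it. The sketch below does that using only local root rights (no AD credentials are stored or needed); the group name is the thread's placeholder, and the `Allowed admin groups` label and "not set" value of `dsconfigad -show` are assumptions to confirm on a bound Mac.

```shell
#!/bin/sh
# Added example for a policy script that runs as root. Not from the thread.
# Assumption: `dsconfigad -show` reports the list on a line labelled
# "Allowed admin groups", as in the constructed sample below.

NEW_GROUP='DOMAIN\AD GROUP'   # placeholder from the thread; set your own

# Constructed sample of `dsconfigad -show` output, for offline testing only.
SAMPLE_SHOW='Active Directory Domain          = example.com
Advanced Options - Administrative
  Preferred Domain controller    = (not set)
  Allowed admin groups           = EXAMPLE\domain admins,EXAMPLE\enterprise admins
  Packet signing                 = allow'

# Read `dsconfigad -show` text on stdin, print the comma-separated group list.
current_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# merge_groups CURRENT NEW: print CURRENT with NEW appended unless it is
# already present (AD names compare case-insensitively).
merge_groups() {
    current=$1; new=$2
    case "$current" in
        ''|'not set'|'(not set)') printf '%s\n' "$new"; return 0 ;;  # assumed empty values
    esac
    have=$(printf ',%s,' "$current" | tr '[:upper:]' '[:lower:]')
    want=$(printf ',%s,' "$new" | tr '[:upper:]' '[:lower:]')
    case "$have" in
        *"$want"*) printf '%s\n' "$current" ;;
        *)         printf '%s,%s\n' "$current" "$new" ;;
    esac
}

# Apply the merged list; this only changes local dsconfigad settings.
apply_group() {
    cur=$(dsconfigad -show | current_admin_groups)
    merged=$(merge_groups "$cur" "$NEW_GROUP")
    if [ "$merged" != "$cur" ]; then
        dsconfigad -groups "$merged"
    fi
}

# Only act on a Mac, as root; elsewhere the functions are just defined.
if [ "$(id -u)" -eq 0 ] && command -v dsconfigad >/dev/null 2>&1; then
    apply_group
fi
```

Running `dsconfigad -show` afterwards and checking the admin groups line is a quick way to audit that only the intended groups hold local admin.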