Admin rights scripts for Casper Remote

Cem
Valued Contributor

Hello all,

I know it is an administrator's nightmare to give admin rights to
users... but here we are dealing with adults and we intend to give admin
rights to people if there is a business justification for it.

One of the engineers sent this command to a Mac (I believe via ARD).
dscl . -append /Groups/admin GroupMembership username

...and now all accounts have turned into standard accounts, including the hidden admin account
and the Casper SSH account (these accounts are in /private/var). The account
in /Users/username is still a standard account too (that was the one the dscl command
was meant to target).

Any ideas why this happened? Or has anyone seen this before?

We are using Casper v7.31 and the client Mac has Mac OS X 10.6.5.

This concerns me because I am planning to use this script (see the first
script below) through Casper Remote, and it uses the same command (see the
last line of the first script).

I have tweaked one of the Casper Resources Kit scripts so the Service Desk can
use it with ease by just selecting the Mac, then the script, and adding the
user's name in variable 1. This way they can turn admin rights
on and off. (I have also added the reverse script at the bottom - script 2.)

Even though I have tested these scripts dozens of times with success, I am
not sure whether this command(s) will break the admin group (80)??? Perhaps I should
be looking at an alternative!?
I just don't want to break things, so your input is welcome.

Cheers
Cem

1st script: to give admin rights to a specific user (use with Casper
Remote.app)

#!/bin/sh
# ABOUT THIS PROGRAM
#
# NAME
# GiveAdminRightsToUser.sh -- Add User to Administrative Group.
#
# SYNOPSIS
# sudo GiveAdminRightsToUser.sh
# sudo GiveAdminRightsToUser.sh <mountPoint> <computerName> <currentUsername> <AdminUser>
#
# If the $AdminUser parameter is specified (parameter 4), this is the User
# that will be assigned administrative privileges on the target machine.
#
# Example values: AdminUser="AdminUser1"
#
# If no parameter is specified for parameter 4, the hardcoded value in
# the script will be used.
#
# DESCRIPTION
# This script will add the User that will have administrative access on
# the machine.
# This script should be run after a machine has been bound to Active
# Directory.
# Run it "at reboot" if you are using with Casper Imaging.
#
# The <AdminUser> value can be used with a hardcoded value in the script, or
# read in as a parameter.
# Since the Casper Suite defines the first three parameters as (1) Mount
# Point, (2) Computer Name and (3) username, we are using the fourth
# parameter ($4) as the passable parameter.
#
####################################################################################################
#
# HISTORY
#
# Version: 1
#
# - Created by Cem Baykara on January 31st, 2011 (tweaked Casper Resources
#   Kit script)
#
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################

# HARDCODED VALUE FOR "AdminUser" IS SET HERE
AdminUser=""

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO
# "AdminUser"
if [ "$4" != "" ] && [ "$AdminUser" = "" ]; then
    AdminUser="$4"
fi

####################################################################################################
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# Abort if no user name was supplied either way. The echo and the exit must be
# separate commands; on one line, "exit 1" is only printed as part of the message.
if [ "$AdminUser" = "" ]; then
    echo "Error: No AdminUser is specified."
    exit 1
fi

echo "Giving User the admin privileges..."
dscl . -append /Groups/admin GroupMembership "$AdminUser"

1 ACCEPTED SOLUTION

Cem
Valued Contributor

Here are the corrected scripts with the dseditgroup command instead of dscl
(tested a few times in an AD environment, but I advise you to do your own testing
too)... in case anyone wants it (WARNING: it is not encouraged to give
Users admin rights)

1st script: to give admin rights to a specific user (just type the User name in
variable 4 - use with Casper Remote.app and/or Casper Imaging.app)

#!/bin/sh
# ABOUT THIS PROGRAM
#
# NAME
# GiveAdminRightsToUser.sh -- Add User to Administrative Group.
#
# SYNOPSIS
# sudo GiveAdminRightsToUser.sh
# sudo GiveAdminRightsToUser.sh <mountPoint> <computerName> <currentUsername> <AdminUser>
#
# If the $AdminUser parameter is specified (parameter 4), this is the User
# that will be assigned administrative privileges on the target machine.
#
# Example values: AdminUser="AdminUser1"
#
# If no parameter is specified for parameter 4, the hardcoded value in
# the script will be used.
#
# DESCRIPTION
# This script will add the User that will have administrative access on
# the machine.
# This script should be run after a machine has been bound to Active
# Directory.
# Run it "at reboot" if you are using with Casper Imaging.
#
# The <AdminUser> value can be used with a hardcoded value in the script,
# or read in as a parameter.
# Since the Casper Suite defines the first three parameters as (1)
# Mount Point, (2) Computer Name and (3) username, we are using the fourth
# parameter ($4) as the passable parameter.
#
####################################################################################################
#
# HISTORY
#
# Version: 1
#
# - Created by Cem Baykara on January 31st, 2011
#   (tweaked Casper ResourcesKit script)
#
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################

# HARDCODED VALUE FOR "AdminUser" IS SET HERE
AdminUser=""

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO
# "AdminUser"
if [ "$4" != "" ] && [ "$AdminUser" = "" ]; then
    AdminUser="$4"
fi

####################################################################################################
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# Abort if no user name was supplied either way. The echo and the exit must be
# separate commands; on one line, "exit 1" is only printed as part of the message.
if [ "$AdminUser" = "" ]; then
    echo "Error: No AdminUser is specified."
    exit 1
fi

echo "Giving User the admin privileges..."
# dseditgroup edits the group through Directory Services, keeping the
# shortname (GroupMembership) and GUID (GroupMembers) lists consistent.
/usr/sbin/dseditgroup -o edit -a "$AdminUser" -t user admin


15 REPLIES

Cem
Valued Contributor

Hi Armin,
Wow, that is great, thank you for taking the time to explain it in detail.
Our Macs are bound to AD and it all makes sense... dseditgroup it is then.

Sent from my iPhone

Cem
Valued Contributor

Yep you're right. I am closing the shop :)

Sent from my iPad

On 4 Feb 2011, at 19:19, "Thomas Larkin" <tlarki at kckps.org> wrote:

Then get off the Casper list and enjoy your 3 day weekend! :)

tlarkin
Honored Contributor

Can you post the full command you ran? Did you loop through all users to modify the group membership?

Cem
Valued Contributor

Here is the full command that broke the admin privileges.
dscl . -append /Groups/admin GroupMembership username

Did you loop through all users to modify the group membership?
Nope

tlarkin
Honored Contributor

OK, looking at that script, I think there is a better way to approach this. All of your hidden accounts should have a UID value less than 500. So, going off that, we can generate a list of users that have a UID greater than 500, which will be every non-admin, non-hidden user.

#!/bin/bash

# grab all users with UID over 500 (command substitution was lost in the
# original paste; without it the line tries to run "." as a command)
UserList=$(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }')

# loop through our greater-than-UID-500 user list and add admin rights
for u in $UserList ; do
    dscl . append /Groups/admin GroupMembership "$u"
done

exit 0

To reverse it, just change append to delete.

Cem
Valued Contributor

Sure, but won't this give admin rights to all users in /Users? I just want to give admin rights to 1 specific user…
Also, why did the command break the admin group?

tlarkin
Honored Contributor

Adding a single user should not remove all users from the admin group. My guess is something happened along these lines:

1 - BSD database corruption, rare but happens
2 - When you removed the user from the admin group, an improper syntax
was used like - dscl . delete /Groups/admin

Those are my two best guesses as to why that would happen. I have
never seen it.

Cem
Valued Contributor

Hmmm, that was a freshly rebuilt Mac… can BSD corruption happen on a fresh OS? Perhaps the command kicked in while the indexing was happening… but can these combined together cause this issue, I wonder?

Not applicable

You should always use dseditgroup rather than dscl to edit group memberships:

dseditgroup -o edit -a username -t user admin

(see man page for more examples)

Armin

Not applicable

Cem,

Question for you:

Does the admin group still exist on the system, with all the users removed
from it? Or is the group itself gone completely?

E.g.

dscl . -list /Groups | grep "admin"

should come back with _lpadmin and admin. We've seen a couple of
instances in our environment where the admin group has gone AWOL, but
never been able to track it down. We've always re-imaged rather than try
to reassemble Humpty Dumpty. There's a thread from back on 18 Oct 2010
where someone mentions Apple pointing the finger at antivirus software
whacking the local directory service database. You might try looking in
that direction.

-Charlie

-------------------------------------
Charlie Smith
Desktop Engineer
Information Services Department (ISD)
MIT Lincoln Laboratory
244 Wood St. Lexington, MA 02420
Phone: 781.981.0854
E-mail: charlie.smith at ll.mit.edu
-------------------------------------

Cem
Valued Contributor

Yep that rings a bell.
Unfortunately the engineer must have rebuilt the Mac by now (I am actually off today).

Sent from my iPhone

Cem
Valued Contributor

Thanks for the advice, but I would like to know the reason why dseditgroup and not dscl?

Sent from my iPhone

tlarkin
Honored Contributor

Then get off the Casper list and enjoy your 3 day weekend! :)

Not applicable

Cem

Because it abstracts you from the underlying directory, which may use a different method of storing and determining group membership depending on type (local DS, OD, AD).

See this local group listing in dscl:

rhea:~ armin$ dscl . read /Groups/admin
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 20EE5CE3-D290-4E38-ACA1-D58F70A96D68 16508AD2-5317-416F-87DD-3571756DE26E
GroupMembership: root armin labadmin
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-544

You see that the local DS stores group membership by shortname in GroupMembership and by the GUID in GroupMembers. I think the GUID is canonical, but if these two get out of sync, weird things will happen (as you have seen). I think OD uses the same fields, but don't have one around to test right now.

Oh, and you can have NestedGroups as well. Also the user's PrimaryGroupID can determine group membership:

rhea:~ armin$ dscl . read /Groups/staff
AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000014
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
GroupMembership: root
Password: *
PrimaryGroupID: 20
RealName: Staff
RecordName: staff
RecordType: dsRecTypeStandard:Groups
SMBSID: S-1-5-32-545

rhea:~ armin$ dseditgroup -o checkmember -m armin staff
yes armin is a member of staff

(even though there is no mention of the armin account or GUID in the staff group).

And Active Directory and the AD plug-in determine group membership differently. And of course you can nest AD groups in OD groups or local groups or vice versa.

Summary: groups and group membership are much more complicated than they initially seem. Do not try to mess with them directly. Use dseditgroup (it's been with us since 10.4, with slight changes, but scripts should be fairly compatible).

<http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/dseditgroup.8.html>

PS: In Snow Leopard it will work for ComputerGroups as well.

Armin

PPS: the only thing that dseditgroup does not do is list all available groups. You have to use "dscl /Search list Groups" for that. Though "dseditgroup <groupname>" can be used to determine if a group exists.
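An added example (not code from the thread or from any of its posters) that applies Armin's point about the two membership lists drifting apart: a POSIX sh audit that flags every shortname in a group's GroupMembership whose GeneratedUID is missing from GroupMembers. The group record and the name-to-GUID map are constructed inline from the admin listing above (labadmin's GUID is made up) so the check runs without dscl; on a Mac the same two inputs come from `dscl . read /Groups/admin` and `dscl . read /Users/<name> GeneratedUID`.

```shell
#!/bin/sh
# Audit a local DS group for drift between GroupMembership (shortnames) and
# GroupMembers (GeneratedUIDs). Inputs are constructed here; on a Mac they
# would be captured from dscl as described in the lead-in.

# Print the space-separated value list of one key from dscl "read" output.
ds_field() {  # usage: ds_field <key>   (record text on stdin)
  awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# List shortnames in GroupMembership whose GUID (looked up in a map file with
# one "shortname GUID" per line) is absent from GroupMembers or unknown.
find_drift() {  # usage: find_drift <group record file> <name-to-GUID map file>
  members=$(ds_field GroupMembers < "$1")
  for name in $(ds_field GroupMembership < "$1"); do
    guid=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
    case " $members " in
      *" ${guid:-NO-GUID} "*) ;;   # GUID present: the two lists agree
      *) echo "$name" ;;           # shortname listed, GUID not: drift
    esac
  done
}

# Constructed sample: Armin's admin record, but with labadmin's (made-up) GUID
# deliberately missing from GroupMembers to show what drift looks like.
demo_drift() {
  rec=$(mktemp) && map=$(mktemp)
  cat > "$rec" <<'EOF'
AppleMetaNodeLocation: /Local/Default
GroupMembers: FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000 20EE5CE3-D290-4E38-ACA1-D58F70A96D68
GroupMembership: root armin labadmin
PrimaryGroupID: 80
RecordName: admin
EOF
  cat > "$map" <<'EOF'
root FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000
armin 20EE5CE3-D290-4E38-ACA1-D58F70A96D68
labadmin 11111111-2222-3333-4444-555555555555
EOF
  find_drift "$rec" "$map"
  rm -f "$rec" "$map"
}

demo_drift   # prints: labadmin
```

A non-empty result is the case Armin describes: the shortname list says one thing and the GUID list another, so membership checks can disagree depending on which list a component consults.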
