Jamf Nation Community

I need this as well. I have local admins I'd like to move into a group thats not there so I can scope my smart card policy to all accounts and exclude that specific group. Has to be a way to do this from JSS.

Unfortunately from my musing the "users" functions in JAMF are an under developed after thought. You really just have basic account creation, deletion and password changes. Everything beyond that you have to figure out with scripts and the such.

As far as a Script dscl should be able to create a group and add a user to said group. These commands should creat the group, and append a user to the created group, a script could be built around this. as far as the JAMF side maybe an Extension Attribute to read this group membership and build rules about the smart group, not sure here.

sudo dscl . create /Groups/{Group_Name_Here}
sudo dscl . -append /groups/{Group_Name_Here} GroupMembership {User_Name_Here}

Maybe use a variable for the username and tie it to the JAMF Paramater for whoever is logged in to the computer, or script that separately and define it with a variable.

Unfortunately I've tried using dscl commands. It appears to create the group but it doesn't show up under Users and Groups like if you did it from the sys pref gui.. It also doesn't show the members as being part of the group unless you go through the gui under users and groups and add the group and manually check the users.. So if I run something like dscacheutil -q group -a name test to verify the users are there, no dice. I haven't found a script or anyone doing this. Seems like someone out there should have a script that does this successfully so you don't have to manually create groups for users...

I would suggest not using -append with dscl to add a user to a group. The append command, if run more than once keeps adding those users into the group, so you can end up with multiple entries for the same person in the group if you're not careful and makes it messy to clean up at a later time.
The more Apple supported way to add/change group membership is with dseditgroup

For example:

dseditgroup -o edit -a username -t user groupname

The above adds username to the group groupname. Obviously use real values in the above when running it. As far as I know, both username and groupname would need to exist for the above to work.
While I'm at it, dseditgroup can create groups too, so I would take a look at the manpage for it to see what's possible with it. Here's an example of what it shows in the manpage for creating a new group.

dseditgroup -o create -n /LDAPv3/ldap.company.com -u myusername -P
              mypassword -r "Extra Group" -c "a nice comment" -s 3600 -k "some
              keyword" extragroup

                    The group extragroup is created from the node
                    /LDAPv3/ldap.company.com with the realname, comment,
                    timetolive (instead of default of 14400 = 4 hours), and
                    keyword atttribute values given above if the user
                    myusername has supplied a correct password and has write
                    access.

@bobdole01 FWIW, adding a group with dseditgroup does show the group in the Users & Groups preference pane, and any accounts added to that group also show up when selecting that group, at least with Catalina. I still have to try it on Big Sur, but unless there's some significant difference or a bug, it should work there too.