Posted on 01-22-2020 06:30 PM
Is there an option in JAMF Pro to create a new local group and then add an existing local user to that group? If not, does anyone have a script that would allow me to do this? Thanks in advance!
Posted on 10-22-2020 08:10 AM
Did you ever get an answer to this? I'm struggling with the same thing right now.
Posted on 12-30-2020 05:42 AM
I need this as well. I have local admins I'd like to move into a group that's not there so I can scope my smart card policy to all accounts and exclude that specific group. Has to be a way to do this from JSS.
Posted on 12-30-2020 06:30 AM
Unfortunately, from my musing, the "users" functions in JAMF are an underdeveloped afterthought. You really just have basic account creation, deletion and password changes. Everything beyond that you have to figure out with scripts and such.
As far as a script, dscl should be able to create a group and add a user to said group. These commands should create the group and append a user to the created group; a script could be built around this. As far as the JAMF side, maybe an Extension Attribute to read this group membership and build rules about the smart group, not sure here.
sudo dscl . -create /Groups/{Group_Name_Here}
sudo dscl . -append /Groups/{Group_Name_Here} GroupMembership {User_Name_Here}
Maybe use a variable for the username and tie it to the JAMF Parameter for whoever is logged in to the computer, or script that separately and define it with a variable.
Posted on 12-31-2020 06:51 AM
Unfortunately I've tried using dscl commands. It appears to create the group but it doesn't show up under Users and Groups like if you did it from the sys pref GUI. It also doesn't show the members as being part of the group unless you go through the GUI under Users and Groups and add the group and manually check the users. So if I run something like dscacheutil -q group -a name test to verify the users are there, no dice. I haven't found a script or anyone doing this. Seems like someone out there should have a script that does this successfully so you don't have to manually create groups for users...
Posted on 01-02-2021 11:20 AM
I would suggest not using -append with dscl to add a user to a group. The append command, if run more than once, keeps adding those users into the group, so you can end up with multiple entries for the same person in the group if you're not careful, and that makes it messy to clean up at a later time.
The more Apple supported way to add/change group membership is with dseditgroup
For example:
dseditgroup -o edit -a username -t user groupname
The above adds username to the group groupname. Obviously use real values in the above when running it. As far as I know, both username and groupname would need to exist for the above to work.
While I'm at it, dseditgroup can create groups too, so I would take a look at the manpage for it to see what's possible with it. Here's an example of what it shows in the manpage for creating a new group.
dseditgroup -o create -n /LDAPv3/ldap.company.com -u myusername -P mypassword -r "Extra Group" -c "a nice comment" -s 3600 -k "some keyword" extragroup
The group extragroup is created from the node /LDAPv3/ldap.company.com with the realname, comment, timetolive (instead of default of 14400 = 4 hours), and keyword attribute values given above if the user myusername has supplied a correct password and has write access.
@bobdole01 FWIW, adding a group with dseditgroup does show the group in the Users & Groups preference pane, and any accounts added to that group also show up when selecting that group, at least with Catalina. I still have to try it on Big Sur, but unless there's some significant difference or a bug, it should work there too.
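An added example, not posted by anyone in this thread: one way to wrap the dseditgroup approach above so a policy can run repeatedly without creating the group twice or re-adding the user, and so membership is verified afterwards. The function names, the use of Jamf script parameters $4 (group) and $5 (user), and the restriction on allowed name characters are assumptions of this example.

```shell
#!/bin/bash
# Added example: idempotent local group creation and membership via dseditgroup.
# Assumption: run as a Jamf Pro script with $4 = group name, $5 = user name.

# Thin wrappers so every directory call goes through one place.
dse() { /usr/sbin/dseditgroup "$@"; }
user_exists() { id -u "$1" >/dev/null 2>&1; }

# Reject empty names, names that look like options, and unexpected characters
# (the allowed character set is an assumption of this example).
valid_name() {
  case "$1" in
    ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Create the group in the local node only if it is not already there.
ensure_group() {  # $1 = group
  dse -o read -n /Local/Default "$1" >/dev/null 2>&1 && return 0
  dse -o create -n /Local/Default "$1"
}

# Add the user only when checkmember reports they are not in the group yet.
ensure_member() {  # $1 = group, $2 = user
  dse -o checkmember -n /Local/Default -m "$2" "$1" >/dev/null 2>&1 && return 0
  dse -o edit -n /Local/Default -a "$2" -t user "$1"
}

ensure_group_member() {  # $1 = group, $2 = user
  valid_name "$1" && valid_name "$2" || { echo "invalid name" >&2; return 2; }
  user_exists "$2" || { echo "no such user: $2" >&2; return 3; }
  ensure_group "$1" || return 4
  ensure_member "$1" "$2" || return 5
  # Verify the result instead of trusting the exit status of the edit.
  dse -o checkmember -n /Local/Default -m "$2" "$1" >/dev/null 2>&1 || return 6
}

# Jamf reserves $1-$3 (mount point, computer name, user name).
if [ "$#" -ge 5 ]; then
  ensure_group_member "$4" "$5"
fi
```

A non-zero exit code tells the policy log which step failed: 2 invalid name, 3 missing user, 4 group creation, 5 membership edit, 6 verification.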