dsconfigad command / script that has proper and working allowed Admin groups

Posted on 03-21-2014 09:47 AM
I have the commands / script working in our AD domain, but the -groups option is not working. I wind up getting incorrect entries in the allowed Admin groups.
According to man dsconfigad, it is supposed to be:
-groups "DOMAIN\MACADMINS,DOMAIN\IT Help Desk Support"
If I include the quotes, the quotes show up in the allowed Admin groups in dsconfigad -show
Must be missing something.
Works great by using the JSS Directory Bindings.
Any clues?
thx in advance
jk

Posted on 03-21-2014 12:20 PM
This is exactly the same as what we run:
dsconfigad -groups "DOMAIN\GROUPNAME1,DOMAIN\GROUPNAME2"
and I don't see any quotes when reading with:
dsconfigad -show
What shell are you using and are you seeing this in all OS versions? Our setup is probably different as we netboot using DeployStudio and this is part of our scripting during a post boot phase.

Posted on 03-21-2014 04:40 PM
Using bash; haven't tried anything other than 10.9.2.

Posted on 03-22-2014 05:06 PM
This is what I'm using to add our helpdesk staff and our Windows admins in there. I have run this script on 150 Macs so far with no issues whatsoever.
#!/bin/sh
####################################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the JAMF Software, LLC nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team. For more
# information or support for the Resource Kit, please utilize the following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
# changeADAdminGroups.sh -- Change the AD Administrative Groups.
#
# SYNOPSIS
# sudo changeADAdminGroups.sh
# sudo changeADAdminGroups.sh <mountPoint> <computerName> <currentUsername> <groups>
#
# If the $groups parameter is specified (parameter 4), this is the list of Active Directory groups
# that will be assigned administrative privileges on the target machine.
#
# Example values: groups="DOMAIN\group1,DOMAIN\group2,..."
#
# If no parameter is specified for parameter 4, the hardcoded value in the script will be used.
#
# DESCRIPTION
# This script will modify the groups from an Active Directory domain controller that will have
# administrative access on the machine. This script should be run after a machine has been
# bound to Active Directory.
#
# The <groups> value can be used with a hardcoded value in the script, or read in as a parameter.
# Since the Casper Suite defines the first three parameters as (1) Mount Point, (2) Computer
# Name and (3) username, we are using the fourth parameter ($4) as the passable parameter.
#
####################################################################################################
#
# HISTORY
#
# Version: 1.1
#
# - Created by Nick Amundsen on April 15th, 2008
# - Modified by Nick Amundsen on August 1st, 2008
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################
# HARDCODED VALUE FOR "groups" IS SET HERE
# Comma-separated, no quotes inside the value and no trailing comma (a trailing comma
# produces an empty entry in the allowed admin groups list).
groups="DOMAIN\Group Name,DOMAIN\Other Group Name"
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "groups"
# (a value passed from the policy overrides the hardcoded one, as the header describes)
if [ -n "$4" ]; then
    groups="$4"
fi
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################
if [ -z "$groups" ]; then
    echo "Error: No groups are specified."
    exit 1
fi
echo "Changing the Admin Groups setting in the Active Directory plugin..."
if ! /usr/sbin/dsconfigad -groups "$groups"; then
    echo "Error: dsconfigad failed to set the allowed admin groups."
    exit 1
fi
# Show the result so the configured list can be checked against what was intended
/usr/sbin/dsconfigad -show | grep -i "Allowed admin groups"

Posted on 03-23-2014 02:03 PM
You'll have to forgive me as I am on my home laptop and my work laptop is not turning on today again *by choice*. So this is not exact, but you will get the general idea.
What we've done though is to make nested groups inside of the admin group, and using the canonical number to ID them. While this is not in a human readable form, the user will not see that these are admins in the Directory Utility/AD section, but are visible/removable if you edit the local DS (either through Directory Utility or dsconfig).
We then have an EA that goes through and checks to make sure that that canonical number is in the nested groups of the admin group. If it isn't we just add it through a silent policy.
This also allows local admins to add their own admin groups to a machine through the AD configuration, and always leaves us a backdoor if they "accidentally" remove the main admin group. As long as the machine is still bound to AD we are all good.
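Both the script above and the extension attribute described in this last post come down to the same two tasks: producing a clean value for `dsconfigad -groups`, and reading back what the AD plugin actually recorded so a stray quote, a trailing comma, or a removed group is noticed rather than silently accepted. The helpers below are an added example, not code from this thread or from JAMF. They assume the `Allowed admin groups` label that `dsconfigad -show` prints (from memory; adjust the pattern if your OS version prints it differently); the `EXAMPLE` domain and the sample `-show` output are constructed so the block runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from JAMF. Helpers for building a clean
# value for `dsconfigad -groups` and for checking what the AD plugin recorded, the way
# an extension attribute would.
# Assumptions: the "Allowed admin groups" label is the one dsconfigad -show prints
# (from memory); the EXAMPLE domain and the sample output below are constructed.

# Print a cleaned comma-separated list: stray double quotes removed, each entry
# trimmed, empty entries (such as the one a trailing comma leaves) dropped.
# Entries may contain spaces, e.g. "EXAMPLE\IT Help Desk Support".
normalize_groups() {
    printf '%s\n' "$1" | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            g = $i
            gsub(/"/, "", g)
            sub(/^[ \t]+/, "", g)
            sub(/[ \t]+$/, "", g)
            if (g != "") out = (out == "" ? g : out "," g)
        }
        print out
    }'
}

# Read `dsconfigad -show` output on stdin and print the value after
# "Allowed admin groups =" (prints "not set" when nothing is configured).
allowed_admin_groups() {
    awk -F' = ' '/Allowed admin groups/ { print $2 }'
}

# Exit 0 if GROUP is one of the entries in LIST, else 1. AD group names are
# compared case-insensitively. This is the check an extension attribute would run.
has_admin_group() {
    group_list=$1
    group_wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$group_list" | tr ',' '\n' | tr 'A-Z' 'a-z' | grep -Fqx -- "$group_wanted"
}

# Compare the intended list with what the plugin reports. Arguments: the list you
# meant to set, and the text of `dsconfigad -show`. Exit 0 on match, 1 otherwise.
verify_admin_groups() {
    wanted=$(normalize_groups "$1" | tr 'A-Z' 'a-z')
    actual=$(printf '%s\n' "$2" | allowed_admin_groups | tr 'A-Z' 'a-z')
    if [ "$wanted" = "$actual" ]; then
        printf 'OK: allowed admin groups = %s\n' "$actual"
        return 0
    fi
    printf 'MISMATCH: wanted "%s" but dsconfigad reports "%s"\n' "$wanted" "$actual"
    return 1
}

# Constructed sample of `dsconfigad -show` output for offline use.
SAMPLE_SHOW='Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = EXAMPLE\macadmins,EXAMPLE\it help desk support
  Authentication from any domain = Enabled'

# A value carrying the quoting mistakes from the first post: embedded quotes and a
# trailing comma. normalize_groups turns it into the form dsconfigad expects.
INTENDED='"EXAMPLE\MACADMINS,EXAMPLE\IT Help Desk Support,"'

# On a real Mac (as root) the flow is:
#   groups=$(normalize_groups "$4")
#   /usr/sbin/dsconfigad -groups "$groups"
#   verify_admin_groups "$groups" "$(/usr/sbin/dsconfigad -show)"
# Here only the verification runs, against the constructed sample.
verify_admin_groups "$INTENDED" "$SAMPLE_SHOW"
```

For the extension attribute, `has_admin_group "$(/usr/sbin/dsconfigad -show | allowed_admin_groups)" 'EXAMPLE\macadmins'` gives the yes/no answer a policy can scope on; `verify_admin_groups` is the stricter check to run right after setting the list, since it catches entries that were added with quotes or an empty entry from a trailing comma.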
