EA for AD info

j99mac
Contributor

Does anyone know of a command that I can use to find the computer account of a Mac bound to AD?

I use sudo dsconfigad -show but would like to make an Extension Attribute to only show the computer account.


Aaron
Contributor II

You could always do it through some BASH tomfoolery:

```
dsconfigad -show | grep "Computer Account" | cut -d'=' -f2 | tr -d ' '
```

j99mac
Contributor

I am looking to make this info an Extension Attribute.

```
MACHINE_NAME=`/usr/sbin/dsconfigad -show | grep "Computer Account" | awk '{ print $4 }'`
echo "<result>$lMACHINE_NAME</result>"
```

Would this work?

luke_j_nelson
New Contributor II

Here's what I came up with to get what groups a computer account is a member of:

```
#!/bin/sh

computer=`dsconfigad -show | grep 'Computer Account' | awk '{ print $4 }'`

# The node path contains spaces, so it has to be quoted
groups=$( dscl "/Active Directory/All Domains" read "/Computers/$computer" dsAttrTypeNative:memberOf )

echo "<result>$groups</result>"
```

You can just run
```
dscl "/Active Directory/All Domains" read "/Computers/$computer"
```
and that should pull the whole computer account.

If you get an error that All Domains is not a valid data source, run
```
dscl localhost -read "/Active Directory"
```
The data you need from this is the PrimaryNTDomain and dsAttrTypeNative:DomainName. In the extension attribute script, replace All Domains with PrimaryNTDomain/dsAttrTypeNative:DomainName

luke_j_nelson
New Contributor II

Yeah, that should work, with the typo corrected in the result.

JPDyson
Valued Contributor

Try it :)

No, seriously, the best way to craft your EAs is to run them as scripts on a test machine and see if you get back what you expect. As a general rule, I don't like taking the direct output of a shell command. If your machine isn't bound, for example, you'll get a blank response here which might be tough to distinguish from a machine that just hasn't run the EA yet. You might consider adding a condition that if the variable is empty, you return a result like "Not Bound".

Also, this is only going to work for the built-in AD plugin (as 3rd party AD tools add their own directory service and don't use the generic "Active Directory" service). If you're using Centrify or Thursby, you'll need to query using their tools.
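
An Extension Attribute along the lines described in the post above, as an added example that is not part of any post in this thread: it reports "Not Bound" when dsconfigad returns no computer account, and it also drops the trailing `$` of the machine account. The function names and the sample output are constructed for illustration; only the built-in AD plugin is covered.

```sh
#!/bin/sh
# Added example (not from the thread): EA that reports the AD computer
# account, or an explicit "Not Bound" marker instead of a blank value.
# Assumption: the Mac uses the built-in AD plugin, so dsconfigad applies.

# Read `dsconfigad -show` text on stdin and print the computer account.
# Splitting on '=' takes the value regardless of column padding; the
# value is trimmed and the trailing '$' of the machine account removed.
parse_computer_account() {
    awk -F'=' '/^[ \t]*Computer Account[ \t]*=/ {
        v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        sub(/\$$/, "", v)
        print v
        exit
    }'
}

# Build the EA payload from dsconfigad output passed as $1.
# Empty output or a missing "Computer Account" line becomes "Not Bound".
ea_result() {
    account=$(printf '%s\n' "$1" | parse_computer_account)
    if [ -z "$account" ]; then
        printf '<result>Not Bound</result>\n'
    else
        printf '<result>%s</result>\n' "$account"
    fi
}

# Constructed sample of output from a bound Mac (not from a real machine).
SAMPLE_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-042$

Advanced Options - User Experience
  Create mobile account at login = Enabled'

# Live run: an unbound Mac (or a missing dsconfigad) yields empty output.
ea_result "$(/usr/sbin/dsconfigad -show 2>/dev/null || true)"
```

With this in place, a blank EA value in the inventory means the script has not run yet, not that the Mac is unbound.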

mm2270
Legendary Contributor III

Yeah, that should do it. But if you're going to use awk, you can just use awk's regex matching, like this, and you can also shorten it to one line-

```
#!/bin/sh

echo "<result>`/usr/sbin/dsconfigad -show | awk '/Computer Account/{print $NF}'`</result>"
```

j99mac
Contributor

I'm looking to only show the computer account name and not the group.

j99mac
Contributor

I tried running this as an EA:

```
#!/bin/sh
echo "<result>/usr/sbin/dsconfigad -show | awk '/Computer Account/{print $NF}'</result>"
```

Nothing; no results are showing up. Has anyone tried this?

mm2270
Legendary Contributor III

Then you might need to have some conditional statements in there as JPDyson suggested, so if it turns up blank it returns something like "No result" or whatever.

Also, are you sure you ran a recon on one of your Macs after adding the EA in your JSS?

j99mac
Contributor

I got it to work.

alex_merenyi
New Contributor II

I use the following:

```
#!/bin/sh

adname=`dsconfigad -show | grep "Computer Account"`
echo "<result> $adname </result>"
```

Which seems to work pretty well.

SeanA
Contributor III

Lovingly stolen from elsewhere on JAMF NATION:

```
echo "<result>`dsconfigad -show | awk '/Computer Account/{print $NF}' | tr '[a-z]' '[A-Z]' | sed 's/$$//'`</result>"
```

cbd4s
Contributor II

Thanks so much. Very helpful info.

This is probably impossible. Any chance this could be modified to also show nested groups: the computer is directly the member of group a, which is the member of group b?

Found this util dsgrouputil, which might be the way to go.

https://github.com/jatoben/dsgrouputil