I haven't tested, but I would assume you just need to put quotes around the ${u} in the dseditgroup line, like this-

/usr/sbin/dseditgroup -o edit -a "${u}" -t user admin

I am pretty sure you cannot have spaces in short names in OS X. Although, I suppose I have never tried to have a space in a shortname. My guess is, perhaps the BIND plugin to eDir is not mapping the proper LDAP attribute to the user's actual shortname. Thus, it is failing? Of course this is totally a blind guess, so I could be wrong.

I haven't touched Novell in like 8+ years, but I do remember that non Windows systems had to authenticate with a Unix account setting in console one and/or eDir, which was a setting in eDir specifically for non Windows devices when trying to authenticate.

Plus spaces would break the awk command, since awk uses white space as a delimiter by default.

I would have thought that as well, but….

$sudo dscl . create /Users/my test

$ dscl . read /Users | grep "test"
$ my test

Seems you can have spaces in the short name. Of course I did not create a home directory with the above command. The "my test" account only exists in directory services at that point. No home folder, so maybe when getting to that point it won't allow for a home directory name with a space. Haven't tried that though.

The GUI doesn't allow for a space, FWIW. So I don't know what the above would do...

@tlarkin It lists the users all correct except the user with the space. It is only using the first word for the user with spaces.

mactest
staff
test (should be 'test teacher')

@Nick_Gooch - give the following a try. In quick tests this should print out the correct fields so you should get your full 2 field names as well as the ones that are only one field

dscl . list /Users UniqueID | awk '$2 > 500 {$(NF--)=""; print}'

You will still need to place quotes around the variable that contains the username in the commands that follow it though since you'll want to avoid having the space get in the way.

Here is what I tried. It still gives admin rights to the users with one name but not two. ```

!/bin/bash

generate local user account based on UID of greater than 1000, if multiple AD accounts exist this will grab all of them

userList=$(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 1000 {$(NF--)=""; print}')

for u in ${userList} ; do

/usr/sbin/dseditgroup -o edit -a "${u}" -t user admin

done

exit 0
```

Thanks for all the help so far.

I can't test anything right now, but try changing the line above from

for u in ${userList} ; do

to

for u in "${userList}" ; do

that might still not work, but again, I can't test anything just yet.

No dice.

I did get your script from this discussion https://jamfnation.jamfsoftware.com/discussion.html?id=8048 to work at login by changing the $3 to "$3". I would prefer it to not have to run at login since these are teacher's laptops and they rarely log out, if ever. But it does work, so if you guys still want to mess with it I will continue to test it. If not no worries and I will stick with your other script.

Thanks for all the help, as always.

Give this a shot, building arrays and working with array elements is a little more space tolerant. That said, by default, they don't contain spaces. So you may experience some "weirdness" with these accounts.

#!/bin/bash

userList=()
while read line; do
    [ -z "${line}" ] && continue
    userList+=("${line}")
done <<< "$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$NF > 1000 { $NF=""; print $0 }')"

for u in "${userList[@]}" ; do
    /usr/sbin/dseditgroup -o edit -a "${u}" -t user admin
done

Edit: Updated the awk command to print all but the last field.

I wrote this a while back. It might prove useful for you.
https://github.com/franton/Add-Users-as-Admin-JSS

I basically play around with BASH's internal field separator and do the whole array thing mentioned earlier. Be careful, this is an older version that doesn't work with Casper 9, but does with Casper 8.

#!/bin/bash

# Script to grab the authorised admin users and grant those rights to a target computer at logout.

# Author      : r.purves@arts.ac.uk

# Set up needed variables here

ethernet=$(ifconfig en0|grep ether|awk '{ print $2; }')
apiurl=`/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url`
apiuser='apiuser'
apipass=''

# Grab user info from extension attribute for target computer and process.

# Retrieve the computer record data from the JSS API

cmd="curl --silent --user ${apiuser}:${apipass} --request GET ${apiurl}JSSResource/computers/macaddress/${ethernet//:/.}"
hostinfo=$( ${cmd} )

# Reprogram IFS to treat commas as a newline

OIFS=$IFS
IFS=$','

# Now parse the data and get the usernames

adminusers=${hostinfo##*Admin Users</name><value>}
adminusers=${adminusers%%</value>*}

# Parse that variable into an array for easier processing

read -a array <<< "$adminusers"

# Set IFS back to normal

IFS=$OIFS

# Loop to check name(s) are present on the mac and process them into the admin group.   

for (( loop=0; loop<=${#array[@]}; loop++ ))
do

# Does specified user exist on the system in /Users? Loop round and if so place in admin group.

 for Account in `ls /Users`
 do

    if [[ $Account == ${array[$loop]} ]];
    then
       echo "adding "${array[$loop]}" to admin group"
       dscl . -merge /Groups/admin GroupMembership "${array[$loop]}"
    fi
 done

done

# Finished!

exit 0

Hi Everyone,

I was out of town for work all week so I did not have a lot of time to sit down and look at this until now. My thoughts are, first to check the LDAP attributes that are mapping to the shortname in the directory services plugin on the OS X side. This will be in your BIND settings. I don't know what problems you can encounter with having spaces in shortnames down the road, and I think it should be at least looked at. If, in your testing, you find that spaces don't break anything then you could move forward. I just have never used spaces in a shortname ever, so I don't know the larger impact of doing that.

The dseditgroup binary should have built in logic that it will not add the same user into the same group twice. I just tested this by adding my user to the admin group (this account is already in that group) and then I ran a check membership query with the dseditgroup binary against that group. My username was not listed twice. I don't think the binary gives you any verbose output to let you know a duplicate is found, it just rather does that silently. However, checking if the user exists is probably not a bad thing, but I think it is not needed.

Using for loops with the ls command is not a good practice. This is a bashism, or a limitation of the shell interpreter. If you use a for loop with ls, the strings it outputs it will treat white space as a new line. Meaning that a file with spaces in it will be treated as multiple files. I created a bunch of files in /tmp just now:

bash-3.2$ ls
file
**file with spaces**
**file with spaces 2**
**file with spaces 3**
file1
file2
spaces
with

Now if I do a for loop with ls, I get this output:

bash-3.2$ for i in $(ls /tmp)
> do
> echo $i
> done
file
file
with
spaces
file
with
spaces
2
file
with
spaces
3
file1
file2
spaces
with

So, ls will treat all those spaces as new files. Sure you can quote, and try other things as work around, but really using bash internals to solve this would be most ideal.

bash-3.2$ for i in /tmp/*
> do
> echo $i
> done
/tmp/file
/tmp/file with spaces
/tmp/file with spaces 2
/tmp/file with spaces 3
/tmp/file1
/tmp/file2
/tmp/spaces
/tmp/with

Now to look at the current issue of spaces in short names, I did some testing here:

from dscl list users output:

the user
the user2
tlarkin

So, it looks like when I create a user with dscl it allowed me to create a shortname with spaces. At fist I got a blank output, because creating a blank user record in dscl is not actually creating a user, so I had to manually create a UniqeID for those users I created, then this code worked:

$ dscl . list /Users UniqueID | awk '$2 > 500 {$(NF--)=""; print}'
aesopr 
bcrocker_ad 
test 
the user 
the user2 
tlarkin

Both of my users with spaces worked, well, they at least worked for output of the awk pipe to display them in standard out. So, I tried the dseditgroup:

sh-3.2# for u in $(dscl . list /Users UniqueID | awk '$2 > 500 {$(NF--)=""; print}'); do dseditgroup -o edit -a "${u}" -t user admin; done
Record was not found.
Record was not found.
Record was not found.
Record was not found.

In my original output I had 6 entries, when trying to take the output of the dscl query and looping it through dseditgroup I get 2 less entries and dseditgroup is telling me the user record is not found. Taking several example code from this thread and messing around with it, I think that dseditgroup cannot handle files with spaces in it, here is my test script:

borrowed code from @Josh_S][/url

#!/bin/bash
set -x
# test looping through shortnames with spaces

getUsers=()
while read line; do
[ -z "${line}" ] && continue
getUsers+=("${line}")
done <<< $(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 {$(NF--)=""; print}')

for u in ${getUsers[@]} ; do

dseditgroup -o checkmember -m "${u}" -t user staff

done

exit 0

Here is the output:

$ bash test_user_spaces.sh 
+ getUsers=()
++ /usr/bin/dscl . list /Users UniqueID
++ /usr/bin/awk '$2 > 500 {$(NF--)=""; print}'
+ read line
+ '[' -z 'aesopr bcrocker_ad test tlarkin user space' ']'
+ getUsers+=("${line}")
+ read line
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m aesopr -t user staff
no aesopr is NOT a member of staff
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m bcrocker_ad -t user staff
no bcrocker_ad is NOT a member of staff
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m test -t user staff
yes test is a member of staff
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m tlarkin -t user staff
yes tlarkin is a member of staff
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m user -t user staff
Unable to find the user record
+ for u in '${getUsers[@]}'
+ dseditgroup -o checkmember -m space -t user staff
Unable to find the user record
+ exit 0

So, it is still trying to send 'user space' as two separate strings to dseditgroup. If I manually input a literal string into the dseditgroup command I get this:

$ dseditgroup -o checkmember -m 'user space' -t user staff
no user space is NOT a member of staff

The user is not a member of any group so it is working. The user just has a username and an UID, otherwise no other attribute is set. So, the output of that is correct.

So, I think to maybe see at the other possible issues here, can we get test output from your test account on this command?

dscl . read '/Users/test teacher'

I am just curious to what dscl will output from that. There could be another way to accomplish this, or maybe we might shed some light on something else we can fix.

Thanks,
tom

EDIT - I have not tried the code @franton posted where you use dscl to merge the array with the record in dscl versus dseditgroup. If I recall correctly, dseditgroup is the recommended method Apple suggests for doing these exact tasks. That could also be a work around.

The ONLY reason I do it that way, is that i've found dseditgroup can be problematic when passing info contained in string variables to it.

The ONLY reason I do it that way, is that i've found dseditgroup can be problematic when passing info contained in string variables to it.

Yeah I think that might be the problem here. I think that the dseditgroup binary automatically treats white space as a delimiter because short names probably should not have spaces in them. So, I could see why your solution fits. I am not trying to say you can't or shouldn't use dscl, but rather that dseditgroup was designed for this type of function.

Also, I did some clean up in between testing this out, so I had already deleted my first two user accounts with spaces and then created a third one with a different short name. I didn't want stale or incomplete user records on my test VM. So, that is why in my later examples I am parsing a different user account.

For testing purposes all I did was create the user account, and give it a UID, and I did nothing else.

Overall, I like the solutions posted here, I just think that having spaces in short names is going to have problems down the road, and that may be the root of the problem.

Thanks,
Tom

It looks like Mike's worked. I changed the 500 to 1000 as I only want network users but other then that it seems to be working. I haven't tested Josh's yet but I will.

Our users have been setup like this since I got here. Came across a few issues here and there but they seem to work for the most part. As far as the output for dscl . read '/Users/test teacher'

~ test teacher$ dscl . read '/Users/test teacher'
dsAttrTypeNative:_writers_hint:
 test teacher
dsAttrTypeNative:_writers_jpegphoto:
 test teacher
dsAttrTypeNative:_writers_LinkedIdentity:
 test teacher
dsAttrTypeNative:_writers_passwd:
 test teacher
dsAttrTypeNative:_writers_picture:
 test teacher
dsAttrTypeNative:_writers_realname:
 test teacher
dsAttrTypeNative:_writers_UserCertificate:
 test teacher
dsAttrTypeNative:account_instance: 4C3D7C65-54E0-44E4-81FD-10EBAE564DB5
dsAttrTypeNative:cached_auth_policy:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <data>
    </data>
</array>
</plist>

dsAttrTypeNative:original_realname:
 test teacher
dsAttrTypeNative:original_shell: /bin/bash
dsAttrTypeNative:preserved_attributes: dsAttrTypeStandard:RealName dsAttrTypeStandard:AuthenticationAuthority dsAttrTypeStandard:NFSHomeDirectory dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:UserShell dsAttrTypeStandard:Picture dsAttrTypeStandard:JPEGPhoto dsAttrTypeStandard:AppleMetaNodeLocation dsAttrTypeStandard:CreationTimestamp dsAttrTypeStandard:ModificationTimestamp dsAttrTypeStandard:PasswordPolicyOptions dsAttrTypeNative:ShadowHashData
AppleMetaNodeLocation: /Local/Default
AuthenticationAuthority:
 ;LocalCachedUser;/Kanaka/Auth:test teacher:11C87488-1546-4220-8486-8874C8114615
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
CopyTimestamp: 2014-07-15T19:41:33Z
FirstName: test
GeneratedUID: 11C87488-1546-4220-8486-8874C8114615
LastName: teacher
MCXFlags:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>has_mcx_settings</key>
    <true/>
    <key>simultaneous_login_enabled</key>
    <true/>
</dict>
</plist>

MCXSettings:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>mcx_application_data</key>
    <dict>
        <key>com.apple.MCX</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>com.apple.cachedaccounts.CreateAtLogin</key>
                        <true/>
                        <key>com.apple.cachedaccounts.CreatePHDAtLogin</key>
                        <false/>
                        <key>com.apple.cachedaccounts.WarnOnCreate</key>
                        <false/>
                    </dict>
                </dict>
            </array>
        </dict>
        <key>com.apple.dock</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>AppItems-Raw</key>
                        <array/>
                        <key>DocItems-Raw</key>
                        <array/>
                        <key>MCXDockSpecialFolders</key>
                        <array>
                            <string>AddDockMCXOriginalNetworkHomeFolder</string>
                        </array>
                        <key>contents-immutable</key>
                        <false/>
                        <key>static-only</key>
                        <false/>
                    </dict>
                    <key>mcx_union_policy_keys</key>
                    <array>
                        <dict>
                            <key>mcx_input_key_names</key>
                            <array>
                                <string>AppItems-Raw</string>
                            </array>
                            <key>mcx_output_key_name</key>
                            <string>static-apps</string>
                            <key>mcx_remove_duplicates</key>
                            <true/>
                        </dict>
                        <dict>
                            <key>mcx_input_key_names</key>
                            <array>
                                <string>DocItems-Raw</string>
                            </array>
                            <key>mcx_output_key_name</key>
                            <string>static-others</string>
                            <key>mcx_remove_duplicates</key>
                            <true/>
                        </dict>
                        <dict>
                            <key>mcx_input_key_names</key>
                            <array>
                                <string>MCXDockSpecialFolders-Raw</string>
                            </array>
                            <key>mcx_output_key_name</key>
                            <string>MCXDockSpecialFolders</string>
                            <key>mcx_remove_duplicates</key>
                            <true/>
                        </dict>
                    </array>
                </dict>
            </array>
        </dict>
        <key>com.apple.homeSync</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>excludedPrefItems-managed</key>
                        <array>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Application Support/SyncServices</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Caches</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Logs</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/ByHost</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Safari/Icons</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>startsWith</string>
                                <key>value</key>
                                <string>Mac-</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>startsWith</string>
                                <key>value</key>
                                <string>IMAP-</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/com.apple.dock.plist</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/com.apple.iChatAgent.plist</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/com.apple.sidebarlists.plist</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/com.apple.systemuiserver.plist</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Preferences/loginwindow.plist</string>
                            </dict>
                            <dict>
                                <key>comparison</key>
                                <string>fullPath</string>
                                <key>value</key>
                                <string>~/Library/Printers</string>
                            </dict>
                        </array>
                        <key>periodicSyncOn</key>
                        <true/>
                        <key>replaceUserPrefSyncList</key>
                        <false/>
                        <key>syncPeriodSeconds</key>
                        <integer>14400</integer>
                        <key>syncedPrefFolders-managed</key>
                        <array/>
                    </dict>
                </dict>
            </array>
        </dict>
        <key>loginwindow</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>AutoLaunchedApplicationDictionary-raw</key>
                        <array>
                            <dict>
                                <key>AuthenticateAsLoginUserShortName</key>
                                <true/>
                                <key>MCX-NetworkHomeDirectoryItem</key>
                                <true/>
                            </dict>
                        </array>
                        <key>DisableLoginItemsSuppression</key>
                        <false/>
                        <key>LoginUserMayAddItems</key>
                        <true/>
                    </dict>
                    <key>mcx_union_policy_keys</key>
                    <array>
                        <dict>
                            <key>mcx_input_key_names</key>
                            <array>
                                <string>AutoLaunchedApplicationDictionary-raw</string>
                            </array>
                            <key>mcx_output_key_name</key>
                            <string>AutoLaunchedApplicationDictionary-managed</string>
                            <key>mcx_remove_duplicates</key>
                            <true/>
                        </dict>
                    </array>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
</plist>

NFSHomeDirectory:
 /Users/test teacher
OriginalAuthenticationAuthority: ;basic;
OriginalHomeDirectory:
 <home_dir><url>afp://servername</url><path>Home/test teacher</path></home_dir>
OriginalNFSHomeDirectory:
 /Network/Servers/servername/Home/test teacher
OriginalNodeName: /Kanaka/Auth
Password: 
PasswordPlus: 
PasswordPolicyOptions:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>failedLoginCount</key>
    <integer>0</integer>
    <key>failedLoginTimestamp</key>
    <date>2001-01-01T00:00:00Z</date>
    <key>lastLoginTimestamp</key>
    <date>2014-07-15T19:42:59Z</date>
    <key>passwordLastSetTime</key>
    <date>2014-07-15T19:42:59Z</date>
    <key>trackLastLogin</key>
    <integer>1</integer>
</dict>
</plist>

PrimaryGroupID: 20
RealName:
 test teacher
RealUserID:
 test teacher.server.org
RecordName:
 test teacher
RecordType: dsRecTypeStandard:Users
SMBSID: S-1-5-21-987654321-987654321-987654321-3762490044
UniqueID: 1881244522
UserShell: /bin/bash

Hi @Nick_Gooch

Thanks for posting that. It looks like you are mapping the same LDAP attribute for RealName and RecordName. Which is probably why you are getting the space in the short name. I would look at how the BIND to eDir maps this and possibly look at mapping Unix name (if I recall from my Novell days a long, long time ago) to get the proper short name.

When read the user record of my user account, I get this as my output:

RealName:
 Thomas Larkin
RecordName: tlarkin
RecordType: dsRecTypeStandard:Users
UniqueID: 501
UserShell: /bin/bash
tlark:~ tlarkin$

My RecordName is my short name, which is tlarkin, where as my RealName is my full name with spaces.

Glad it worked out, but I think the LDAP mapping is worth investigating.

Thanks,
Tom