List All Active Directory Groups that a computer belongs to.

BradLines
New Contributor II

I need to make an extension attribute to check for a certain group in our AD. I can list all groups based on a user, but no luck basing it off the computer name. Any ideas?

1 ACCEPTED SOLUTION

BradLines
New Contributor II

I got it working! It's kinda rudimentary, but it does the trick and is easy to read for a non-bash scripter.

#!/bin/bash

# Make a failing stage (e.g. grep finding no DomainNameFlat line) fail the whole
# pipeline, so the exit-status check below actually means something
set -o pipefail

# Flat (NetBIOS) name of the domain this Mac is bound to, as reported by opendirectoryd
domainName=$(echo show com.apple.opendirectoryd.ActiveDirectory | scutil | grep DomainNameFlat | awk '{print $3}')
if [ $? -ne 0 ]
then
    echo "Failed to get domain name, exiting script"
    exit 1
fi

if [ -z "$domainName" ]
then
    echo "Failed to get domain name, exiting script"
    exit 1
fi

# Sharing "Computer Name"; compared below against the names in the group's member list
computerName=$(networksetup -getcomputername)
# Member list of the group to check (replace NameOfTheGroup with the real AD group name)
upn=$(dscl "/Active Directory/$domainName/All Domains" read "/Groups/NameOfTheGroup" GroupMembership)

inGroup="no"
# Word-split the member list and look for an exact match on this Mac's name
for u in $upn; do
    if [[ "$u" == "$computerName" ]] ; then
        inGroup="yes"
        break
    fi
done

echo "<result>$inGroup</result>"


3 REPLIES

daniel_behan
Contributor III

I have one that lists the Group Membership of users. The trick is that the dscl lookup requires a $ sign appended to the end of the computer name.


#!/bin/sh

# The dscl record for a computer is its AD account name, which is the computer name with a trailing "$"
computer=$( hostname )

# memberOf holds one DN per value ("CN=Group,OU=...,DC=..."); keep only the CN values.
# Cutting at the first comma after "CN=" (rather than splitting on the string "OU")
# avoids truncating group names that happen to contain "OU", such as "GROUP".
Groups=$( dscl "/Active Directory/<domain>/All Domains" read "/Computers/${computer}\$" dsAttrTypeNative:memberOf | sed -n -e 's/^dsAttrTypeNative:memberOf://' -e 's/^[[:space:]]*CN=\([^,]*\),.*/\1/p' | xargs )

echo "<result>$Groups</result>"
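A fuller version of the two approaches in this thread, added here as an example and not code from either post: it reads the computer account name from dsconfigad instead of guessing it from the hostname, parses the memberOf DNs in both shapes dscl prints them (a single value on the label's own line, several values one per line under it), and answers yes/no for one group the way an extension attribute needs. The domain, group and computer names and the sample dscl output are constructed; the "Computer Account = name$" line of dsconfigad -show is assumed to carry the account name as the AD plugin uses it.

```bash
#!/bin/bash
# Added example, not code from either post in this thread. Placeholder names
# throughout; SAMPLE_MEMBER_OF is constructed to look like dscl output.

# Computer account name as bound by the AD plugin, e.g. "mac-1234$".
# Assumption: "dsconfigad -show" prints a line "Computer Account = name$".
# Prints nothing when the tool is missing or the Mac is not bound.
ad_computer_account() {
    if command -v dsconfigad >/dev/null 2>&1; then
        dsconfigad -show 2>/dev/null | awk -F'= *' '/Computer Account/ { print $2 }'
    fi
}

# Flat (NetBIOS) domain name, looked up the same way as in the accepted answer.
ad_domain_flat() {
    echo show com.apple.opendirectoryd.ActiveDirectory | scutil 2>/dev/null | awk '/DomainNameFlat/ { print $3 }'
}

# Normalize dscl's rendering of a multi-valued attribute to one CN per line.
# A single value sits on the label's own line:
#   dsAttrTypeNative:memberOf: CN=Only Group,OU=Groups,DC=corp,DC=example
# Several values follow the label one per line, each indented by a space:
#   dsAttrTypeNative:memberOf:
#    CN=Group One,OU=Groups,DC=corp,DC=example
# Cutting at the first comma after "CN=" keeps names containing "OU" intact,
# where splitting on the literal string "OU" (awk -F"OU") would truncate them.
parse_member_of() {
    sed -n -e 's/^dsAttrTypeNative:memberOf://' \
           -e 's/^[[:space:]]*CN=\([^,]*\),.*/\1/p'
}

# Exit 0 if group "$1" is among the DNs on stdin. AD names are case-insensitive,
# so compare case-insensitively, but on the whole line so that "Accounting"
# does not match "Accounting Macs".
in_group() {
    parse_member_of | grep -Fqix -- "$1"
}

# yes/no string for the <result> tag, matching the thread's scripts.
membership_result() {
    if in_group "$1"; then echo "yes"; else echo "no"; fi
}

# memberOf of the computer account "$1"; empty output (and non-zero exit) when
# the record has no memberOf, which membership_result reads as "no".
live_member_of() {
    dscl "/Active Directory/$(ad_domain_flat)/All Domains" read "/Computers/$1" dsAttrTypeNative:memberOf 2>/dev/null
}

# Constructed sample in dscl's multi-value format, used when not on a bound Mac.
SAMPLE_MEMBER_OF='dsAttrTypeNative:memberOf:
 CN=Accounting Macs,OU=Groups,OU=Corp,DC=corp,DC=example
 CN=LAB GROUP,OU=Groups,DC=corp,DC=example
 CN=Jamf-Managed,OU=Groups,DC=corp,DC=example'

# Extension-attribute style driver: live data when bound, the sample otherwise.
check_group() {
    account=$(ad_computer_account)
    if [ -n "$account" ]; then
        live_member_of "$account" | membership_result "$1"
    else
        printf '%s\n' "$SAMPLE_MEMBER_OF" | membership_result "$1"
    fi
}

echo "<result>$(check_group "${1:-Accounting Macs}")</result>"
```

Run it as `./check_group.sh "Accounting Macs"` on a bound Mac; anywhere else it exercises the parser against the constructed sample and prints `<result>yes</result>` for that group.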



BradLines
New Contributor II

Also, thanks Daniel, that script will come in handy.