Skip to main content
Solved

List All Active Directory Groups that a computer belongs to.

  • July 9, 2021
  • 3 replies
  • 15 views
BradLines
Forum|alt.badge.img+5

I need to make an extension attribute to check for a certain group on our AD. I can list all groups based on user but no luck basing it off computer name. Any ideas?

Best answer by BradLines

I got it working! its kinda rudimentary but it does the trick and easy to read for a non-bash scripter

#!/bin/bash

domainName=`echo show com.apple.opendirectoryd.ActiveDirectory |scutil | grep DomainNameFlat | awk '{print $3}'`
if [ $? -ne 0 ]
then
echo "Failed to get domain name, exiting script"
exit 1
fi

if [ -z $domainName ]
then
echo "Failed to get domain name, exiting script"
exit 1
fi

computerName=$(networksetup -getcomputername)
upn=`dscl "/Active Directory/$domainName/All Domains" read "/Groups/NameOfTheGroup" GroupMembership`

inGroup="no"
for u in $upn; do
if [[ "$u" == "$computerName" ]] ; then
inGroup="yes"
break
fi
done

echo "<result>$inGroup</result>"

3 replies

D
Forum|alt.badge.img+11
  • daniel_behan
  • Valued Contributor
  • July 14, 2021

I have one that lists the Group Membership of users.  The trick is the dscl lookup requires a $ sign appended to the end of the computer name.

 

#!/bin/sh computer=$( hostname ) Groups=$( dscl /Active\\ Directory/<domain>/All\\ Domains read /Computers/$computer$ dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' | xargs ) echo "<result>$Groups</result>"

 

    BradLines
    Forum|alt.badge.img+5
    • BradLines
    • Author
    • New Contributor
    • Answer
    • July 16, 2021

    I got it working! its kinda rudimentary but it does the trick and easy to read for a non-bash scripter

    #!/bin/bash

    domainName=`echo show com.apple.opendirectoryd.ActiveDirectory |scutil | grep DomainNameFlat | awk '{print $3}'`
    if [ $? -ne 0 ]
    then
    echo "Failed to get domain name, exiting script"
    exit 1
    fi

    if [ -z $domainName ]
    then
    echo "Failed to get domain name, exiting script"
    exit 1
    fi

    computerName=$(networksetup -getcomputername)
    upn=`dscl "/Active Directory/$domainName/All Domains" read "/Groups/NameOfTheGroup" GroupMembership`

    inGroup="no"
    for u in $upn; do
    if [[ "$u" == "$computerName" ]] ; then
    inGroup="yes"
    break
    fi
    done

    echo "<result>$inGroup</result>"

    BradLines
    Forum|alt.badge.img+5
    • BradLines
    • Author
    • New Contributor
    • July 16, 2021

    Also thanks Daniel, that script will come in handy

    Terms & ConditionsCookie settingsAccessibility statement