
Local admin access to AD group using computername variable

  • September 30, 2016
  • 4 replies
  • 0 views


Hi,

I need some help creating a script that grants local admin rights to an AD group whose name contains the computer name.

All our Windows clients have their own AD group which grants local admin rights on that computer.
I want to do the same thing for the Mac clients.

The groups are called: SEC-computername-WSADMIN

I guess I need to use the dsconfigad -groups "xxxxxxxxx" command?
But what would the syntax be to use the $computername variable in the group name?

4 replies

  • New Contributor
  • 30 replies
  • September 30, 2016

Here's the script I came up with for our environment; the policy is set to run at every login. I use the script parameters in the policy to define the groups I want to set as administrator ($4), lpadmin ($6), and what groups need to have admin rights removed ($5 and $7) if they were given admin rights at one time, but need to be removed later.

#!/bin/bash

# Console user; empty when nobody is logged in (loginwindow).
user=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
if [ -z "$user" ]; then
    echo "No console user found. exiting..."
    exit 0
fi
# checkmember prints "yes ..." or "no ..." for the named group.
admin=$(/usr/sbin/dseditgroup -o checkmember -m "$user" admin)
lpadmin=$(/usr/sbin/dseditgroup -o checkmember -m "$user" _lpadmin)
adminGroups=$4
adminExceptionGroups=$5
lpadminGroups=$6
lpadminExceptionGroups=$7

# $1 = space-separated list of authorized groups, $2 = local group to add the user to.
# The list entries are used as grep patterns, so a backslash is written as '\\' (see the example parameters below).
setAdmin () {
    for authorizedgroup in $1
        do
            if id -Gn "$user" | grep -q -- "$authorizedgroup"
            then
                echo "$user is a member of authorized group $authorizedgroup"
                echo "Adding $user to the $2 group…"
                /usr/sbin/dseditgroup -o edit -a "$user" -t user "$2"
                echo "exiting…"
                exit
            fi
        done
}

# $1 = space-separated exception list, $2 = checkmember output for $3, $3 = local group to remove the user from.
removeAdmin () {
    for exceptions in $1
        do
            if id -Gn "$user" | grep -q -- "$exceptions"; then
                if [[ $2 == *"yes"* ]]; then
                    echo "$user is in the exceptions list, and has $3 rights. Removing rights..."
                    /usr/sbin/dseditgroup -o edit -d "$user" -t user "$3"
                    echo "exiting..."
                    exit
                fi
            fi
        done
}

# $1 = numeric GID to look for, $2 = display name of that group.
# id -G prints GIDs space-separated; splitting them one per line gives an exact match
# (a plain grep for " 80 " misses the GID when it is first or last in the list).
groupCheck () {
    if id -G "$user" | tr ' ' '\n' | grep -qx "$1"
    then
        echo "$user is already in the $2 group. exiting..."
        exit
    fi
}

echo "Version 3.3.1"
# Version notes 3.3.1
# Modified variables referencing dseditgroup to use the full path '/usr/sbin/dseditgroup'

# Iterates through the groups listed in the policy's Exception parameter ($5) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$adminExceptionGroups" "$admin" "admin"

# Checks to see if the user logging in is already in the Admin group (GID 80).
groupCheck "80" "local admin"

# Iterates through the groups listed in the policy's adminAuthorizedGroups parameter ($4) to see if the user logging in is a member.
# If the user is a member the user gets added to the Admin group and the script exits. If not, the script goes to the next section.
setAdmin "$adminGroups" "admin"

# Iterates through the groups listed in the policy's Exception parameter ($7) to see if the user logging in is a member.
# If there is a match the script checks to see if it has _lpadmin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$lpadminExceptionGroups" "$lpadmin" "_lpadmin"

# Checks to see if the user logging in is already in the _lpadmin group (GID 98).
groupCheck "98" "_lpadmin"

# Iterates through the groups listed in the policy's lpadminAuthorizedGroups parameter ($6) to see if the user logging in is a member.
# If the user is a member the user gets added to the _lpadmin group and the script exits.
setAdmin "$lpadminGroups" "_lpadmin"

echo "$user is not a member of any authorized groups. exiting…"

exit 0

Example of what I use in the script parameters to account for the groups:

DOMAIN\\Group_1 DOMAIN\\Group_2

  • Author
  • New Contributor
  • 2 replies
  • October 1, 2016

Thanks!

1) Is it possible to use the $COMPUTERNAME variable as a script parameter to the script?

DOMAIN\\Group_1 DOMAIN\\SEC-${COMPUTERNAME}-WSADMIN

2) Also, admin and lpadmin: what's the difference between those two?


  • Valued Contributor
  • 277 replies
  • October 3, 2016

The group called "admin" is used for administrative access (security popups, default sudo access, etc.), while "_lpadmin" grants access to manage printers and CUPS devices on the local machine.


  • New Contributor
  • 30 replies
  • October 3, 2016

The admin rights are going to be set to the user, not the computer, but you could change the script so that if the computer name matched the criteria you set then the user logging in could be given admin rights. Are you wanting to specify specific computers, a particular OU, or groups the computer is a member of?
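The approach the last reply describes, and the original question of building the group name from the computer name, as an added example (this is not code from the original post or from any of the replies). It also replaces the substring grep used in the script above with an exact token match, so SEC-MAC01-WSADMIN cannot match SEC-MAC011-WSADMIN. Assumptions: groups follow the SEC-computername-WSADMIN pattern from the question, the domain prefix as printed by `id -Gn` is "DOMAIN" (override it with the first script argument), and the AD computer name equals the macOS ComputerName from `scutil`; check the last one in your environment, since the AD computer account may differ from the friendly name.

```bash
#!/bin/bash
# Added example, not from the original post: grant local admin to the console
# user only if they are a member of the AD group named after this Mac.
# Assumptions: groups are named DOMAIN\SEC-<computer name>-WSADMIN, the domain
# prefix as shown by `id -Gn` is "DOMAIN" (pass another as $1), and the AD
# computer name equals the macOS ComputerName.

# Build the expected per-machine group name from a domain prefix ($1)
# and a computer name ($2). printf turns '\\' into a single backslash.
expected_group() {
    printf '%s\\SEC-%s-WSADMIN' "$1" "$2"
}

# Exact-token membership test. $1 = group name to look for, $2 = the
# space-separated group list printed by `id -Gn <user>`. A substring
# grep would let SEC-MAC01-WSADMIN also match SEC-MAC011-WSADMIN; this
# compares whole tokens. (Group names containing spaces cannot be told
# apart in `id -Gn` output; the naming scheme here has none.)
in_group_list() {
    local wanted="$1" g
    set -f                      # no glob expansion while splitting $2
    for g in $2; do
        if [ "$g" = "$wanted" ]; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# macOS-only part: find the console user and the computer name, then act.
main() {
    local domain="${1:-DOMAIN}" user computer group
    # The owner of /dev/console is the logged-in user; root means nobody is.
    user=$(stat -f %Su /dev/console)
    case "$user" in
        root|_mbsetupuser|"") echo "No console user; exiting"; exit 0 ;;
    esac
    computer=$(scutil --get ComputerName)
    group=$(expected_group "$domain" "$computer")

    if ! in_group_list "$group" "$(id -Gn "$user")"; then
        echo "$user is not a member of $group; no change"
        exit 0
    fi
    # checkmember prints "yes ..." or "no ..."; skip a redundant edit.
    case "$(/usr/sbin/dseditgroup -o checkmember -m "$user" admin)" in
        yes*) echo "$user is already a local admin" ;;
        *)    echo "Adding $user to admin (member of $group)"
              /usr/sbin/dseditgroup -o edit -a "$user" -t user admin ;;
    esac
}

# Run the macOS-specific part only on macOS; the helpers above are portable.
if [ "$(uname)" = "Darwin" ]; then
    main "$@"
fi
```

Run it as a login-triggered policy, the same way as the script above. Note that it adds rights but never removes them; if a Mac is renamed or a user is taken out of the group, pair it with a removal step like the removeAdmin function above. If you would rather answer the original question with dsconfigad, the shell expands the name before dsconfigad sees it, e.g. `dsconfigad -groups "DOMAIN\\SEC-$(scutil --get ComputerName)-WSADMIN"` at bind time; that sets a fixed list on the machine, so it has to be re-run whenever the computer name changes.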

