- Jamf Nation Community
- Products
- Jamf Pro
- Re: Local admin access to AD group using computern...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Local admin access to AD group using computername variable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β09-30-2016 02:29 PM
Hi,
I need some help creating a script that grants a AD group that contains the Computername with local admin rights.
All our windows clients got their own AD group which grants local admin rights to the computer.
I want to do the same thing for the mac clients.
The groups are called: SEC-computername-WSADMIN
Guess I need to use the dsconfigad -groups "xxxxxxxxx" command?
But what will the syntax be to use the $computername variable in the group name ?
Labels:
- Labels:
-
Settings and Security Management
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β09-30-2016 03:19 PM
Here's the script I came up with for our environment; the policy is set to run at every login. I use the script parameters in the policy to define the groups I want to set as administrator ($4), lpadmin ($6), and what groups need to have admin rights removed ($5 and $7) if they were given admin rights at one time, but need to be removed later.
#!/bin/bash
user=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`
admin=$(/usr/sbin/dseditgroup -o checkmember -m $user admin)
lpadmin=$(/usr/sbin/dseditgroup -o checkmember -m $user _lpadmin)
adminGroups=$4
adminExceptionGroups=$5
lpadminGroups=$6
lpadminExceptionGroups=$7
setAdmin () {
for authorizedgroup in $1
do
if (id -Gn $user | grep -q $authorizedgroup)
then
echo "$user is a member of authorized group $authorizedgroup"
echo "Adding $user to the $2 groupβ¦"
/usr/sbin/dseditgroup -o edit -a $user -t user $2
echo "exitingβ¦"
exit
fi
done
}
removeAdmin () {
for exceptions in $1
do
if (id -Gn $user | grep -q $exceptions); then
if [[ $2 == *"yes"* ]]; then
echo "$user is in the exceptions list, and has $3 rights. Removing rights..."
/usr/sbin/dseditgroup -o edit -d $user -t user $3
echo "exiting..."
exit
fi
fi
done
}
groupCheck () {
if (id -G $user | grep -q "$1")
then
echo "$user is already in the $2 group. exiting..."
exit
fi
}
echo "Version 3.3.1"
# Version notes 3.3.1
# Modified variables referencing dseditgroup to use the full path '/usr/sbin/dseditgroup'
# Iterates through the groups listed in the policy's Exception parameter ($5) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$adminExceptionGroups" "$admin" "admin"
# Checks to see if the user logging in is already in the Admin group.
groupCheck " 80 " "local admin"
# Iterates through the groups listed in the policy's adminAuthorizedGroups parameter ($4) to see if the user logging in is a member.
# If the user is a member the user gets added to the Admin group. If not, the script exits.
setAdmin "$adminGroups" "admin"
# Iterates through the groups listed in the policy's Exception parameter ($7) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$lpadminExceptionGroups" "$lpadmin" "_lpadmin"
# Checks to see if the user logging in is already in the _lpadmin group.
groupCheck " 98 " "_lpadmin"
# Iterates through the groups listed in the policy's lpadminAuthorizedGroups parameter ($6) to see if the user logging in is a member.
# If the user is a member the user gets added to the _lpadmin group. If not, the script exits.
setAdmin "$lpadminGroups" "_lpadmin"
echo "$user is not a member of any authorized groups. exitingβ¦"
exit 0Example of what I use in the script parameters to account for the groups:
DOMAIN\Group_1 DOMAIN\Group_2Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β10-01-2016 12:31 AM
Thanx!
1) Is it possible to use the $COMPUTERNAME variable as a script parameter to the script?
DOMAINGroup_1 DOMAINSEC-${COMPUTERNAME}-WSADMIN
2) Also.. admin and lpadmin - whats the difference on those two?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β10-03-2016 06:49 AM
The group called "admin" is used for administrative access (security popups, default sudo access, etc.), while "lpadmin" grants access to manage printers and cups devices on the local machine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β10-03-2016 11:19 AM
The admin rights are going to be set to the user, not the computer, but you could change the script so that if the computer name matched the criteria you set then the user logging in could be given admin rights. Are you wanting to specify specific computers, a particular OU, or groups the computer is a member of?
