Local admin access to AD group using computername variable

thsandbe
New Contributor

Hi,

I need some help creating a script that grants local admin rights to an AD group whose name contains the computer name.

All our Windows clients have their own AD group, which grants local admin rights on that computer.
I want to do the same thing for the mac clients.

The groups are called: SEC-computername-WSADMIN

Guess I need to use the dsconfigad -groups "xxxxxxxxx" command?
But what will the syntax be to use the $computername variable in the group name?


mcooper
New Contributor III

Here's the script I came up with for our environment; the policy is set to run at every login. I use the script parameters in the policy to define the groups I want to set as administrator ($4), lpadmin ($6), and what groups need to have admin rights removed ($5 and $7) if they were given admin rights at one time, but need to be removed later.

#!/bin/bash

user=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
admin=$(/usr/sbin/dseditgroup -o checkmember -m $user admin)
lpadmin=$(/usr/sbin/dseditgroup -o checkmember -m $user _lpadmin)
adminGroups=$4
adminExceptionGroups=$5
lpadminGroups=$6
lpadminExceptionGroups=$7

setAdmin () {
    for authorizedgroup in $1
        do
            if (id -Gn $user | grep -q $authorizedgroup)
            then
                echo "$user is a member of authorized group $authorizedgroup"
                echo "Adding $user to the $2 group…"
                /usr/sbin/dseditgroup -o edit -a $user -t user $2
                echo "exiting…"
                exit
            fi
        done
}

removeAdmin () {
    for exceptions in $1
        do
            if (id -Gn $user | grep -q $exceptions); then
                if [[ $2 == *"yes"* ]]; then
                    echo "$user is in the exceptions list, and has $3 rights. Removing rights..."
                    /usr/sbin/dseditgroup -o edit -d $user -t user $3
                    echo "exiting..."
                    exit
                fi
            fi
        done
}

groupCheck () {
    if (id -G $user | grep -q "$1")
    then
        echo "$user is already in the $2 group. exiting..."
        exit
    fi
}

echo "Version 3.3.1"
# Version notes 3.3.1
# Modified variables referencing dseditgroup to use the full path '/usr/sbin/dseditgroup'

# Iterates through the groups listed in the policy's Exception parameter ($5) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$adminExceptionGroups" "$admin" "admin"

# Checks to see if the user logging in is already in the Admin group.
groupCheck " 80 " "local admin"

# Iterates through the groups listed in the policy's adminAuthorizedGroups parameter ($4) to see if the user logging in is a member.
# If the user is a member the user gets added to the Admin group. If not, the script exits.
setAdmin "$adminGroups" "admin"

# Iterates through the groups listed in the policy's Exception parameter ($7) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$lpadminExceptionGroups" "$lpadmin" "_lpadmin"

# Checks to see if the user logging in is already in the _lpadmin group.
groupCheck " 98 " "_lpadmin"

# Iterates through the groups listed in the policy's lpadminAuthorizedGroups parameter ($6) to see if the user logging in is a member.
# If the user is a member the user gets added to the _lpadmin group. If not, the script exits.
setAdmin "$lpadminGroups" "_lpadmin"

echo "$user is not a member of any authorized groups. exiting…"

exit 0

Example of what I use in the script parameters to account for the groups:

DOMAIN\Group_1 DOMAIN\Group_2

thsandbe
New Contributor

Thanx!

1) Is it possible to use the $COMPUTERNAME variable as a script parameter to the script?

DOMAIN\Group_1 DOMAIN\SEC-${COMPUTERNAME}-WSADMIN

2) Also, admin and lpadmin: what's the difference between those two?

bvrooman
Valued Contributor

The group called "admin" is used for administrative access (security popups, default sudo access, etc.), while "lpadmin" grants access to manage printers and cups devices on the local machine.

mcooper
New Contributor III

The admin rights are going to be set to the user, not the computer, but you could change the script so that if the computer name matched the criteria you set then the user logging in could be given admin rights. Are you wanting to specify specific computers, a particular OU, or groups the computer is a member of?
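The approach mcooper sketches here, as an added example that is not part of the thread and not any poster's script: build the group name SEC-computername-WSADMIN on the client, ask dseditgroup whether the console user is a member of it, and add the user to (or remove them from) the local admin group accordingly. It assumes a Mac bound to AD so the group resolves through the directory search path; the `build_group_name`, `checkmember_is_yes` and `decide_action` helpers, the "Computer Account" line read from `dsconfigad -show` and the ComputerName fallback are this example's own choices, not anything from the thread.

```shell
#!/bin/bash
# Added example, not a script from the thread. Grants or revokes local admin on
# a Mac depending on whether the console user is a member of the per-computer
# AD group SEC-<computername>-WSADMIN. Assumes the Mac is bound to AD so that
# dseditgroup can resolve the group through the directory search path.
set -u

GROUP_PREFIX="SEC-"       # naming convention from the question
GROUP_SUFFIX="-WSADMIN"

# Build the group name from a computer name. AD stores the computer account as
# "name$" and Bonjour names carry ".local"; both are stripped so the result
# matches the naming convention. Pure function, so it can be tested off a Mac.
build_group_name() {
    local name="$1"
    name="${name%.local}"
    name="${name%\$}"
    printf '%s%s%s\n' "$GROUP_PREFIX" "$name" "$GROUP_SUFFIX"
}

# dseditgroup -o checkmember prints "yes <user> is a member of <group>" or
# "no <user> is NOT a member of <group>". Return 0 only for the "yes" form, so
# an error message (unknown group, machine not bound) never counts as membership.
checkmember_is_yes() {
    case "$1" in
        yes\ *) return 0 ;;
        *)      return 1 ;;
    esac
}

# Decide what to do from two yes/no answers: membership of the AD group and of
# the local admin group. Rights follow the AD group in both directions.
decide_action() {
    local in_ad_group="$1" in_local_admin="$2"
    if [ "$in_ad_group" = yes ] && [ "$in_local_admin" = no ]; then
        echo add
    elif [ "$in_ad_group" = no ] && [ "$in_local_admin" = yes ]; then
        echo remove
    else
        echo none
    fi
}

# Name of the computer account as AD knows it (assumed to appear as a
# "Computer Account = name$" line in dsconfigad -show), falling back to the
# local ComputerName when the machine is not bound.
computer_account_name() {
    local acct
    acct="$(dsconfigad -show 2>/dev/null | awk -F'= ' '/Computer Account/ {print $2}')"
    if [ -n "$acct" ]; then
        printf '%s\n' "$acct"
    else
        scutil --get ComputerName
    fi
}

main() {
    local user group in_ad in_local action
    user="$(stat -f '%Su' /dev/console)"      # owner of the console = logged-in user
    case "$user" in
        root|loginwindow|"") echo "no console user logged in, nothing to do"; return 0 ;;
    esac
    group="$(build_group_name "$(computer_account_name)")"

    in_ad=no
    checkmember_is_yes "$(dseditgroup -o checkmember -m "$user" "$group" 2>&1)" && in_ad=yes
    in_local=no
    checkmember_is_yes "$(dseditgroup -o checkmember -m "$user" admin 2>&1)" && in_local=yes

    action="$(decide_action "$in_ad" "$in_local")"
    case "$action" in
        add)    echo "$user is in $group; adding to admin"
                dseditgroup -o edit -a "$user" -t user admin ;;
        remove) echo "$user is not in $group but is a local admin; removing"
                dseditgroup -o edit -d "$user" -t user admin ;;
        none)   echo "no change for $user (AD group: $in_ad, local admin: $in_local)" ;;
    esac
}

# Only act on a Mac where the directory tools exist; elsewhere the functions
# above can still be exercised on their own.
if command -v dseditgroup >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
    main
fi
```

Unlike the login script earlier in the thread, this one also removes the user from admin when they are not in the per-computer group, so rights track the AD group rather than persisting after a group change. The computer-name expansion asked about in the question works the same way with `dsconfigad -groups`, because the shell expands the variable before dsconfigad sees the string; the difference is that `-groups` fixes the list at bind time, while evaluating membership at login picks up AD group changes without re-running dsconfigad.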