MAC OSX machine account and AD group Membership

giang
New Contributor II

do anyone have a script that will add AD Group Membership to OSX maxchine in AD. or a Apple script that will call a web service to addcomputergroup

9 REPLIES 9

davidacland
Honored Contributor II

Hi, not sure if I get the question, do you mean the OU the computer object is in or something else?

Josh_Smith
Valued Contributor

I think he's asking about making the AD computer account a member of an AD Security Group via a script.

It would be easy to find a powershell script for this (that would be my choice). There are python scripts but it looks like they leverage ADSI so they have to be run on Windows....I don't know of an all Mac way of doing it.

Apple suggests using windows: HT202269

davidacland
Honored Contributor II

If the Mac is bound to AD you might be able to do it with dseditgroup.

cindySingh
New Contributor III

This is simple to do via Bash. I had been doing since 2 years. May be this can help someone else as Im replying so late.

#!/bin/sh
MACHINE=$(scutil --get ComputerName | sed s'/$/$/')
# You need to add this dramatic $ sign. Its important.
CNMEMBER=$(dscl "/Active Directory/ALPS/alp.com/" -read /Computers/"${MACHINE}" dsAttrTypeNative:distinguishedName |awk 'NF>1' |xargs)
# Get the fun CN and refine the name.
dscl -u AdminUserNameonAD -P PassForThatAccount "/Active Directory/ALPS/alp.com/" -merge "/Groups/YourSecurityGroupName" member "$CNMEMBER"
# Now force the membership

Hope this helps!!

bmee
Contributor

@cindySingh I've tried your script and i'm getting an error message that my ad is not valid. Any suggestion?

svalencia
New Contributor

I made some adjustments to update the script, gathering the computer name from dsconfigad. Here's an updated script that is currently working for us.

#!/bin/bash

ADuser="$4"
ADpass="$5"
ADSecurityGroup="$6" 

# This will allow an admin to quickly add a computer to an Active Directory security group.  The computer must already be bound to Active Directory.  Using the parameters in the policy to populate based on which group the computers should be a member of.

# Turn the computer name into a variable
computerName=$(dsconfigad -show | awk '/Computer Account/{print $NF}')

# echo $computerName

# Get the distinguished name
CNmember=$(dscl "/Active Directory/All Domains/InsertPathHere/" -read /Computers/"$computerName" dsAttrTypeNative:distinguishedName | awk '{print $NF}')

# echo $CNmember

# Use dscl to add distinguished name to AD security group
dscl -u "$ADuser" -P "$ADpass" "/Active Directory/All Domains/InsertPathHere/" -merge "/Groups/$ADSecurityGroup" member "$CNmember"

/usr/local/bin/jamf recon

Found this on 8/26/24- timely worked, but kept getting invalid path with the merge command. in our environment, I had to drop the leading slash in the groups command:

-merge 'Groups/$ADSecurityGroup' member "$CNmember"

 

Hope this helps someone

bcbackes
Contributor III

@svalencia I read your post about how to add a computer to an AD security group. I assume there's a similar way to read them? I'm trying to find a way to query AD computer groups, then, pull the list of computers into a Smart Group.

We are using AD groups for our Windows devices and SCCM to deploy out licensed software. I'm trying to find a way to leverage those same groups for Jamf Pro. The goal is to add Macs to the AD group, have a query that pulls those devices into a Smart Group, then, push licensed software installations out to the scoped smart group.

Any help you can provide is greatly appreciated!

Thanks,
Brant

JosephRecendez
New Contributor III

@svalencia Thank you for your script. I am running it I am able to get it to work if the parameters / variables are hard coded but when I use the options from the Jamf console ($4, $5, $6) I get a error back that says that "Data source (/Active Directory/MY_DOMAIN/All Domains/) is not a valid ID. Any help would be appreciated!

Thanks!