Posted on 07-22-2014 08:34 AM
I had this login script working great
#!/bin/sh
dscl . append /Groups/admin GroupMembership $3
It would make users from AD admin on computers so they are able to install software at home.
Now it has stopped working and no idea why.
Any thoughts??
Thanks
Posted on 07-22-2014 08:55 AM
There should be a dash in front of append, making the command:
dscl . -append /Groups/admin GroupMembership "$3"
In addition, I would suggest using -merge instead of -append (-merge will add if the value does not already exist in the list, -append adds it regardless, meaning you could end up with a bunch of duplicate entries)
Posted on 07-22-2014 09:01 AM
Actually, dseditgroup is probably the better command to use:
dseditgroup -o edit -a "$3" -t user admin
Posted on 07-22-2014 09:04 AM
I hate to keep repeating this, as I know it's been mentioned on several other threads, but you shouldn't be using dscl . append to add a user into any groups. The problem is, "append" is not intelligent. It won't check to see if the user being added already exists in that group. It's essentially adding the name into an array or list, and will keep adding it in, over and over again, endlessly, until you stop running your script. That means you could end up with dozens or even hundreds of entries of the same name in the admin group. If you later want to delete that user from the group, you have a mess on your hands to clean up.
Apple's preferred way for several years now has been to use dseditgroup. Unlike dscl . append, dseditgroup won't add the account in if it's already there.
dseditgroup -o edit -a "$3" admin
That said, not sure why your previous script stopped working. But at the very least, change it to use dseditgroup first and try it again.
Posted on 07-22-2014 09:58 AM
You could also automate this with this handy script from @johnkitzmiller:
http://www.kitzy.org/blog/2014/1/15/how-to-make-active-directory-users-local-admins
Posted on 07-22-2014 09:02 AM
It looks like the jss is not even running the script, the laptops are pending
Posted on 07-22-2014 10:23 AM
Then there is the temporary MakeMeAdmin script from Andrina. Very cool piece of work.
From JNUC2013
https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job/MakeMeAdmin
Posted on 07-22-2014 10:27 AM
Thanks guys!!
Posted on 07-22-2014 11:04 AM
Better yet, why not grant that user 30 min admin rights? Take a look at darklordbrock's script:
https://github.com/darklordbrock/scripts/tree/master/UW-Milwaukee
Posted on 07-22-2014 11:55 AM
Just to sort of echo off of what @mm2270 has posted:
The dseditgroup binary has built in logic to add, remove, or check membership of a group. Whereas if you use dscl append or merge to merge records, there are no logic checks in place for duplicate user records. For example if I ran this:
dscl . append /Groups/admin GroupMembership tlarkin
It would indeed add my user account to the admin group. However, if I typo'd my syntax and did it to tlakin instead, there would now be a record for tlakin as well that was also in the admin group, or let's say I ran the command twice, there would now be two records for 'tlarkin,' in the user database for the admin group.
A lot of these commands and scripts you find are from way back in the Tiger days when OS X first transitioned from NetInfo to Directory Services. The NetInfo days had a command line too (nicl), and a lot of us were unaware that dseditgroup existed, or that it was the preferred method, because we had to support Tiger day 1 when it came out. Whereas in Panther (10.3) everything was under NetInfo instead of Directory Services. As time went on and a lot of us Sys Admins got to read manuals and test things we found dseditgroup, which was not in any of our previous workflows for 10.3.
Now there are cases where you may want to use dscl over dseditgroup, but those will be specific and few and far between. Sorry for the history lesson here, I just thought I should explain why you want to use dseditgroup whenever you can over dscl, or even brute forcing any plist files for directory services (also really bad idea).
Thanks,
Tom
Posted on 07-22-2014 12:07 PM
It sounds like I walked into the middle of a flamewar that no one seems to have asked for.
I do have one thing that keeps bothering me - both tlarkin and mm2270 use as their reasoning that with dscl . -append you can end up with duplicates.
tlarkin even says "if you use dscl [...] merge to merge records, there are no logic checks in place for duplicate user records". mm2270 ignores the -merge option, instead pointing out that -append has no logic for checking for duplicates.
From the dscl man page:
merge
Usage: merge record_path key val ...
Appends one or more values to a property in a given directory if the property does not already have those values. The property is created if it does not exist.
It seems to me that if the only concern with using dscl instead of dseditgroup is the possibility of duplication, -merge seems to resolve that issue.
Please correct me if there is some other compelling reason for dseditgroup use instead, otherwise there seems to be two valid ways of doing the same thing. tlarkin seems to imply that dseditgroup checks the validity of a username being added to a group, but I am definitely inferring from a few of his statements and would want to be sure. If that is the case, then that is definitely a compelling reason (although most uses of dscl . -merge I have seen tend to be scripted, with little likelihood of a typo-ed username).
Posted on 07-22-2014 12:19 PM
Cross-referencing the 30-minute admin mechanism... https://jamfnation.jamfsoftware.com/discussion.html?id=6990
Posted on 07-22-2014 12:29 PM
Hi @hzimmerman
Sorry if you feel we are having a flame war, this was not ever my intent. I did some testing on another thread when you happen to have a space in a user's shortname. The dseditgroup seems to actually validate the user record in my testing. In this thread (if you scroll down a bit) I ran through an array of user records, and when dseditgroup could not find a valid user record, it told me so in the output:
https://jamfnation.jamfsoftware.com/discussion.html?id=11124
I am not saying you cannot use -merge, and I had this conversation with @franton on the other thread as well. I am all about end results, and if that works for you then awesome. I also agreed with @franton that sometimes dseditgroup may not be the answer 100% of the time. I only recommend using that binary first, because that is its main function. If you put a username in dseditgroup that is not valid it will tell you.
bash-3.2$ sudo dseditgroup -o edit -a fake_user_account -t user admin
Record was not found.
If you want to use dscl with -merge and -append, you can do so. I never meant this as a flame war on how to edit user records in the local user database in OS X. It is my personal opinion that dseditgroup is the preferred method. If you don't use my personal preferred method (this is just my opinion after all) then that is cool, and we can share different ways to do things. My intent was to just share more information to everyone so they can make their own informed decisions. I apologize if it did not come off that way.
Thanks,
Tom
PS - I used to use -merge and -append at an old job and I got mixed results. This was way back in the 10.5 and 10.6 days so many things could have changed since then. This was just my personal experience, your mileage may vary.
Posted on 07-22-2014 12:46 PM
@hzimmerman - you must be thinking of another thread, b/c no flame war here that I can see. I can only speak for myself, but my comment was written up and directed to EliasG, since he was using append. I have no issue with you pointing out the use of merge nor did I say so in my post. If I ignored "merge" it's simply because Apple strongly recommends the use of dseditgroup when manipulating group membership attributes, and has now for a number of years. Ask any SE at Apple and they will tell you. That's not to say that whatever Apple says is law or that we should follow it blindly, but it does provide a better, safer mechanism than anything that dscl provides.
And yes, you're correct in guessing that dseditgroup checks that the account actually exists before it operates on it. If not certain, try it yourself. Create a local Standard user on your Mac, then run a dseditgroup to add it to the admin group, but type the name in wrong. It will report "Record was not found." Doing an echo $? afterwards will report an error code 200 or something to that effect.
Anyway, you needn't be so defensive. No-one is bashing you for pointing out the possible use of "merge". But it's also pretty inarguable that dseditgroup is a more intelligent command overall. Dscl still has plenty of other uses though.
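Pulling the thread's points together (quote $3, use dseditgroup so the add is idempotent and the record is validated, check the exit status), here is an added example of a login-script wrapper; it is not a script from this thread or from Jamf or Apple. The DSEDITGROUP override and the name filter are my assumptions so the logic can be dry-run on a machine without dseditgroup.

```shell
#!/bin/sh
# Added example, not a script from this thread: a Jamf login-script wrapper that
# puts the thread's advice together. Jamf passes the logging-in user's short
# name as $3. DSEDITGROUP is overridable so the logic can be dry-run on a box
# without dseditgroup (assumption for testing; not a Jamf or Apple feature).
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
ADMIN_GROUP="admin"

# Refuse empty names or names with whitespace/metacharacters before they
# reach a privileged command. Returns 0 for an acceptable short name.
valid_shortname() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# dseditgroup -o checkmember exits 0 only when the user is already a member,
# so the add step stays idempotent (no duplicate entries, unlike dscl -append).
is_member() {
  "$DSEDITGROUP" -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# Add $1 to the admin group. Exit status: 0 when added or already present,
# 2 when the name is rejected, otherwise dseditgroup's own non-zero status
# (e.g. after "Record was not found." when the account does not exist).
add_admin() {
  user="$1"
  if ! valid_shortname "$user"; then
    echo "refusing invalid short name: '$user'" >&2
    return 2
  fi
  if is_member "$user"; then
    echo "$user is already in $ADMIN_GROUP"
    return 0
  fi
  if "$DSEDITGROUP" -o edit -a "$user" -t user "$ADMIN_GROUP"; then
    echo "added $user to $ADMIN_GROUP"
    return 0
  else
    rc=$?
    echo "dseditgroup failed for '$user' (exit $rc)" >&2
    return "$rc"
  fi
}

# Jamf invokes login scripts with the user name as the third argument.
if [ "$#" -ge 3 ]; then
  add_admin "$3"
fi
```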
Posted on 07-22-2014 12:52 PM
Looks like I started a war here...sorry