making users admins so they can install software at home

EliasG
Contributor

I had this login script working great:

#!/bin/sh
dscl . append /Groups/admin GroupMembership $3

It would make users from AD admin on computers so they are able to install software at home.

Now it has stopped working and no idea why.

Any thoughts??

Thanks


hzimmerman
New Contributor III

There should be a dash in front of append, making the command:
dscl . -append /Groups/admin GroupMembership "$3"

In addition, I would suggest using -merge instead of -append (-merge will add the value only if it does not already exist in the list; -append adds it regardless, meaning you could end up with a bunch of duplicate entries).

stevewood
Honored Contributor II

Actually, dseditgroup is probably the better command to use:

dseditgroup -o edit -a "$3" -t user admin

EliasG
Contributor

It looks like the JSS is not even running the script; the laptops are pending.

mm2270
Legendary Contributor III

I hate to keep repeating this, as I know it's been mentioned on several other threads, but you shouldn't be using dscl . append to add a user into any groups. The problem is, "append" is not intelligent. It won't check to see if the user being added already exists in that group. It's essentially adding the name into an array or list, and will keep adding it in, over and over again, endlessly, until you stop running your script. That means you could end up with dozens or even hundreds of entries of the same name in the admin group. If you later want to delete that user from the group, you have a mess on your hands to clean up.

Apple's preferred way for several years now has been to use dseditgroup. Unlike dscl . append, dseditgroup won't add the account in if it's already there.

dseditgroup -o edit -a "$3" admin

That said, not sure why your previous script stopped working. But at the very least, change it to use dseditgroup first and try it again.

emily
Valued Contributor III

rcorbin
Contributor II

Then there is the temporary MakeMeAdmin script from Andrina. Very cool piece of work.

From JNUC2013

https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job/MakeMeAdmin

EliasG
Contributor

Thanks guys!!

hcodfrie
Contributor

Better yet, why not grant that user 30 min admin rights? Take a look at darklordbrock's script

https://github.com/darklordbrock/scripts/tree/master/UW-Milwaukee

tlarkin
Honored Contributor

Just to sort of echo off of what @mm2270 has posted:

The dseditgroup binary has built-in logic to add, remove, or check membership of a group. Whereas if you use dscl append or merge to merge records, there are no logic checks in place for duplicate user records. For example, if I ran this:

dscl . append /Groups/admin GroupMembership tlarkin

It would indeed add my user account to the admin group. However, if I typo'd my syntax and did it to tlakin instead, there would now be a record for tlakin as well that was also in the admin group, or let's say I ran the command twice, there would now be two records for 'tlarkin' in the user database for the admin group.

A lot of these commands and scripts you find are from way back in the Tiger days when OS X first transitioned from NetInfo to Directory Services. The NetInfo days had a command line too (nicl), and a lot of us were unaware that dseditgroup existed, or that it was the preferred method, because we had to support Tiger day 1 when it came out. Whereas in Panther (10.3) everything was under NetInfo instead of Directory Services. As time went on and a lot of us Sys Admins got to read manuals and test things, we found dseditgroup, which was not in any of our previous workflows for 10.3.

Now there are cases where you may want to use dscl over dseditgroup, but those will be specific and few and far between. Sorry for the history lesson here, I just thought I should explain why you want to use dseditgroup whenever you can over dscl, or even brute forcing any plist files for directory services (also really bad idea).

Thanks,
Tom

hzimmerman
New Contributor III

It sounds like I walked into the middle of a flamewar that no one seems to have asked for.

I do have one thing that keeps bothering me - both tlarkin and mm2270 use as their reasoning that with dscl . -append you can end up with duplicates.

tlarkin even says "if you use dscl [...] merge to merge records, there are no logic checks in place for duplicate user records". mm2270 ignores the -merge option, instead pointing out that -append has no logic for checking for duplicates.

From the dscl man page:

merge
    Usage: merge record_path key val ...
    Appends one or more values to a property in a given directory if the property does not already have those values. The property is created if it does not exist.

It seems to me that if the only concern with using dscl instead of dseditgroup is the possibility of duplication, -merge seems to resolve that issue.

Please correct me if there is some other compelling reason for dseditgroup use instead, otherwise there seems to be two valid ways of doing the same thing. tlarkin seems to imply that dseditgroup checks the validity of a username being added to a group, but I am definitely inferring from a few of his statements and would want to be sure. If that is the case, then that is definitely a compelling reason (although most uses of dscl . -merge I have seen tend to be scripted, with little likelihood of a typo-ed username).

JPDyson
Valued Contributor

Cross-referencing the 30-minute admin mechanism... https://jamfnation.jamfsoftware.com/discussion.html?id=6990

tlarkin
Honored Contributor

Hi @hzimmerman

Sorry if you feel we are having a flame war, this was not ever my intent. I did some testing on another thread when you happen to have a space in a user's shortname. The dseditgroup seems to actually validate the user record in my testing. In this thread (if you scroll down a bit) I ran through an array of user records, and when dseditgroup could not find a valid user record, it told me so in the output:

https://jamfnation.jamfsoftware.com/discussion.html?id=11124

I am not saying you cannot use -merge, and I had this conversation with @franton on the other thread as well. I am all about end results, and if that works for you then awesome. I also agreed with @franton that sometimes dseditgroup may not be the answer 100% of the time. I only recommend using that binary first, because that is its main function. If you put a username in dseditgroup that is not valid it will tell you.

bash-3.2$ sudo dseditgroup -o edit -a fake_user_account -t user admin
Record was not found.

If you want to use dscl with -merge and -append, you can do so. I never meant this as a flame war on how to edit user records in the local user database in OS X. It is my personal opinion that dseditgroup is the preferred method. If you don't use my personal preferred method (this is just my opinion after all) then that is cool, and we can share different ways to do things. My intent was to just share more information to everyone so they can make their own informed decisions. I apologize if it did not come off that way.

Thanks,
Tom

PS - I used to use -merge and -append at an old job and I got mixed results. This was way back in the 10.5 and 10.6 days so many things could have changed since then. This was just my personal experience, your mileage may vary.

mm2270
Legendary Contributor III

@hzimmerman - you must be thinking of another thread, b/c no flame war here that I can see. I can only speak for myself, but my comment was written up and directed to EliasG, since he was using append. I have no issue with you pointing out the use of merge, nor did I say so in my post. If I ignored "merge" it's simply because Apple strongly recommends the use of dseditgroup when manipulating group membership attributes, and has now for a number of years. Ask any SE at Apple and they will tell you. That's not to say that whatever Apple says is law or that we should follow it blindly, but it does provide a better, safer mechanism than anything that dscl provides.
And yes, you're correct in guessing that dseditgroup checks that the account actually exists before it operates on it. If not certain, try it yourself. Create a local Standard user on your Mac, then run a dseditgroup to add it to the admin group, but type the name in wrong. It will report "Record was not found." Doing an echo $? afterwards will report an error code 200 or something to that effect.

Anyway, you needn't be so defensive. No one is bashing you for pointing out the possible use of "merge". But it's also pretty inarguable that dseditgroup is a more intelligent command overall. dscl still has plenty of other uses though.
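
An added, editor-supplied example (not code from any post in this thread) that puts the points made by tlarkin and mm2270 into one Jamf-style login script: it validates the short name the JSS passes as $3, uses dseditgroup -o checkmember to skip accounts that are already in the group, lets dseditgroup reject a non-existent record instead of silently appending a typo, and returns a non-zero exit status so the failure shows up in the policy log. The DSEDITGROUP and GROUP variables are assumptions added so the logic can be exercised with a stand-in for the real binary; on a Mac leave them unset.

```shell
#!/bin/sh
# Added example (not from this thread): idempotent "add the login user to admin"
# for a Jamf login script, where $3 is the username the JSS passes in.
# ASSUMPTION: the dseditgroup binary is reached through $DSEDITGROUP so the
# logic can be tested with a stand-in; GROUP is overridable for the same reason.
DSEDITGROUP="${DSEDITGROUP:-dseditgroup}"
GROUP="${GROUP:-admin}"

# Accept only a plausible macOS short name: letters, digits, dot, underscore,
# hyphen. Rejects an empty $3 and anything that could be read as an option.
valid_shortname() {
    case "$1" in
        ''|-*)              return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# 0 if "$1" is already a member of group "$2", 1 otherwise.
# dseditgroup -o checkmember prints "yes <user> is a member of <group>" or
# "no <user> is NOT a member of <group>"; an unknown record is treated as "no".
is_member() {
    out=$("$DSEDITGROUP" -o checkmember -m "$1" "$2" 2>&1 || true)
    case "$out" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Add "$1" to $GROUP exactly once. Returns 0 on success or no-op,
# 1 if dseditgroup refused (record missing, no privileges), 2 on a bad name.
ensure_admin() {
    user="$1"
    if ! valid_shortname "$user"; then
        echo "refusing to act on invalid username: '$user'" >&2
        return 2
    fi
    if is_member "$user" "$GROUP"; then
        echo "$user is already in $GROUP; nothing to do"
        return 0
    fi
    # dseditgroup validates that the user record exists and never appends
    # a duplicate entry, unlike dscl . -append.
    if ! "$DSEDITGROUP" -o edit -a "$user" -t user "$GROUP"; then
        echo "dseditgroup failed for '$user' (record not found or not permitted)" >&2
        return 1
    fi
    echo "added $user to $GROUP"
    return 0
}

# The JSS invokes login scripts as: script <mount point> <computer name> <username>
if [ -n "${3:-}" ]; then
    ensure_admin "$3"
    exit $?
fi
```

Run it the way the JSS would (sh script.sh mountpoint computername username) and check the exit code: a mistyped name produces "Record was not found." and a non-zero status rather than a silent no-op, and running it twice for the same user leaves a single entry in the group.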

EliasG
Contributor

Looks like I started a war here... sorry