Pull LDAP/AD *Computer* group membership?

Taylor_Armstron
Valued Contributor

Trying to figure out a way to be able to query machines for specific group memberships.

We're using Centrify to bind, which adds a bit of complexity, but I can probably work around that.

Does anyone know of a good way to identify what AD Security groups a given machine is a member of?

With Centrify, the command "/usr/local/bin/adquery user -A <Machine_Name>$" will return some info, but not what I'm looking for. Specifically, it will return "memberOf:OurDomain/Users/Domain Computers", but doesn't list any other groups I've added the machine to for test purposes right now.


osnala
New Contributor II

This is what I used, I forgot where I got it from. You will need to change the ad_computer_ou to reflect your environment.

#!/bin/sh
# Jamf extension attribute: reports the AD OU path of this Mac's computer object
# (domain first, deepest OU last), e.g. example.com/Macs/Laptops.
# Note: on newer macOS the AD node is "/Active Directory/<DOMAIN>/All Domains";
# adjust the dscl path below to match your bind.
ad_computer_name=$(dsconfigad -show | grep "Computer Account" | awk '{print $4}')
ad_computer_ou=$(dscl "/Active Directory/All Domains/" read "/Computers/$ad_computer_name" |
    grep -A 1 dsAttrTypeNative:distinguishedName |
    cut -d, -f2- |                     # drop the leading CN=<computer>$ RDN
    sed -n 's/OU=//gp' |               # strip the OU= prefixes
    sed -n 's/\(.*\),DC=/\1./gp' |     # join the last two DC components with a dot
    sed -n 's/DC=//gp' |               # strip any remaining DC= prefixes
    awk -F, '{                         # reverse the remaining components: domain first
        N = NF
        while ( N > 1 )
        {
            printf "%s/",$N
            N--
        }
        printf "%s",$1
    }')

echo "<result>$ad_computer_ou</result>"
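The question asks for the machine's AD security group memberships, and the script above outputs the computer object's OU path instead. The following is an added example, not code from the thread: it reads the computer object's memberOf attribute directly over LDAP with ldapsearch, authenticating with the Mac's own Kerberos machine-account ticket (GSSAPI), so it does not depend on which plugin did the bind. The host DC_HOST, the search base BASE_DN, the computer name MAC01$ and the presence of a ticket for the computer principal in the credential cache (for example obtained with kinit -k from the machine keytab) are assumptions; the sample LDIF is constructed. Two caveats a practitioner needs: memberOf lists direct memberships only (no nested groups), and the primary group (Domain Computers) is not in memberOf at all but is recorded through primaryGroupID, which is why a tool can show Domain Computers and still miss groups you added.

```shell
#!/bin/sh
# Added example (not the original poster's script): list a computer object's
# direct AD group memberships from its memberOf attribute.
# Assumed: DC_HOST, BASE_DN, the computer name, and an existing Kerberos ticket.

# Extract group CNs from the memberOf values in ldapsearch LDIF output.
# Handles LDIF line folding (continuation lines start with one space) and
# escaped commas inside a CN ("Mac Admins\, Test"). Base64-encoded values
# ("memberOf:: ...", emitted for non-ASCII DNs) are reported on stderr, not parsed.
parse_member_of() {
  awk '
    function group_cn(dn,    cn, i, c) {
      cn = ""
      for (i = 4; i <= length(dn); i++) {          # skip the leading "CN="
        c = substr(dn, i, 1)
        if (c == "\\") { cn = cn substr(dn, i + 1, 1); i++; continue }
        if (c == ",") break                         # first unescaped comma ends the RDN
        cn = cn c
      }
      return cn
    }
    function handle(line) {
      if (line ~ /^memberOf: CN=/) print group_cn(substr(line, 11))
      else if (line ~ /^memberOf:: /) print "skipped base64-encoded memberOf value" > "/dev/stderr"
    }
    /^ / { buf = buf substr($0, 2); next }         # unfold continuation lines
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf) }
  '
}

# Live query, run on the bound Mac. The machine ticket authenticates via GSSAPI,
# so no service-account password is stored in the script. Only direct memberships
# are returned; the primary group (Domain Computers) lives in primaryGroupID, not memberOf.
computer_groups() {
  name=$1                                          # e.g. MAC01$ (keep the trailing $)
  ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI \
    -H "ldap://${DC_HOST:-dc01.corp.example.com}" \
    -b "${BASE_DN:-DC=corp,DC=example,DC=com}" \
    "(&(objectClass=computer)(sAMAccountName=$name))" memberOf | parse_member_of
}

# Constructed sample of ldapsearch output (assumed names), so the parser can be
# exercised offline; the third value is folded across two lines as LDIF does.
sample_ldif='dn: CN=MAC01$,OU=Macs,DC=corp,DC=example,DC=com
memberOf: CN=Mac Admins\, Test,OU=Groups,DC=corp,DC=example,DC=com
memberOf: CN=Wifi-Cert-Enroll,OU=Groups,DC=corp,DC=exam
 ple,DC=com
'
printf '%s' "$sample_ldif" | parse_member_of
```

To use it for real, run computer_groups "$(dsconfigad -show | awk '/Computer Account/ {print $4}')" as root after confirming with klist that a ticket for the computer principal is present; if your domain uses non-ASCII group names, extend parse_member_of to base64-decode the "memberOf::" lines instead of skipping them.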