Script Help: AD admin permissions for portables

cstout
Contributor III

I spent half the day creating this script that is a mash-up of several excellent scripts I've come across here. The script below is tailored to address our portables keeping admin privileges while away from our corporate network. The script works beautifully, but there is one flaw that I am not skilled enough in bash to remediate.

What I am looking to accomplish is a way to avoid declaring a text variable for the group that it will check membership of. I am hoping that there is a way that I could remove the group name, as in the example below, "CSC" and replace it with a small query that will pull the group from the OU the computer has been bound to.

My apologies if that isn't as clear as it could be. I'm more than happy to provide any additional details that would aid in the success of modifying this script.

Big thanks to Matt Lee and Brad Gunnells for most of the source of this script.

#!/bin/bash

## Declaring Variables

# Sets AD group to check for membership.
adgroupname="CSC"

## Checking AD Group Membership - Do not edit below this line.

# Jamf passes the logged-in user's short name as $3. Refuse to run without it,
# otherwise the dscl calls below would operate on an empty name.
if [[ -z "$3" ]]; then
    echo "No username was passed as \$3"
    exit 1
fi

# Sets localgroup to the username if it is already a member of the local admin group.
# grep -x matches whole lines, so "bob" is not matched by "bobby".
localgroup=$(dscl localhost read /Local/Default/Groups/admin GroupMembership | tr ' ' '\n' | grep -x "$3")

# Checks the currently logged-in user for membership in the AD group above. dsmemberutil prints
# "user is a member of the group" or "user is not a member of the group"; the output is kept in adgroup.
adgroup=$(dsmemberutil checkmembership -U "$3" -G "$adgroupname")

result="user is a member of the group"

# If User is in AD Admin Group but Not Local Admin
if [[ "$adgroup" = "$result" && "$3" != "$localgroup" ]]; then
    dscl . -append /Groups/admin GroupMembership "$3"
    echo "$3 successfully added"
    exit

# Exclude Administrator account
elif [[ "$adgroup" != "$result" && "$3" == "administrator" ]]; then
    echo "$3 is the IT Admin Account…skipping."
    exit

# If User is in AD Admin Group and is a Local Admin
elif [[ "$adgroup" = "$result" && "$3" == "$localgroup" ]]; then
    echo "$3 is already a Local Admin"
    exit

# If User is not in the AD Group, but -is- in local admin
elif [[ "$adgroup" != "$result" && "$3" == "$localgroup" ]]; then
    dscl . -delete /Groups/admin GroupMembership "$3"
    echo "$3 successfully removed"
    exit

# If User is in neither group
elif [[ "$adgroup" != "$result" ]]; then
    echo "$3 is not a Network Admin"
    exit
fi

cstout
Contributor III

Also, please forgive the messiness of this script. I pieced it together the best I could and got a working script. I tested all "if" statements and they all work properly. It's the furthest thing from polished, but for my first big script (this is big to me) I think this is a big deal.

Thank you!

evarona
New Contributor II

If I understand what you're asking for, couldn't you use the additional script variables ($4 through $11) for different group names and parse them to a dscl command? I'm not connected to a domain right now so I'm going from memory, but I'm thinking something like what mm2270 posted at https://jamfnation.jamfsoftware.com/discussion.html?id=6311

# The node path contains spaces, so it has to be quoted; replace DOMAIN with the bound domain's name.
Groups=$( dscl "/Active Directory/DOMAIN/All Domains" read "/Users/$currUser" dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' )

This returns the groups a user belongs to. You can then match that to script variables with a case statement. Hope this helps.
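As an added example (not cstout's script or evarona's snippet), here is the same admin-sync logic split into small functions so that the decision (cstout's if/elif chain) and the memberOf parsing (evarona's dscl pipeline) can be run and checked on a machine that is not bound to a domain. It assumes Jamf passes the logged-in user as $3 and the candidate admin group names as $4..$11, as evarona suggests; "DOMAIN" in AD_NODE is a placeholder for the bound domain; the sample memberOf output is constructed; and dscl is only reached through main, which runs only when Jamf supplies arguments.

```shell
#!/bin/bash
# Added example, not cstout's script or evarona's snippet. Assumptions: Jamf
# passes the logged-in user as $3 and candidate admin groups as $4..$11;
# "DOMAIN" below is a placeholder; dscl is only called inside main/local_admins.

AD_NODE="/Active Directory/DOMAIN/All Domains"   # placeholder domain name
MEMBER_MSG="user is a member of the group"       # dsmemberutil's wording
NOT_MEMBER_MSG="user is not a member of the group"

# Constructed sample of `dscl ... read /Users/<user> dsAttrTypeNative:memberOf`
# output: the attribute name on the first line, one DN per following line.
SAMPLE_MEMBEROF='dsAttrTypeNative:memberOf:
 CN=CSC,OU=Groups,OU=IT,DC=example,DC=com
 CN=Domain Users,CN=Users,DC=example,DC=com'

# parse_member_of: stdin = dscl memberOf output; prints one group CN per line.
# Takes the first RDN of each DN, so it also handles groups under a CN container
# (evarona's awk -F"OU" only handles groups under an OU). Assumes no escaped commas in CNs.
parse_member_of() {
    sed -e '1d' -e 's/^ *//' -e '/^$/d' \
        | awk -F',' '{ sub(/^CN=/, "", $1); print $1 }'
}

# first_matching_group GROUPLIST CANDIDATE...: prints the first candidate found as a
# whole line in GROUPLIST; returns 1 if none. Empty candidates (unset $4..$11) are skipped.
first_matching_group() {
    local groups="$1" candidate
    shift
    for candidate in "$@"; do
        [ -n "$candidate" ] || continue
        if printf '%s\n' "$groups" | grep -qxF -- "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# is_local_admin USER MEMBERLIST: true if USER is a whole line of MEMBERLIST
# (whole-line match, so "bob" is not matched by "bobby").
is_local_admin() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# local_admins: members of the local admin group, one per line (macOS only).
local_admins() {
    dscl localhost read /Local/Default/Groups/admin GroupMembership \
        | sed 's/^GroupMembership: //' | tr ' ' '\n'
}

# decide_action USER AD_RESULT IS_ADMIN(yes|no): prints add|remove|keep|none|skip.
# The local "administrator" account is never touched (stricter than the posted script,
# which only skipped it when it was not an AD member).
decide_action() {
    local user="$1" ad="$2" admin="$3"
    if [ "$user" = "administrator" ]; then echo skip; return; fi
    if [ "$ad" = "$MEMBER_MSG" ]; then
        [ "$admin" = no ] && echo add || echo keep
    else
        [ "$admin" = yes ] && echo remove || echo none
    fi
}

# main USER CANDIDATE_GROUP...: the live path; needs a Mac bound to AD.
main() {
    local user="$1" groups admin_group ad_result is_admin
    shift
    [ -n "$user" ] || { echo "no username passed as \$3" >&2; return 1; }
    groups=$(dscl "$AD_NODE" read "/Users/$user" dsAttrTypeNative:memberOf | parse_member_of)
    if admin_group=$(first_matching_group "$groups" "$@"); then
        ad_result="$MEMBER_MSG"
    else
        ad_result="$NOT_MEMBER_MSG"
    fi
    if is_local_admin "$user" "$(local_admins)"; then is_admin=yes; else is_admin=no; fi
    case "$(decide_action "$user" "$ad_result" "$is_admin")" in
        add)    dscl . -append /Groups/admin GroupMembership "$user"; echo "$user added (member of $admin_group)" ;;
        remove) dscl . -delete /Groups/admin GroupMembership "$user"; echo "$user removed" ;;
        keep)   echo "$user is already a local admin" ;;
        none)   echo "$user is not a network admin" ;;
        skip)   echo "$user is the local admin account, skipping" ;;
    esac
}

# demo: exercises the offline parts on the constructed sample.
demo() {
    echo "groups: $(printf '%s\n' "$SAMPLE_MEMBEROF" | parse_member_of | paste -sd, -)"
    echo "alice (AD member, not local admin): $(decide_action alice "$MEMBER_MSG" no)"
    echo "bob (not AD member, local admin): $(decide_action bob "$NOT_MEMBER_MSG" yes)"
}

# Under Jamf, $1..$3 are supplied by the jamf binary; with no arguments run the demo.
if [ $# -ge 3 ]; then shift 2; main "$@"; else demo; fi
```

One caveat when choosing between the two lookups: the memberOf attribute lists only direct memberships, while dsmemberutil checkmembership (as in cstout's script) also resolves nested groups, so if admins are granted through nested AD groups, use the memberOf list only to pick the group name and keep dsmemberutil as the authoritative check.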