Script Help - Extended Attribute Output Manipulation for Computer AD Group Membership

EdenJAMFAdmin
New Contributor

I've got the following script output and it's OK, I'm trying to clean it up so that only the name of the group remains. Our computers can be in one or more groups in AD and I'm trying to get the Extended Attribute populated cleanly for use in creating smart groups. Current output looks like

dsAttrTypeNative:memberOf: CN=M_TEST,OU=Groups,OU=Location,DC=District,DC=loc CN=M_Shutdown_GPO_EXCLUSION,OU=Groups,OU=Location,DC=District,DC=loc

I know I can remove dsAttrTypeNative:memberOf: with one sed command and remove OU=Groups,OU=Location,DC=District,DC=loc with another, but this will only work if I can guarantee that all groups will be in that same OU, which I cannot.

Any help would be appreciated. Thank you

#!/bin/sh
# AD computer account name: field 4 of the "Computer Account = ..." line
ad_computer_name=`dsconfigad -show | grep "Computer Account" | awk '{print $4}'`
# Read the whole computer object, keep the memberOf key plus the line after it
# (cut -d, -f1- selects every comma-separated field, so it leaves the text as-is)
ad_computer_grp=`dscl /Search read "/Computers/$ad_computer_name" | 
grep -A 1 dsAttrTypeNative:memberOf | 
cut -d, -f1- `

echo "<result>$ad_computer_grp</result>"

milesleacy
Valued Contributor

You're showing two groups in your output. Which group are you interested in?

Since a computer object can be a member of multiple groups, perhaps an Extension Attribute per group that you're interested in with Yes and No values would be more appropriate?

Another, admittedly sloppier (but somewhat easier if you only need a few of these), option would be to dump the output above into the EA and create your smart groups with criteria like:
$EA_Name like CN=M_TEST

mikeh
Contributor II

Try adapting the following loop to see if it suits your needs:

for grp in "$(dscl /Search read /Computers/$ad_computer_name dsAttrTypeNative:memberOf)"
do
   echo "$grp" | awk -F[=,] '{print $2}'
done

Here, dscl no longer pulls all information about the device, just the information you want to manipulate; and a single awk statement, with multiple delimiters, pulls the group name that I think you want.

EdenJAMFAdmin
New Contributor

milesleacy I'm looking at having an unknown number of groups as we move forward, so having to code EAs for each would be cumbersome. I can go the sloppier route, just was hoping to clean it up and make it easy to look at and flexible.

mikeh
Thank you for the code, it's coming up blank though. From what I can try to figure out, it's in the loop

#!/bin/sh
ad_computer_name=`dsconfigad -show | grep "Computer Account" | awk '{print $4}'`
for grp in "$(dscl /Search read /Computers/$ad_computer_name dsAttrTypeNative:memberOf)"
do
   echo "$grp" | awk -F[=,] '{print $2}'
done

milesleacy
Valued Contributor

Given that you have an unknown list of groups, which I would further assume is subject to change over time, I think the "sloppy" route might be the best option.

Dump your dscl output into the EA and then use like logic to build the smart groups you need.

Unless someone has a better idea.

mm2270
Legendary Contributor III

Hi @EdenJAMFAdmin I think getting all groups into the EA and then being able to create criteria with the EA such as "AD Groups | like | <some group name>" would probably be best, especially if you anticipate needing to know about more than just a few possible groups. If you only do one EA for each group, you may find yourself down the road with a half dozen or more different similar EAs.

One thing I wanted to point out. You can combine the grep and awk in the first part of the script, as awk has regex matching capabilities similar to grep. For example:

dsconfigad -show | awk '/Computer Account/{print $4}'

Our Active Directory computer objects don't seem to have a dsAttrTypeNative:memberOf key in them, so I wasn't able to really test the below against computer objects, but I was able to swap it out for /Users/username to see the result. This should, I think, grab all the computer groups and place them all into one result. Also, I assumed you don't need the CN= part of the group names since that's just the indication of the container. The below will exclude that as well.

#!/bin/bash

# One awk call does the pattern match and the print
ad_computer_name=$(dsconfigad -show | awk '/Computer Account/{print $4}')
# Split each output line on "=", "|" or "," so field 2 is the name after CN=
ad_computer_groups=$(dscl /Search read "/Computers/$ad_computer_name" dsAttrTypeNative:memberOf | awk -F'[=|,]' '{print $2}')

echo "<result>$ad_computer_groups</result>"

Give that a try and see if it gives you what you're looking for.
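Building on that awk idea, here is an added example (mine, not code from the thread or from Jamf) that takes the dscl output and prints every group's CN regardless of which OU the group lives in, skipping container CN= parts and honouring escaped commas. The dscl samples are constructed, and the indented one-value-per-line layout is an assumption about how dscl prints values containing spaces.

```shell
#!/bin/sh
# Added example (not code from the thread): pulls every group name out of the
# memberOf value(s) dscl returns, whatever OU each group sits in. The dscl
# output below is constructed; on a Mac you would pipe the real command in:
#   dscl /Search read "/Computers/$ad_computer_name" dsAttrTypeNative:memberOf | build_ea_result

# Constructed sample in the one-line layout shown in the original post.
SAMPLE_ONE_LINE='dsAttrTypeNative:memberOf: CN=M_TEST,OU=Groups,OU=Location,DC=District,DC=loc CN=M_Shutdown_GPO_EXCLUSION,OU=Groups,OU=Location,DC=District,DC=loc'
# Constructed sample in the indented one-value-per-line layout (assumed here to
# be what dscl prints when a value contains a space), with a group in the
# default Users container and a CN holding an escaped comma.
SAMPLE_MULTI_LINE='dsAttrTypeNative:memberOf:
 CN=Domain Computers,CN=Users,DC=District,DC=loc
 CN=Lab\, Room 101,OU=Labs,DC=District,DC=loc'

# Reads dscl output on stdin, prints one group name per line.
# Only the first RDN of each DN is the group; later CN= parts are containers.
extract_groups() {
    awk '
    # Value of the leading CN= RDN, honouring backslash escapes such as "\,".
    function rdn_value(dn,    i, c, out) {
        sub(/^CN=/, "", dn)
        out = ""
        for (i = 1; i <= length(dn); i++) {
            c = substr(dn, i, 1)
            if (c == "\\") { i++; out = out substr(dn, i, 1); continue }
            if (c == ",") break
            out = out c
        }
        return out
    }
    {
        sub(/^dsAttrTypeNative:memberOf:[ \t]*/, "")   # drop the attribute key
        sub(/^[ \t]+/, "")                               # drop value indentation
        if ($0 == "") next
        # Several DNs on one line are separated by whitespace followed by "CN=".
        n = split($0, dn, /[ \t]+CN=/)
        for (i = 1; i <= n; i++) {
            if (i > 1) dn[i] = "CN=" dn[i]
            if (dn[i] ~ /^CN=/) print rdn_value(dn[i])
        }
    }'
}

# Wraps the newline-separated list for a Jamf Extension Attribute result.
build_ea_result() {
    printf '<result>%s</result>\n' "$(extract_groups)"
}

printf '%s\n' "$SAMPLE_ONE_LINE" | build_ea_result
```

With one group per line in the result, a smart group criterion such as "AD Groups | like | M_TEST" still matches without the OU path getting in the way.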

mikeh
Contributor II

@EdenJAMFAdmin I'm betting the output is empty because the $(...) structure in the for loop is (I believe) a bash structure, but you specified /bin/sh as the shell in the script. Either switch the shell to bash in the first line, or change the $(...) to the sh-compatible `...` structure, which you used when populating the ad_computer_name variable. That should clear up the blank output. I hope.

@mm2270 I always look forward to your posts and answers. I always learn something - in this case, how to use awk better.