Solved

Scripters Help! User Interaction Stored as Variable



40 replies

Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • March 30, 2012
#!/bin/sh

#####################################
# Move Network Admin to Local Admin #
# author: matt.lee@fox.com          #
#####################################

#######################################
# Setting Variables #
# user = Currently logged in user #
# group = Verifying user is in group #
#######################################

user=`ls -l /dev/console | cut -d " " -f 4`
group=`dseditgroup -o read -n /Local/Default admin | grep -a $user`

#######################################
# Recticulating Splines #
#######################################

if [ $user = $group ] ; then
/usr/sbin/jamf displayMessage -message "Account already exists"
else
/usr/sbin/jamf displayMessage -message "Account added successfully."
dscl . append /Groups/admin GroupMembership $user
fi

exit 0
exit 1

This works perfectly. Does exactly what I want even though it throws that error. Any Sim City Fans :D


Forum|alt.badge.img+31
  • Honored Contributor
  • 2721 replies
  • March 30, 2012

Hey Matt,

This is one of the downsides to grep: it grabs everything with the string and you can get weird white space issues. As Nate mentioned, Ruby, Perl and Python are really all great at parsing text. You can manipulate text to your heart's content pretty easily with all of them, and Python is relatively easy to learn. In BASH, you can manipulate text as well with, say, awk or sed. I could sit here and tell you the best language to use, but that would cause endless unneeded debate. Plus, at the end of the day, it only really matters if it works, right?

Glad you got it fixed, that is awesome. To give you an example of piping to awk instead of grep I did this really quick:

dseditgroup -o read -n /Local/Default admin | awk '/tlarkin/ { print $1 }'
tlarkin

So it returned my user name with no white space. My personal opinion though for these really simple scripts you should also keep it simple, and not have to pipe out 500 things to accomplish what you want. You just gotta figure out that balance from time spent versus reward, and of course if you accomplished your goal or not.

Have a great weekend,
Tom


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • March 30, 2012

Interestingly enough I got the same error with awk! But at this point the script works perfectly with both awk and grep. This will def. help our techs. I'm pretty sure the issue is the returning of a <null> value that's tripping the error.


Forum|alt.badge.img+12
  • Contributor
  • 529 replies
  • April 1, 2012

For info, the following will not work as expected on 10.6:

dseditgroup -o read -n /Local/Default admin | grep -a $user

For 10.6, you'd need:

dseditgroup -o read -n /Local/Default admin 2>&1 | grep $user

This, however, will also work with both versions:

dscl localhost read /Local/Default/Groups/admin GroupMembership | grep -a "$user"

As for variables and if statements, you need to be careful how you supply the variable to the if statement. It's good practice to double quote the variable, so

if [ "$user" == "$group" ]

You can alternatively double bracket

if [[ $user = $group ]]

although I would actually say do both (as Matt also pointed out)!

if [[ "$user" = "$group" ]]

Better still, using the dscl command instead will return either nothing or a single line of text, so you can now just check whether it is empty or not. But, since usernames could overlap (maybe you have a user called 'roo'; since root is an admin this would be a false positive), exact matches would be preferable.

Try this out:

#!/bin/bash

## NB. /dev/console should no longer be used due to virtual screen sharing logins.
## This script should be modified to reflect this if necessary.
user=`stat -f%Su /dev/console`
group=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$user"`

if [[ "$user" == "$group" ]]
then
        result="Yes"
else
        result="No"
fi

echo "<result>$result</result>"
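
The 'roo' versus 'root' overlap described in the post above, as an added example that is not part of the original post: it contrasts a substring grep with a whole-line, fixed-string match. The function names and the sample group line are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread. Input is the text printed by
# `dscl ... read ... GroupMembership`; the sample values are constructed.

# Substring test, as used in the scripts above: grep matches inside a name.
substring_match() {   # usage: substring_match USER "DSCL_OUTPUT"
    printf '%s\n' "$2" | tr ' ' '\n' | grep -- "$1"
}

# Exact test: -F fixed string (no regex), -x whole line, -q exit status only.
is_member() {         # usage: is_member USER "DSCL_OUTPUT"
    [ -n "$1" ] || return 1     # an empty name would match a blank line
    printf '%s\n' "$2" | sed 's/^GroupMembership://' |
        tr -s ' ' '\n' | grep -Fxq -- "$1"
}

members="GroupMembership: root localadmin"   # constructed sample

for u in root roo localadmin; do
    if is_member "$u" "$members"; then verdict="admin"; else verdict="not admin"; fi
    printf '%-10s exact=%-9s substring=%s\n' "$u" "$verdict" \
        "$(substring_match "$u" "$members" | tr '\n' ' ')"
done
```
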

Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 2, 2012

Thanks for all the help everyone. I think I have a solid script now. Here is the script. Basically this will be a self service script that allows a tech to grant a user who has Network Admin rights Local Admin rights as well.

#!/bin/bash

#######################################
# Setting Variables                   #
# user = Currently logged in user     #
# group = Verifying user is in group  #
#######################################

user=`stat -f%Su /dev/console`
group=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$user"`

#######################################
# Recticulating Splines               #
#######################################

if [[ "$user" == "$group" ]]
then
result="Yes"
/usr/sbin/jamf displayMessage -message "Account already exists"

else
result="No"
/usr/sbin/jamf displayMessage -message "Account added successfully."
dscl . append /Groups/admin GroupMembership $user

fi

echo "<result>$result</result>"

Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 2, 2012

Now that I have this excellent script I am ready to take this a step farther...

Login script: check the logged-in user's Real Name, then check an AD group for membership; if membership exists, then add to local admin, else exit.

So I guess the place to start is gathering the user's real name. I found one way to do it via dscl but it gives me a return of:

Real Name: Your Name

I would love to get just the real name as the output so I can then look it up. Any advice? Appreciate all the help.


Forum|alt.badge.img+19
  • Contributor
  • 437 replies
  • April 2, 2012

add this to the end of your dscl query:

| tail -1 | cut -c 2-

Forum|alt.badge.img+12
  • Contributor
  • 529 replies
  • April 3, 2012

nkalister is right. The response you are receiving is across 2 lines, e.g.

RealName:
 Matt Lee

You could flatten it to one line if you don't mind keeping 'RealName' by adding:

| tr "\n" " "

Or, using the above example, I would be more inclined to remove leading whitespace, as opposed to relying on character positions, and use one command to do the lot:

| sed -e '$!d' -e 's/^[ 	]*//'

-e '$!d' = print last line only

's/^[ ]*//' = remove any leading spaces/tabs if any exist.

You may find the following pages useful to help you get started:

http://sed.sourceforge.net/sed1line.txt
http://www.pement.org/awk/awk1line.txt


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 3, 2012

Some progress.

Declared Variables

shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ 	]*//'`

A test of Echo shows exactly what I want

Realname = "Matthew Lee"
shortname = "matthewle"

Making good progress! Thanks for all the help everyone. Once this script is done I will upload it for all to enjoy.


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 3, 2012
shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ 	]*//'`
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS | grep "$realname"`

### Testing Output Only Delete before Completion
echo $adgroup

Echo results are:

CN=Matthew Lee,OU=Users,OU=Pico Lot,OU=Los Angeles,OU=North America,OU=FNG,DC=ffe,DC=foxeg,DC=com

How can I extract just "Matthew Lee" from here? I tried GREP and no matter what I do it always gives me the same output.


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 3, 2012
#!/bin/bash

#######################################
# Add Network Admin to Local Admin Group     #
# author: matt.lee@fox.com                                #
#######################################

#######################################
# Declaring Variables                                         #
#######################################

shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ 	]*//'`
# localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS member | grep "$realname"`

echo $shortname
echo $realname
echo $adgroup

#######################################
# Checking AD Group Membership                    #
#######################################

if [[ "$realname" == "$adgroup" ]]; then 

    result="Yes"
else
    result="No"

fi

echo "<result>$result</result>"

Can't get them to result "Yes" even though the output matches :(


mm2270
Forum|alt.badge.img+16
  • Legendary Contributor
  • 7880 replies
  • April 3, 2012
Echo results are: CN=Matthew Lee,OU=Users,OU=Pico Lot,OU=Los Angeles,OU=North America,OU=FNG,DC=ffe,DC=foxeg,DC=com How can I extract just "Matthew Lee" from here? I tried GREP and no matter what I do it always gives me the same output.

Have you tried the "grep -o" option?


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 3, 2012

I actually did the grep -o a bit ago and got some new results. I got sidetracked, so I'll continue tomorrow :)

Thanks for the help again everyone.


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 3, 2012
#!/bin/bash

##########################################
# Add Network Admin to Local Admin Group #
# author: matt.lee@fox.com               #
##########################################

##########################################
# Declaring Variables                    #
##########################################

shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ 	]*//'`
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS member | grep -o "$realname"`

##########################################
# Checking AD Group Membership           #
##########################################

if [[ "$realname" == "$adgroup" && "$shortname" != "$localgroup" ]]; then
   result="Yes"
   dscl . append /Groups/admin GroupMembership $shortname

elif [[ "$realname" == "$adgroup" && "$shortname" == "$localgroup" ]]; then
    result="No"

elif [[ "$realname" != "$adgroup"  ]]; then
    result="No"
fi

echo "<result>$result</result>"

Works when deployed!!!! I'll do some more testing tomorrow. So far this is a pretty wicked script.


Forum|alt.badge.img+20
  • Author
  • Valued Contributor
  • 732 replies
  • April 4, 2012

Script is finished and working great. I am going to upload it to the JAMF repository. Thank you everyone for helping me out. I hope you guys can get some use out of this.

#!/bin/bash

# Add Network Admin to Local Admin Group
# author: matt.lee@fox.com 

# Declaring Variables

shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ 	]*//'`
adgroupname="Enter Your AD Group Here"
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "Enter Your Active Directory Path" -read /Groups/$adgroupname member | grep -o "$realname"`
serviceaccount="Enter Your Service Account Name Here"

# Ignoring Service Accounts

if [[ "$serviceaccount" == "$localgroup" ]]; then
   result="Service Account Detected"

# Checking AD Group Membership 

# If User is in AD Admin Group but Not Local Admin

elif [[ "$realname" == "$adgroup" && "$shortname" != "$localgroup" ]]; then
   result="User Successfully Added"
   dscl . append /Groups/admin GroupMembership $shortname

# If User is in AD Admin Group and is a Local Admin

elif [[ "$realname" == "$adgroup" && "$shortname" == "$localgroup" ]]; then
    result="Admin User Detected"

# If User is not in the AD Admin Group

elif [[ "$realname" != "$adgroup" && "$shortname" == "$localgroup" ]]; then
    result="Removing Unapproved User"
    dscl . delete /Groups/admin GroupMembership $shortname

# If User is not in the AD Admin Group and is not a Local Admin

elif [[ "$realname" != "$adgroup"  ]]; then
    result="Standard User Detected"
fi

echo "<result>$result</result>"

exit
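
The script above grants admin rights when `grep -o "$realname"` echoes the name back, which also happens when the name is only part of another group member's CN. An added example (not part of the original posts) that extracts each CN from the member DNs and compares it exactly; the function names and the example.com DNs are constructed for illustration, and one DN per line is assumed, as in the output quoted in the thread.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumes one DN per line, as in the
# output quoted in the thread; the DNs below are constructed placeholders.

# Thread approach: grep -o echoes the pattern wherever it occurs in a DN.
grep_o_match() {      # usage: grep_o_match REALNAME "MEMBER_OUTPUT"
    [ "$(printf '%s\n' "$2" | grep -o -- "$1")" = "$1" ]
}

# Print the CN of each DN on stdin, undoing backslash escapes such as "\,"
# (hex escapes like \2C are not decoded).
member_cns() {
    sed -nE '/^[[:space:]]*CN=/{
        s/^[[:space:]]*CN=((\\.|[^,\\])*),.*$/\1/
        s/\\(.)/\1/g
        p
    }'
}

# Exact test: REALNAME must equal one whole CN (fixed string, whole line).
in_ad_group() {       # usage: in_ad_group REALNAME "MEMBER_OUTPUT"
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | member_cns | grep -Fxq -- "$1"
}

sample='member:
 CN=Matthew Leeson,OU=Users,DC=example,DC=com
 CN=Lee\, Anna,OU=Users,DC=example,DC=com'

for name in "Matthew Lee" "Matthew Leeson" "Lee, Anna"; do
    grep_o_match "$name" "$sample" && g=yes || g=no
    in_ad_group  "$name" "$sample" && e=yes || e=no
    printf '%-16s grep-o=%-3s exact=%s\n' "$name" "$g" "$e"
done
```
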
