
Posted on 03-29-2012 01:51 PM
Hey all, I wrote a script to add users to a certain dscl group and I was wondering how I can get an interaction pop-up that says "Please type in your name" so that the name is then saved as, let's say, $name?
Solved! Go to Solution.

Posted on 04-04-2012 08:36 AM
Script is finished and working great. I am going to upload it to the JAMF repository. Thank you everyone for helping me out I hope you guys can get some use out of this.
#!/bin/bash
# Add Network Admin to Local Admin Group
# author: matt.lee@fox.com
# Declaring Variables
shortname=`stat -f%Su /dev/console`
realname=`dscl . read "/Users/$shortname" RealName | sed -e '$!d' -e 's/^[ ]*//'`
adgroupname="Enter Your AD Group Here"
# grep -x matches the whole line, so a short name cannot match a longer name that merely contains it
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep -x "$shortname"`
# NB: if the AD node cannot be reached this is empty, and every local admin then falls into the "Removing Unapproved User" branch below
adgroup=`dscl "Enter Your Active Directory Path" -read "/Groups/$adgroupname" member | grep -o "$realname"`
serviceaccount="Enter Your Service Account Name Here"
# Ignoring Service Accounts
if [[ "$serviceaccount" == "$localgroup" ]]; then
result="Service Account Detected"
# Checking AD Group Membership
# If User is in AD Admin Group but Not Local Admin
elif [[ "$realname" == "$adgroup" && "$shortname" != "$localgroup" ]]; then
result="User Successfully Added"
dscl . append /Groups/admin GroupMembership "$shortname"
# If User is in AD Admin Group and is a Local Admin
elif [[ "$realname" == "$adgroup" && "$shortname" == "$localgroup" ]]; then
result="Admin User Detected"
# If User is not in the AD Admin Group but is a Local Admin
elif [[ "$realname" != "$adgroup" && "$shortname" == "$localgroup" ]]; then
result="Removing Unapproved User"
dscl . delete /Groups/admin GroupMembership "$shortname"
# If User is not in the AD Admin Group and is not a Local Admin
elif [[ "$realname" != "$adgroup" ]]; then
result="Standard User Detected"
fi
echo "<result>$result</result>"
exit

Posted on 03-29-2012 02:48 PM
Your best bet would be to invoke AppleScript to do that, with 'osascript': Need to head out right now, but if no-one else responds, I'll try to put something together for you as an example later.

Posted on 03-29-2012 03:15 PM
You can go the AppleScript route for this if you make a Cocoa applet, depending on how it's going to be triggered.
The following AppleScript / AppleScript Objective C code should work
activate
set askForUsername to display dialog "username" default answer "foo"
set username to text returned of askForUsername as string
set result to "<result>" & username & "</result>"
tell current application to NSLog(result)
quit
You could then do something like this:
declare -x name="$(/Applications/Username.app/Contents/MacOS/CocoaApplet 2>&1 | awk -F'[<>]' '{print $3}')"
bash-3.2# echo $name
foo
Might want to also check out this thread

Posted on 03-29-2012 03:22 PM
I agree AppleScript might be the best bet. You can't just directly access the display dialog function, or it will return an error "No user interaction allowed. (-1713)"
To work around the issue, use Tell to system events:
#!/bin/bash
EndUserName=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set EndUserName to text returned of (display dialog "Enter your Name" default answer "")
end tell
EOT`
echo $EndUserName
I tested this with Casper Remote and it works when a user is logged in, but will hang if no one is logged in. I haven't tested through self service or from a scheduled event like at login.
Consider a check, or even a wait, until someone is logged in. With the script relying on end user input, it would be prudent to check the input before doing anything important with it.
If the input/name can be obtained via an automated means, it would seem to eliminate the need for extra checking and in many cases be preferred, and possibly more secure.
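Added example (not part of the thread and not the poster's code): the text typed into that dialog is user-controlled, so it needs checking before it is handed to dscl, exactly as the post says. The osascript dialog is the one from the post; the helper names, the allow-list for a short name, and the DSCL variable used to dry-run the append outside macOS are assumptions for this example.

```shell
#!/bin/bash
# Added example: validate a name typed into a dialog before it reaches dscl.
# A value such as "bob; rm -rf /" or "../Groups/admin" must never be passed
# straight into a command line or a directory-service path.

# prompt_for_name shows the same System Events dialog the post uses and
# prints what the user typed. macOS only; not exercised in the offline checks.
prompt_for_name() {
    /usr/bin/osascript <<'EOT'
tell application "System Events"
    activate
    text returned of (display dialog "Enter your short name" default answer "")
end tell
EOT
}

# validate_shortname accepts a conservative macOS short-name shape (assumed
# allow-list): 1-32 characters, lowercase letters, digits, '.', '_' or '-',
# and the first character must be a letter or digit. Returns 0 if acceptable.
validate_shortname() {
    name=$1
    case $name in
        '') return 1 ;;                              # empty answer
        *[![:lower:][:digit:]._-]*) return 1 ;;      # any character outside the allow-list
        [._-]*) return 1 ;;                          # must start with a letter or digit
    esac
    [ "${#name}" -le 32 ] || return 1
    return 0
}

# add_to_admin validates first, then appends with a quoted argument so the
# shell never word-splits or globs the name. DSCL is an assumed override so
# the call can be dry-run on a non-Mac; it defaults to the real binary.
add_to_admin() {
    name=$1
    validate_shortname "$name" || { echo "rejected: $name" >&2; return 1; }
    "${DSCL:-/usr/bin/dscl}" . append /Groups/admin GroupMembership "$name"
}

# Typical use on a Mac with a user logged in:
#   add_to_admin "$(prompt_for_name)"
```

Anything the dialog returns that fails validate_shortname is rejected before dscl sees it, and because the name is quoted at the call site, a name that passed validation still cannot be split into extra arguments.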

Posted on 03-29-2012 04:06 PM
Hey Jacob,
I have some scripts that do similar functionality for some projects I have worked and am currently working on. Your example is very similar to what I am doing. However, when testing on a 10.7.x box if I use System Events I always got some error message, but if I used the Finder it worked. I have zero clue if this is due to Lion's sandbox environment or not.
Have you tested your method in 10.7?
Many Thanks,
Tom

Posted on 03-29-2012 04:09 PM
You can accomplish this if you use the Finder or even System Events to display the dialog:
#!/bin/sh
NAME=$(osascript <<-EOF
tell application "Finder"
set theText to display dialog "What is your name?" default answer ""
end tell
text returned of theText
EOF
)
echo "$NAME"

Posted on 03-29-2012 04:24 PM
I prefer using System Events instead of Finder because if the Finder is not the foreground application when it executes, it just bounces in the Dock. Using System Events causes the dialog to display over existing windows/applications (although the dialog can still be pushed to the background by the user afterwards)

Posted on 03-29-2012 04:28 PM
Hey guys,
Well I will go back and revisit System Events again, but when I was running these through testing it always kicked back an error. However, it only did it on my 10.7 test box. Though to be fair, my 10.7 test box gets abused slightly. :-)

Posted on 03-29-2012 04:54 PM
I did not think about 10.7 (We are still running 10.6.8 everywhere)
I choose "System Events" for the same reason: "Finder" likes to pop windows forward and/or bounce in the dock.
Though if you remove the "Activate" it might behave better.

Posted on 03-30-2012 07:41 AM
What I am really trying to do is move users from our AD Admins group into the Local Admins group. I think I know where to start. I know I need something like this:
currentuser=$(stat -f%Su /dev/console)
and
dscl . append /Groups/admin GroupMembership "$currentuser"
Basically my goal would be if the user is in the "ADADMINS" group they get both Network Admin and Local Admin rights. I'm thinking the best way to do this is via Self Service and just have the tech log in the user, verify Admin rights and then click this script to invoke local admin.

Posted on 03-30-2012 08:50 AM
#!/bin/bash
#####################################
# Get Current Logged In User #
#####################################
user=`ls -l /dev/console | cut -d " " -f 4`
#####################################
# Move User to Local Admin Group #
#####################################
dscl . append /Groups/admin GroupMembership $user
Looks like this works well. Wonder if this can be automated with an Extension Attribute :D

Posted on 03-30-2012 08:58 AM
Matt,
If you use this as a log in hook policy or self service policy, the Casper Framework automatically sets the currently logged in user to $3. However, this only works when a policy is executed at log in/out or via self service. Every time a user logs in, you could check their membership against a group and then if you get a false or positive result an if/then statement could work to add them to that group.
Thanks,
Tom

Posted on 03-30-2012 09:41 AM
Thanks Tom. Sounds like the same logic I was thinking. For now I am using this script in Self Service and just tested it a few times. It's great thus far. I added another script to run before with the jamf helper to give a message to the users as well.
#!/bin/bash
#####################################
# Warning Message #
#####################################
/usr/sbin/jamf displayMessage -message "This script must run logged in as the user. Please verify that user is in appropriate AD Group MACADMINS before proceeding. Running this script without the user being in the proper group will cause permanent data loss."
#!/bin/bash
#####################################
# Get Current Logged In User #
#####################################
user=`ls -l /dev/console | cut -d " " -f 4`
#####################################
# Move User to Local Admin Group #
#####################################
dscl . append /Groups/admin GroupMembership $user

Posted on 03-30-2012 09:53 AM
How about adding an if statement to check dscl for membership already? The only issue I see so far is that dscl will continue to add user records to the group even if it already exists. I'm going to give it a shot but if anyone can give me some if statement tips.
Using the script above my logic would be.
if $user is already in /Groups/admin then run jamf displaymessage
else
if $user is not in /Groups/admin then run jamf displaymessage and run dscl . append /Groups/admin GroupMembership $user
dscl . -read /Groups/admin GroupMembership | cut -d " " -f 2- | tr " " "\n"
I know that brings up the users.
Thanks for all the help. Getting better at scripting every time!

Posted on 03-30-2012 10:31 AM
I like this basic "if" statement syntax:
if command ; then
do something
fi
The "command" part must return something that's "true" or a result that you can parse.
The dseditgroup command allows you to check for group membership. Replace "username" with the name you're checking and "groupname" with the group you're checking:
dseditgroup -o checkmember -m username groupname
It will return one of three statements:
- yes jcool is a member of admin
- no jcool is NOT a member of admin
- Unable to find the user record
You could use something like the following to check for "yes" in the result:
if dseditgroup -o checkmember -m jcool admin | grep -q yes ; then
do something
fi
Many ways to skin a cat.

Posted on 03-30-2012 10:33 AM
Let me give this a shot and see what I can dig up.

Posted on 03-30-2012 10:50 AM
Ran into something interesting with the dseditgroup option.
If you are a Network Admin but not a "local" admin it still shows up as being a member of the admin group even though you are not in the /Groups/admin.
EDIT 1:
dseditgroup -o read -n /Local/Default admin
Does list correctly. When I run that command it shows all the local admins. Now how can I get that output in the if statement. :(

Posted on 03-30-2012 11:54 AM
Hey Matt,
Another neat trick you can use is to check the exit status of the last command you ran. If the command was successful it should exit with a 0, if not with a 1 or some other exit status number. See my example:
bash-3.2# dseditgroup -o checkmember -m tlarkin admin
yes tlarkin is a member of admin
bash-3.2# echo "$?"
0
bash-3.2# dseditgroup -o checkmember -m dude admin
Unable to find the user record
bash-3.2# echo "$?"
64
When I run the command `echo $?` it echoes the exit status of the previously run command. You can see when it found my admin account it exited with 0, and when it did not find the account named "dude" it exited with 64.
You can use this method to build logic on figuring out if a member is in fact a member of a certain group without having to deal with piping out any other commands. So for example:
#!/bin/sh
#use as login script with Casper, which passes the logging-in user as $3
dseditgroup -o checkmember -m "$3" admin
if [ $? -eq 0 ]
then echo "$3 is a member"
else echo "$3 is not a member"
fi
exit 0
So you can logic your code in that manner. My example code just echoes out results and doesn't do anything else. You'd have to rewrite it to fit your needs, but the concept is decently solid. I have used it in the past for scripts to test against positive or negative output.
thanks,
Tom

Posted on 03-30-2012 12:10 PM
The issue I am running into is the difference between being a Network Admin and a Local Admin. When using Active Directory groups to handle admin rights it works until you unplug from the network; then you are back to a standard user. When I do "dseditgroup -o checkmember -m $3 admin" it always says Yes because I am a Network Admin even though I am not in the "dscl . read /Groups/admin GroupMembership"
I tried doing this:
#!/bin/sh
user=`ls -l /dev/console | cut -d " " -f 4`
group=`dseditgroup -o read -n /Local/Default admin | grep -a $user`
if [ $user == $group ]; then
result=Yes
else
result=No
fi
echo "<result>$result</result>"
And when I expect Yes I get Yes!!!! When I get No though I get this error:
"/bin/bash: line 6: [: matthewle: unary operator expected
<result>No</result>"
I am getting the No I expect but whats this error mean??? At first I thought it said "Urinary operator". Thought maybe my computer had to take a leak :D

Posted on 03-30-2012 12:20 PM
That "[:" is telling you that the test is failing (that bit between the square brackets in your if statement)
What's failing is that one of your variables isn't getting set so it's tossing the error. I'd throw in an echo for each variable right before your if statement to see if they're getting set properly.

Posted on 03-30-2012 12:30 PM
When the user is in /Groups/admin it works perfect.
When the user is not in /Groups/admin it reports No correctly, just gives me that strange error. When I did echo for the $user it echoes an expected result; when you echo $group and you are not in the group it returns nothing at all, and I think that's what's causing the error.

Posted on 03-30-2012 12:31 PM
try using a fuzzy regex match instead with =~ instead of ==.


Posted on 03-30-2012 12:34 PM
#!/bin/sh
user=`ls -l /dev/console | cut -d " " -f 4`
group=`dseditgroup -o read -n /Local/Default admin | grep -a $user`
if [ $user =~ $group ]
then
echo "Yes"
else
echo "No"
fi
Returns the same error but also returns No as expected. I am pretty certain now the error is because its returning nothing (as it should because the user isn't in the group.)
EDIT 1:
#!/bin/sh
user=`ls -l /dev/console | cut -d " " -f 4`
group=`dseditgroup -o read -n /Local/Default admin | grep -a $user`
echo "$user"
echo "$group"
if [[ "$user" = "$group" ]] ; then
echo "Yes"
else
echo "No"
fi
I found an issue with whitespace it seems. The results are:
matthewle
<lots of whitespace>matthewle
No
Wondering if the whitespace is killing this.

Posted on 03-30-2012 02:03 PM
probably. you're making an exact comparison with the == operator. " username" is not the same as "username," so your comparison fails.
try the regex match operator.

Posted on 03-30-2012 02:06 PM
or use ruby, python, perl, etc. that all offer a "strip" method for strings that would save you a step.

Posted on 03-30-2012 02:14 PM
#!/bin/sh
#####################################
# Move Network Admin to Local Admin #
# author: matt.lee@fox.com #
#####################################
#######################################
# Setting Variables #
# user = Currently logged in user #
# group = Verifying user is in group #
#######################################
user=`ls -l /dev/console | cut -d " " -f 4`
group=`dseditgroup -o read -n /Local/Default admin | grep -a $user`
#######################################
# Recticulating Splines #
#######################################
if [ $user = $group ] ; then
/usr/sbin/jamf displayMessage -message "Account already exists"
else
/usr/sbin/jamf displayMessage -message "Account added successfully."
dscl . append /Groups/admin GroupMembership $user
fi
exit 0
This works perfectly. Does exactly what I want even though it throws that error. Any Sim City fans? :D

Posted on 03-30-2012 02:31 PM
Hey Matt,
This is one of the downsides to grep, it grabs everything with the string and you can get weird white space issues. As Nate mentioned ruby, perl and python are really all great at parsing text. You can manipulate text to your heart's content pretty easily with all of them, and Python is relatively easy to learn. BASH, you can manipulate text as well with say awk or sed. I could sit here and tell you the best language to use, but that would cause endless unneeded debate. Plus at the end of the day, it only really matters if it works, right?
Glad you got it fixed, that is awesome. To give you an example of piping to awk instead of grep I did this really quick:
dseditgroup -o read -n /Local/Default admin | awk '/tlarkin/ { print $1 }'
tlarkin
So it returned my user name with no white space. My personal opinion though for these really simple scripts you should also keep it simple, and not have to pipe out 500 things to accomplish what you want. You just gotta figure out that balance from time spent versus reward, and of course if you accomplished your goal or not.
have a great weekend,
Tom

Posted on 03-30-2012 02:36 PM
Interestingly enough I got the same error with awk! But at this point the script works perfectly with both awk and grep. This will def. help our techs. I'm pretty sure the issue is the returning a <null> value thats tripping the error.

Posted on 03-31-2012 05:37 PM
For info, the following will not work as expected on 10.6:
dseditgroup -o read -n /Local/Default admin | grep -a $user
For 10.6, you'd need:
dseditgroup -o read -n /Local/Default admin 2>&1 | grep $user
This, however, will also work with both versions:
dscl localhost read /Local/Default/Groups/admin GroupMembership | grep -a "$user"
As for variables and if statements, you need to be careful how you supply the variable to the if statement. It's good practice to double quote the variable, so
if [ "$user" == "$group" ]
you can alternatively double bracket
if [[ $user = $group ]]
although I would actually say do both (as Matt also pointed out)!
if [[ "$user" = "$group" ]]
Better still, using the dscl command instead will return either nothing or a single line of text, so you can now just check whether it is empty or not. But, since usernames could overlap (maybe you have a user called 'roo'; since root is an admin this would be a false positive) exact matches would be preferable.
Try this out:
#!/bin/bash
## NB. /dev/console should no longer be used due to virtual screen sharing logins.
## This script should be modified to reflect this if necessary.
user=`stat -f%Su /dev/console`
group=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep -x "$user"`
if [[ "$user" == "$group" ]]
then
result="Yes"
else
result="No"
fi
echo "<result>$result</result>"
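Added example (not from the thread) of the exact-match check the post above argues for, run over a constructed GroupMembership line instead of a live directory so it can be tried anywhere. The function names and the sample member list are assumptions for this example; the dscl command inside local_admins is the one the post uses and only runs when no sample line is passed in.

```shell
#!/bin/bash
# Added example: exact-match test for local admin membership. It shows the
# two problems discussed in the thread: a substring grep matches "roo"
# against "root", and an empty grep result breaks an unquoted [ $a = $b ].

# Constructed sample of what
#   dscl localhost read /Local/Default/Groups/admin GroupMembership
# prints on a typical Mac. The real command is only run when no sample is given.
SAMPLE_MEMBERSHIP='GroupMembership: root admin matthewle jcool'

# local_admins prints one member per line from a GroupMembership line
# (argument 1) or, if none is supplied, from the local directory.
local_admins() {
    line=${1:-$(dscl localhost read /Local/Default/Groups/admin GroupMembership)}
    printf '%s\n' "$line" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | sed '/^$/d'
}

# substring_member reproduces the thread's original check (grep "$user"):
# succeeds if any member merely contains the name.
substring_member() {
    local_admins "$2" | grep -q -- "$1"
}

# exact_member is the fixed check: -x anchors the whole line so "roo" does not
# match "root", and -q turns the result into an exit status, so there is no
# possibly-empty string to feed into a [ ] test.
exact_member() {
    local_admins "$2" | grep -qx -- "$1"
}

# admin_status prints the Yes/No extension-attribute result used in the thread.
admin_status() {
    if exact_member "$1" "$2"; then
        echo "<result>Yes</result>"
    else
        echo "<result>No</result>"
    fi
}

# On a Mac the live check would be: admin_status "$(stat -f%Su /dev/console)"
```

With exact_member the "roo" versus "root" case from the post returns No, while substring_member still says Yes; the assertions below check both behaviours against the constructed line.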

Posted on 04-02-2012 07:39 AM
Thanks for all the help everyone. I think I have a solid script now. Here is the script. Basically this will be a self service script that allows a tech to grant a user who has Network Admin rights Local Admin rights as well.
#!/bin/bash
#######################################
# Setting Variables #
# user = Currently logged in user #
# group = Verifying user is in group #
#######################################
user=`stat -f%Su /dev/console`
group=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep -x "$user"`
#######################################
# Recticulating Splines #
#######################################
if [[ "$user" == "$group" ]]
then
result="Yes"
/usr/sbin/jamf displayMessage -message "Account already exists"
else
result="No"
/usr/sbin/jamf displayMessage -message "Account added successfully."
dscl . append /Groups/admin GroupMembership "$user"
fi
echo "<result>$result</result>"

Posted on 04-02-2012 01:23 PM
Now that I have this excellent script I am ready to take this a step farther...
Login script: check the logged-in user's Real Name, then check an AD group for membership; if membership exists, add to local admin, else exit.
So I guess the place to start is gathering the users real name. I found one way to do it via dscl but it gives me a return of:
Real Name: Your Name
I would love just to get just the output as real name so I can then look it up. Any advice. Appreciate all the help.

Posted on 04-02-2012 02:28 PM
add this to the end of your dscl query:
| tail -1 | cut -c 2-

Posted on 04-03-2012 02:01 AM
nkalister is right. The response you are receiving is across 2 lines. eg.
RealName:
Matt Lee
You could flatten it to one line if you don't mind keeping 'RealName' by adding:
| tr "\n" " "
or using the above example, I would be more inclined to remove leading whitespace as opposed to relying on character positions and use one command to do the lot
| sed -e '$!d' -e 's/^[ ]*//'
-e '$!d' = print last line only
's/^[ ]*//' = remove any leading spaces/tabs if any exist.
You may find the following pages useful to help you get started:
http://sed.sourceforge.net/sed1line.txt
http://www.pement.org/awk/awk1line.txt

Posted on 04-03-2012 09:06 AM
Some progress.
Declared Variables
shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ ]*//'`
A test of Echo shows exactly what I want
Realname = "Matthew Lee"
shortname = "matthewle"
Making good progress! Thanks for all the help everyone. Once this script is done I will upload it for all to enjoy.

Posted on 04-03-2012 10:13 AM
shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ ]*//'`
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS | grep "$realname"`
### Testing Output Only Delete before Completion
echo $adgroup
Echo results are:
CN=Matthew Lee,OU=Users,OU=Pico Lot,OU=Los Angeles,OU=North America,OU=FNG,DC=ffe,DC=foxeg,DC=com
How can I extract just "Matthew Lee" from here? I tried GREP and no matter what I do it always gives me the same output.

Posted on 04-03-2012 12:30 PM
#!/bin/bash
#######################################
# Add Network Admin to Local Admin Group #
# author: matt.lee@fox.com #
#######################################
#######################################
# Declaring Variables #
#######################################
shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ ]*//'`
# localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS member | grep "$realname"`
echo $shortname
echo $realname
echo $adgroup
#######################################
# Checking AD Group Membership #
#######################################
if [[ "$realname" == "$adgroup" ]]; then
result="Yes"
else
result="No"
fi
echo "<result>$result</result>"
Can't get them to result "Yes" even though the output matches :(

Posted on 04-03-2012 01:15 PM
Echo results are: CN=Matthew Lee,OU=Users,OU=Pico Lot,OU=Los Angeles,OU=North America,OU=FNG,DC=ffe,DC=foxeg,DC=com How can I extract just "Matthew Lee" from here? I tried GREP and no matter what I do it always gives me the same output.
Have you tried the "grep -o" option?

Posted on 04-03-2012 02:24 PM
I actually did the grep -o a bit ago and got some new results I got side tracked so Ill continue tomorrow :)
Thanks for the help again everyone.

Posted on 04-03-2012 02:49 PM
#!/bin/bash
##########################################
# Add Network Admin to Local Admin Group #
# author: matt.lee@fox.com #
##########################################
##########################################
# Declaring Variables #
##########################################
shortname=`stat -f%Su /dev/console`
realname=`dscl . read /Users/$shortname RealName | sed -e '$!d' -e 's/^[ ]*//'`
localgroup=`dscl localhost read /Local/Default/Groups/admin GroupMembership | tr " " "\n" | grep -x "$shortname"`
adgroup=`dscl "/Active Directory/FFE/All Domains" -read /Groups/MACADMINS member | grep -o "$realname"`
##########################################
# Checking AD Group Membership #
##########################################
if [[ "$realname" == "$adgroup" && "$shortname" != "$localgroup" ]]; then
result="Yes"
dscl . append /Groups/admin GroupMembership "$shortname"
elif [[ "$realname" == "$adgroup" && "$shortname" == "$localgroup" ]]; then
result="No"
elif [[ "$realname" != "$adgroup" ]]; then
result="No"
fi
echo "<result>$result</result>"
Works when deployed!!!! I'll do some more testing tomorrow. So far this is a pretty wicked script.
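Added example (not part of the thread and not the script above) for the two matching problems the last posts ran into: pulling the CN out of an AD member DN and comparing it exactly, then reconciling AD and local membership without touching the directory. The sample DNs (OU and DC values invented), the function names, and the "AD lookup failed" guard are assumptions for this example; the result strings are the ones the final script prints, and the realname would come from the same dscl RealName lookup used above.

```shell
#!/bin/bash
# Added example: exact CN matching against AD group members. The thread's
# grep -o "$realname" over member DNs finds "Matthew Lee" inside
# "CN=Matthew Leeds,..." and so treats the wrong person as approved.

# Constructed sample of the 'member' attribute as dscl prints a multi-valued
# attribute: the name on one line, each value on its own indented line.
# OU/DC values are invented. CNs containing an escaped comma (\,) are not handled.
SAMPLE_MEMBERS='member:
 CN=Matthew Leeds,OU=Users,OU=HQ,DC=example,DC=com
 CN=Jane Cool,OU=Users,OU=HQ,DC=example,DC=com'

# ad_member_cns prints the CN of every member DN, one per line.
ad_member_cns() {
    printf '%s\n' "$1" \
      | sed -e 's/^member: *//' -e 's/^ *//' \
      | sed -n 's/^CN=\([^,]*\),.*/\1/p'
}

# in_ad_group succeeds only when some member's CN equals $1 exactly
# (-x whole line, -F no regex metacharacters, -q exit status only).
in_ad_group() {
    ad_member_cns "$2" | grep -qxF -- "$1"
}

# substring_in_ad_group reproduces the final script's
#   grep -o "$realname" ... then "$realname" == "$adgroup"
# to show the false positive.
substring_in_ad_group() {
    [ "$(printf '%s\n' "$2" | grep -o -- "$1" | head -n 1)" = "$1" ]
}

# reconcile prints the action the final script would take, without running
# dscl. Arguments: shortname, realname, AD member dump, local GroupMembership line.
# An empty AD dump means the lookup failed (off the network, bad path), so no
# change is made; without this guard every local admin would be removed.
reconcile() {
    short=$1 real=$2 ad=$3 loc=$4
    if [ -z "$ad" ]; then
        echo "AD lookup failed: no change"
        return 2
    fi
    if printf '%s\n' "$loc" | sed 's/^GroupMembership: *//' | tr ' ' '\n' | grep -qx -- "$short"; then
        is_local=yes
    else
        is_local=no
    fi
    if in_ad_group "$real" "$ad"; then is_ad=yes; else is_ad=no; fi
    case "$is_ad/$is_local" in
        yes/no)  echo "User Successfully Added" ;;    # would run: dscl . append /Groups/admin GroupMembership "$short"
        yes/yes) echo "Admin User Detected" ;;
        no/yes)  echo "Removing Unapproved User" ;;   # would run: dscl . delete /Groups/admin GroupMembership "$short"
        no/no)   echo "Standard User Detected" ;;
    esac
}
```

Two points worth keeping from this: a RealName is not unique in AD, so even an exact CN match should be treated as a weak key compared with matching on the account name or objectGUID where the directory exposes it; and a removal branch must never run on the strength of a lookup that returned nothing.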
