Scripting Assistance - AD Bind

JAMF_noob
New Contributor

Hi Everyone,

I am still learning the ways of shell scripting and how to best implement them in my Casper environment. I have the following scenario and would appreciate some examples from the community.

In my environment we prefix computer names with their geographical location. Example: aucomputer1 would be a computer in the Austin region. The prefix can be 2 or 4 characters depending on location, so I'm thinking I need to read the first 2, see if it matches my criteria, and if not read the first 4. We also have our AD structure broken down into geographical OUs. For the Austin example we have an AU OU that the computer would live under.

I would like to create a policy for binding to AD. In that policy I want to read the first 2/4 characters of the computer name and then via triggers, initiate the appropriate binding that assigns the computer to the appropriate OU.

EXAMPLE 1: Bind AUCOMPUTER1 to AD > shell script parses first 2 characters = AU > jamf policy -trigger BindAU (assigns to AU OU).

EXAMPLE 2: Bind HOMECOMPUTER1 to AD > shell script parses first 2 characters = HO = no match > shell script parses first 4 characters = HOME > jamf policy -trigger BindHOME (assigns to HOME OU).

6 REPLIES

davidacland
Honored Contributor II

To avoid having loads of separate policies, I would probably go for putting all the logic into the script. The basic idea would be:

read computername and use cut to get first two characters:

code=$(hostname | cut -c-2)

(there's a bunch of commands that can get the hostname, computer name, localhost name, etc., so you just need to pick the one that suits your needs best).

The next bit would be a bit trickier and depend on how many OUs you want to search against. You could use something like

match=$(echo $code | grep -c -E 'AU|BC|DE|FG')

This would compare the result of $code with the possible OUs and return an integer for the number of matches. You then do an

if [ $match -ne 0 ]; then...

bind using dsconfigad with the -ou option, specifying $code in the binding command. If there isn't a match you can continue to get the full 4 characters with the same logic.

If you have a lot more OUs to compare against you may need to use dscl or ldapsearch to compare the $code value with a list of possible matches but if there isn't too many, grep would do the job.

This approach would let you have a single script that you run on all Macs and it programmatically binds to the correct OU.
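
The 2-then-4 character lookup described in this reply, written out as an added example (not code from the thread or from Jamf); the region code lists, the domain and the OU base DN are constructed placeholders, and the script only prints the dsconfigad command instead of running it so it can be tried safely:

```sh
#!/bin/sh
# Added example: derive the AD OU from a computer-name prefix, trying the
# first 2 characters and then the first 4. Codes, domain and base DN below
# are placeholders, not real values.

TWO_CHAR_CODES="AU BC DE FG"
FOUR_CHAR_CODES="HOME LABS"
OU_BASE="OU=Macs,DC=example,DC=com"   # placeholder base DN
AD_DOMAIN="example.com"               # placeholder domain

# in_list VALUE "LIST": print VALUE and return 0 if it is a whole item of
# the space-separated LIST (exact match, so "AU" never matches "AUX").
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && { printf '%s\n' "$1"; return 0; }
    done
    return 1
}

# region_for_name NAME: print the matched region code or return 1.
# The name is uppercased first so "aucomputer1" and "AUCOMPUTER1" agree.
region_for_name() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    code=$(printf '%s' "$name" | cut -c-2)
    in_list "$code" "$TWO_CHAR_CODES" && return 0
    code=$(printf '%s' "$name" | cut -c-4)
    in_list "$code" "$FOUR_CHAR_CODES" && return 0
    return 1
}

# bind_command NAME: print the dsconfigad invocation for that machine.
# Nothing is executed here; a real run needs root and bind credentials.
bind_command() {
    region=$(region_for_name "$1") || {
        echo "no region match for $1" >&2
        return 1
    }
    printf 'dsconfigad -add %s -computer %s -ou "OU=%s,%s"\n' \
        "$AD_DOMAIN" "$1" "$region" "$OU_BASE"
}

# On a Mac you would feed it the real name, e.g.:
# bind_command "$(scutil --get ComputerName)"
```

A name whose prefix is in neither list makes bind_command fail instead of binding to a guessed OU, which is the case worth checking before rolling this out.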

spraguga
Contributor

@JAMF_noob You can also do this using Smart Groups. For "au" create a Smart Group with a Criteria of Computer Name like "au%" without the quotes. This will find any computers starting with au, Au, aU, or AU. Then create the Directory Bind policy for AU scoped to the Smart Group. Then just create another Smart Group and Policy for the other locations.

calumhunter
Valued Contributor

Could you also not scope via network segments? That way you don't even have to rely on computer names.

mm2270
Legendary Contributor III

Assuming you want to actually go ahead with scripting this and not use the suggestions of Smart Groups and/or Network Segments, are the "AUCOMPUTER1" and "HOMECOMPUTER1" examples you provided examples of actual computer names or were they purely examples? What I'm asking is, is the term "computer" or something consistent like that always part of the name that comes right after the region code?

mm2270
Legendary Contributor III

Ugh. Double post

mscottblake
Valued Contributor

I wrote a script that does pretty much this exactly. You can find it at https://github.com/MScottBlake/mac_scripts/tree/master/bindMachineToActiveDirectory. In my environment, we take the first 5 or 6 characters and decide on the OU. You would need to modify accordingly, but I think this should help.

The cool thing is that the script does all the heavy lifting, you don't need to do anything fancy with your scoping or smart groups. Just have the machine run the script, and it will bind to the OU of your choice.