Posted on 08-08-2016 08:34 AM
Hi all
Thought i would share this as i have always wanted to look up AD group membership without having to touch AD on a Windows machine.
This script is an example of how i made this check in Self Service.
It uses CocoaDialog for the magic bits and you would need to customize it for your own environment
#!/bin/bash
# ENVIRONMENT VARIABLES
# CocoaDialog Path
if [ -f /usr/sbin/CocoaDialog.app/Contents/MacOS/CocoaDialog ]; then
CD="/usr/sbin/CocoaDialog.app/Contents/MacOS/CocoaDialog"
elif [ -f /usr/local/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog ]; then
CD="/usr/local/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"
else
jamf policy -trigger CD
sleep 60
if [ -f /usr/local/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog ]; then
CD="/usr/local/bin/CocoaDialog.app/Contents/MacOS/CocoaDialog"
fi
fi
# Domain
DOMAIN='your domain eg mydomain'
NETWORK='Your network to ping eg mycorp.com'
######## DO NOT MODIFY BELOW THIS LINE #######
# If machine is not on the network just quit
if ! ping -c 1 -t 5 "$NETWORK" &>/dev/null ;then
echo "not connected to $NETWORK"
/usr/bin/osascript -e 'try
tell application "SystemUIServer"
display dialog "Machine is not on the network, please connect machine to the corporate network." giving up after 10
end
activate application (path to frontmost application as text)
end try'
exit 1
# If machine is on the network carry on
elif ping -c 1 -t 5 "$NETWORK" &>/dev/null ;then
echo "connected to $NETWORK"
# Prompt for username input using Cocoa Dialog
rv1=($($CD standard-inputbox --title "Username" --no-newline --informative-text "Enter the username of the user to look up group membership"))
# Check there was an entry
USERNAME=${rv1[1]}
if [ "$rv1" == "1" ]; then echo "User said OK"
elif [ "$rv1" == "2" ]; then echo "Cancelling" exit
exit 1
fi
# create a named pipe
rm -f /tmp/hpipe
mkfifo /tmp/hpipe
# create a background job which takes its input from the named pipe
$CD progressbar --indeterminate --title "Looking Up Information" --text "Please wait..." < /tmp/hpipe &
# associate file descriptor 3 with that pipe and send a character through the pipe
exec 3<> /tmp/hpipe
echo -n . >&3
# Carry out the query
query=$(dscl /Active Directory/$DOMAIN/All Domains read /Users/$USERNAME dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d')
# pause 5 seconds
sleep 5
# now turn off the progress bar by closing file descriptor 3
exec 3>&-
# wait for all background jobs to exit
wait
rm -f /tmp/hpipe
$CD textbox --title "$USERNAME AD Group Membership" --text "$query" --button1 "OK" ‑‑timeout 900
fi