Posted on 11-25-2015 09:56 AM
Does anyone know of a way to set a specific Active Directory group in the "Allow administration by:" section in the directory utility?
Posted on 11-25-2015 10:05 AM
Can you clarify your question? Are you talking about a built-in JSS binding configuration? Or are you talking about a script? Most importantly, are the Macs you want this to apply to already joined to AD, or are you talking about setting this at the time of joining?
As a start, open up Terminal and do man dsconfigad to pull up the man(ual) page for the dsconfigad tool.
Posted on 11-25-2015 10:38 AM
dsconfigad -groups "group 1,group 2,Domain\group 3, etc..."
Note that this overwrites the list rather than appending to it, so you need to include your complete list of administrative groups.
Posted on 11-29-2015 01:48 PM
I'm currently using this, which works in a post-boot terminal, but when running it within a Casper Imaging config it seems to run prior to the AD bind. Anyone have any ideas for this?
sudo dsconfigad -groups "IT Workstation Support"
Posted on 11-30-2015 05:38 AM
A script is probably what I am looking for. All of our computers are bound to AD already, I just want to add our IT support AD group to the "Allow administration by" field.
Posted on 11-30-2015 06:58 AM
This is the script I created for this purpose. I just sanitized it so I haven't tested it in the form I am posting, but I think it's right.
It is designed to run in a policy or with Casper Remote; you would specify the group you want to add in the $4 variable (Script parameters). It will add to whatever existing admin groups are specified in the binding settings.
Yes that is Grep and Awk and Sed (oh My!) on the same line. We're not in Kansas anymore.
#!/bin/bash
#Purpose: This script will add the AD group specified when the script is run to the AD binding.
#Example:
#Entering "AD Group Name" (aka $4) as: AllTheAdmins
#Would add this to the binding: YourDomain\AllTheAdmins
#########
#Variables
#########
#Change these:
DOMAIN="YourDomain"
YOURLOGFILE="/path/to/your/log/file.log"
#Don't change these:
#Current value of "Allowed admin groups" in the binding (text after the "=", leading space removed).
#If no admin groups have been configured yet, dsconfigad reports "not set" on this line.
CURRENTGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //')
#dsconfigad expects DOMAIN\group; the doubled backslash inside double quotes yields one literal backslash.
NEWGROUP="${DOMAIN}\\$4"
#########
#SCRIPT
#########
if [ -z "$4" ]
then
    echo "No AD group name was passed in parameter 4." >> "$YOURLOGFILE"
    exit 1
fi
#-groups replaces the whole list, so the existing groups are passed along with the new one.
dsconfigad -groups "$CURRENTGROUPS,$NEWGROUP"
VALIDATEGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //')
if [ "$VALIDATEGROUPS" == "$CURRENTGROUPS,$NEWGROUP" ]
then
    echo "Admin Groups configured successfully." >> "$YOURLOGFILE"
    exit 0
else
    echo "Unable to set admin groups." >> "$YOURLOGFILE"
    exit 1
fi
Posted on 10-29-2021 10:19 AM
Sorry to dig this up from the archives, but I have a novice question: which log file path should I be using where it shows YOURLOGFILE="/path/to/your/log/file.log" in the script? Is this referring to the Jamf.log file? The Directory Service log file?
Posted on 12-14-2015 09:01 AM
Thanks for the help! This works 95% of the way. I am able to add the group that I want although it also adds another group called "not set". Any idea why that is showing up?
Posted on 12-14-2015 11:00 AM
I think that is the default output of this command if you don't have groups already configured for admin access:
dsconfigad -show | grep "Allowed admin groups"
We set admin groups when we bind, then use this script to add more groups later. The behavior of the command is to overwrite existing groups. If you are using this on a machine with no admin groups configured then you could add some logic to check the $CURRENTGROUPS variable, or just change the command from:
dsconfigad -groups "$CURRENTGROUPS,$NEWGROUP"
to:
dsconfigad -groups "$NEWGROUP"
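The check suggested above, written out as an added example that is not from the original poster: it parses the "Allowed admin groups" line out of dsconfigad -show output, treats "not set" as an empty list so it never becomes a group name, and skips a group that is already in the list. The dsconfigad -show sample below is constructed from the assumed output format, and apply_admin_group is the only function that touches a real binding.

```bash
#!/bin/bash
# Added example: merge one AD group into the binding's admin group list
# without producing a bogus "not set" entry or a duplicate.

# Constructed samples of the relevant lines from `dsconfigad -show` (assumed format).
SAMPLE_NOT_SET='Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set'
SAMPLE_EXISTING='Advanced Options - Administrative
  Allowed admin groups           = EXAMPLE\domain admins,EXAMPLE\ITSupport'

# Print the value after "Allowed admin groups =" from dsconfigad -show output.
current_admin_groups() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p'
}

# Print the list that should be handed to dsconfigad -groups.
merge_admin_groups() {
  local show_output="$1" newgroup="$2" current g
  current=$(current_admin_groups "$show_output")
  # No groups configured yet: dsconfigad reports "not set", which must not become a group.
  if [ -z "$current" ] || [ "$current" = "not set" ]; then
    printf '%s\n' "$newgroup"
    return 0
  fi
  # Already present: keep the list unchanged. Group names may contain spaces,
  # so split on commas only.
  local IFS=','
  for g in $current; do
    if [ "$g" = "$newgroup" ]; then
      printf '%s\n' "$current"
      return 0
    fi
  done
  printf '%s,%s\n' "$current" "$newgroup"
}

# On a bound Mac, run as root (e.g. from a Jamf policy with the group in $4):
# apply the merged list and confirm the binding now reports exactly that list.
apply_admin_group() {
  local wanted
  wanted=$(merge_admin_groups "$(dsconfigad -show)" "$1") || return 1
  dsconfigad -groups "$wanted" && \
    [ "$(current_admin_groups "$(dsconfigad -show)")" = "$wanted" ]
}
```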
Posted on 08-31-2016 05:01 AM
Quick question, will adding an Active Directory group to the allowed admin groups in this way also allow users in that group to access and control the Mac using Apple Remote Desktop?
I've noticed that there seems to be something resetting ARD access permissions on Macs, is there a setting or policy somewhere in the JSS that does this?