Set Directory Utility - Allow administration by:

rharrington
New Contributor II

Does anyone know of a way to set a specific Active Directory group in the "Allow administration by:" section in the directory utility?

9 REPLIES 9

mm2270
Legendary Contributor III

Can you clarify your question? Are you talking about with a built in JSS binding configuration? Or are you talking about a script? Most importantly, are the Macs you want this to apply to already joined to AD, or are you talking about setting this at the time of joining?

As a start, open up Terminal and do man dsconfigad to pull up the man(ual) page for the dsconfigad tool.

hkabik
Valued Contributor

dsconfigad -groups "group 1,group 2,Domaingroup 3, etc..."

Note, that overwrites the list not appends. So you need to include your complete list of administrative groups.

mikeyg
New Contributor II

I'm currently using this which works in a post boot terminal but when running it within a Casper Imaging config, it seems run prior to the AD bind. Anyone have any ideas for this?

sudo dsconfigad -groups “IT Workstation Support”

rharrington
New Contributor II

A script is probably what I am looking for. All of our computers are bound to AD already, I just want to add our IT support AD group to the "Allow administration by" field.

Josh_Smith
Contributor III

This is the script I created for this purpose. I just sanitized it so I haven't tested it in the form I am posting, but I think it's right.

It is designed to run in a policy or with Casper Remote, you would specify the group you want to add in the $4 variable (Script parameters). It will add to whatever existing admin groups are specified in the binding settings.

Yes that is Grep and Awk and Sed (oh My!) on the same line. We're not in Kansas anymore.

#!/bin/bash
#Purpose: This script will add the AD group specified when the script is run to the AD binding.

#Example:
#Entering "AD Group Name"(aka $4) as: AllTheAdmins
#Would add this to the binding: YourDomainAllTheAdmins

#########
#Variables
#########
#Change these:
DOMAIN="YourDomain"
YOURLOGFILE="/path/to/your/log/file.log"

#Don't change these:
CURRENTGROUPS=`dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //'`
NEWGROUP="$DOMAIN\$4"

#########
#SCRIPT
#########

dsconfigad -groups "$CURRENTGROUPS,$NEWGROUP"
VALIDATEGROUPS=`dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //'`

if [ "$VALIDATEGROUPS" == "$CURRENTGROUPS,$NEWGROUP" ]
    then
        echo "Admin Groups configured successfully." >> "$YOURLOGFILE"
        exit 0
    else
        echo "Unable to set admin groups." >> "$YOURLOGFILE"
        exit 1
fi

d8b06350409b4ade82cd92e622c6c5f4

Sorry to dig this up from the archives, but I have a novice question: which log file path should I be using where it shows YOURLOGFILE="/path/to/your/log/file.log" in the script? Is this referring to the Jamf.log file? The Directory Service log file? 

rharrington
New Contributor II

Thanks for the help! This works 95% of the way. I am able to add the group that I want although it also adds another group called "not set". Any idea why that is showing up?

Josh_Smith
Contributor III

I think that is the default output of this command if you don't have groups already configured for admin access:

dsconfigad -show | grep "Allowed admin groups"

We set admin groups when we bind, then use this script to add more groups later. The behavior of the command is to overwrite existing groups. If you are using this on a machine with no admin groups configured then you could add some logic to check the $CURRENTGROUPS variable, or just change the command from:

dsconfigad -groups "$CURRENTGROUPS,$NEWGROUP"

to:

dsconfigad -groups "$NEWGROUP"

DanJ_LRSFC
Contributor III

Quick question, will adding an Active Directory group to the allowed admin groups in this way also allow users in that group to access and control the Mac using Apple Remote Desktop?

I've noticed that there seems to be something resetting ARD access permissions on Macs, is there a setting or policy somewhere in the JSS that does this?