Show AD User Group memberships with extension attribute

  • May 5, 2014


Hi..

After following instructions by Dan on this page:
https://jamfnation.jamfsoftware.com/discussion.html?id=7292

I've also seen this link and still can't get it to work:
https://jamfnation.jamfsoftware.com/discussion.html?id=6311

I've set up an EA to grab AD group membership. Works great...only on some clients. Other times it fails with the message: No such key: dsAttrTypeNative:memberOf

The trouble is that this attribute does exist for the user..and all users. I can see it in Apache Directory Studio.

The script in my EA is as follows. Anyone know what I'm doing wrong, or is there an easier way to display AD group membership for a user???

# User currently logged in at the console
currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
# Read memberOf from AD and trim each DN down to its leading CN
Groups=$( dscl "/Active Directory/XX/All Domains" read "/Users/$currUser" dsAttrTypeNative:memberOf | awk -F"OU" '{ print $1 }' | sed -e 's/CN=//g;s/,$//g;1d' )
echo "<result>$Groups</result>"

3 replies

jhbush
  • Esteemed Contributor
  • May 5, 2014

@ooshnoo it works for me. I'm not sure I would put that much data into a field though.


  • Author
  • Honored Contributor
  • May 6, 2014

I tried a different more reliable command and it worked.

# User currently logged in at the console
currUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
# Parse group information out of the id output
Groups=$( id "$currUser" | tr "," " " | sed -n 's/^.*(/(/p' | tr -d '()' )
echo "<result>$Groups</result>"

  • New Contributor
  • March 24, 2015

So I've tried the following:

dscl "/Active Directory/*YOURDOMAIN*/All Domains" -read /Groups/*groupname* dsAttrTypeNative:member

And I get the same No such key: dsAttrTypeNative:member error. I can access almost every other key within that group but that one. Here is what that group lists for its keys:
dsAttrTypeNative:member;range=0-1499:
And I can access this key directly through Directory Services.
So I know it exists, why can't Directory Services access it via command line?
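
An added example, not part of any post in this thread: a POSIX shell parser for the memberOf output of dscl that takes the CN from each DN instead of splitting on "OU", accepts a ";range=" suffix on the attribute name like the one quoted above, and returns an explicit value when the key is missing. The function names, the sample text and its one-DN-per-indented-line layout are constructed assumptions.

```shell
#!/bin/sh
# Added example; reads dscl output on stdin so it can be tested off-domain.

# Print the CN of each DN listed under dsAttrTypeNative:memberOf.
ad_groups_from_dscl() {
    awk '
        # Header: attribute name, optional ";range=a-b" suffix, then a colon.
        /^dsAttrTypeNative:memberOf(;range=[0-9]+-[0-9*]+)?:/ { in_attr = 1; next }
        # Any other non-indented line belongs to a different attribute.
        /^[^ ]/ { in_attr = 0 }
        in_attr && /^ CN=/ {
            dn = substr($0, 5)            # drop the leading " CN="
            name = ""
            # Walk the first RDN only. A backslash escapes the next character,
            # so "\," inside a group name does not end the CN.
            # (Hex escapes such as \2C are not decoded here.)
            for (i = 1; i <= length(dn); i++) {
                c = substr(dn, i, 1)
                if (c == "\\") { i++; name = name substr(dn, i, 1); continue }
                if (c == ",") break
                name = name c
            }
            print name
        }'
}

# Build the extension attribute value. When no memberOf values were parsed
# (for example after "No such key"), say so rather than returning an empty
# result that looks like "user is in no groups".
ea_result() {
    list=$(ad_groups_from_dscl | LC_ALL=C sort -u | paste -sd ';' -)
    [ -n "$list" ] || list="memberOf not returned"
    printf '<result>%s</result>\n' "$list"
}

# Constructed sample, not captured from a real directory. It includes a group
# outside any OU and a name containing "OU", both of which break -F"OU".
SAMPLE='dsAttrTypeNative:memberOf;range=0-1499:
 CN=Mac Admins,OU=Groups,DC=example,DC=com
 CN=VPN Users,CN=Users,DC=example,DC=com
 CN=SOURCE Team\, EU,OU=Groups,DC=example,DC=com
dsAttrTypeNative:name: jdoe'

printf '%s\n' "$SAMPLE" | ea_result
```

On a bound Mac the same functions would be fed from the dscl read command used in the thread; keeping "memberOf not returned" distinct from an empty value makes the intermittent failures visible in inventory.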