Writing to Active Directory?

Lotusshaney
Contributor II

Hi All,

Is it possible using dscl or dseditgroup to edit group membership in AD from the Mac?

My AD account has the rights I need but when I try it just says failed to make changed.

Anyone done it?


mm2270
Legendary Contributor III

Although technically dscl can write into Active Directory, I wouldn't say it's the right tool for the job. AD structures are often complex, and dscl may just not be able to handle changing those attributes. On the other hand, if you post what you tried, we may be able to see that some syntax isn't correct, and hence the error.

Also, can you elaborate on what it is you're looking to do? There may be another approach to the problem other than writing back to AD.

Lotusshaney
Contributor II

I'm looking at a simple script to remove a list of users from one AD group and then add them to another AD group.

Example of what I have tried

dseditgroup -o edit -d username -t user -u aduserwithrights "domaingroupname"
Please enter user password:
Could not remove member from group.

Dan

mm2270
Legendary Contributor III

@Lotusshaney I can't really do any appreciable testing, but the immediate issue I see is that you don't seem to be specifying AD in your script. If you don't direct either dscl or dseditgroup to the AD domain node, it will, by default, operate on the local node. Use the -n flag in dseditgroup to specify the AD node.
I don't know for sure the correct syntax to use with dseditgroup, but assuming for a moment that it's the same as with dscl, it would be something like "/Active Directory/DOMAIN/All Domains"
So try:

dseditgroup -n "/Active Directory/DOMAIN/All Domains" -o edit -d username -t user -u aduserwithrights "domaingroupname"

EDIT: Actually looking at the man page for dseditgroup, it states this for the -n flag:

-n nodename Directory Service node name such as /LDAPv3/ldap.company.com and whose default value is the local node. "." can also be used to specify the local node.

So maybe try the format it shows in the man page instead.

Lotusshaney
Contributor II

Yeah, tried with the -n and get the same result

dseditgroup -n "/Active Directory/domain/All Domains" -o edit -d usertodelete -t user -u userwithadrights "domaingroup"
Please enter user password:
Could not remove member from group.

Dan

mm2270
Legendary Contributor III

Sorry to hear that didn't work. Not sure I can offer any more assistance. As I mentioned, I don't have any real experience writing back to AD from a scripted interface since it's just not something I do or have a need for. I do seem to recall it coming up on a much older thread and someone posted the method they used for writing back values into AD, but maybe with dscl. Maybe you can do some searching to see if you can locate that thread.

Lotusshaney
Contributor II

Check this Apple article out

https://support.apple.com/en-us/HT202269

"The dscl or dseditgroup command-line tools can be used to view Active Directory group membership, but not to edit group membership."

Bugger!

brock_walters
Contributor

Hello to all -

http://gp2x.org/adtool/

adtool - Active Directory administration utility for Unix

adtool is a unix command line utility for Active Directory administration. Features include user and group creation, deletion, modification, password setting and directory query and search capabilities.

This is a pretty cool binary utility that you can install on an OS X computer that may accomplish what you are trying to do. Use it at your own risk, of course, but I have known several people that have used it successfully in production environments, and in the limited testing I've done with it, it seems to work well. Good luck!

Lotusshaney
Contributor II

Thanks, that works a treat.

Dan
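Whatever tool performs the write (adtool in this thread), Apple's note above says dscl can still read AD group membership, so the move can be verified from the Mac afterwards. The script below is an added example, not code from this thread or from adtool: it parses the output of dscl's -read on the AD node (the node path "/Active Directory/DOMAIN/All Domains" and the GroupMembership attribute are assumptions; adjust DOMAIN for your forest) and reports, for each user in a list, whether they have left the source group and joined the target group.

```shell
#!/bin/bash
# Added example: verify an AD group move by reading membership back with dscl.
# Assumes the Mac is bound to AD and the node path below matches your domain.
AD_NODE="/Active Directory/DOMAIN/All Domains"   # assumed; edit DOMAIN

# Parse `dscl <node> -read /Groups/<group> GroupMembership` output into one
# member per line. dscl prints either "GroupMembership: alice bob" on one line,
# or the label alone followed by one value per indented line.
parse_members() {
  awk '
    /^GroupMembership:/ {
      sub(/^GroupMembership:[ \t]*/, "")
      if ($0 != "") { n = split($0, a, /[ \t]+/); for (i = 1; i <= n; i++) print a[i] }
      inlist = 1; next
    }
    inlist && /^[ \t]+/ { gsub(/^[ \t]+/, ""); print; next }
    { inlist = 0 }
  '
}

# Exit 0 if user $1 appears in the dscl output supplied on stdin.
is_member() {
  parse_members | grep -qx -- "$1"
}

# Read one group's membership from the bound AD node.
read_group() {
  dscl "$AD_NODE" -read "/Groups/$1" GroupMembership 2>/dev/null
}

# $1 user, $2 raw dscl output for the source group, $3 raw output for the
# target group. Returns 0 only if the user is out of the source and in the target.
user_moved() {
  local user="$1" src_out="$2" dst_out="$3" ok=0
  if printf '%s\n' "$src_out" | is_member "$user"; then
    echo "$user: still a member of the source group"; ok=1
  fi
  if ! printf '%s\n' "$dst_out" | is_member "$user"; then
    echo "$user: not yet a member of the target group"; ok=1
  fi
  return $ok
}

# Live check: check_move OldGroup NewGroup alice bob ...
check_move() {
  local src="$1" dst="$2" src_out dst_out rc=0; shift 2
  src_out=$(read_group "$src") || { echo "cannot read group $src from $AD_NODE" >&2; return 2; }
  dst_out=$(read_group "$dst") || { echo "cannot read group $dst from $AD_NODE" >&2; return 2; }
  for u in "$@"; do user_moved "$u" "$src_out" "$dst_out" || rc=1; done
  return $rc
}
```

A non-zero exit from check_move means at least one user is not in the expected state, which is the case to catch before assuming the write tool succeeded.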

el2493
Contributor III

I know this discussion is old, but is anyone currently using adtools (or some other method) to write to AD? I am trying to figure out a way to automatically create a computer object in AD when a computer is enrolled/bound to AD and to put the computer object in a specific OU. Looking at the adtools documentation (http://gp2x.org/adtool/usage.html) it looks like it could be done using the computercreate operation, but it looks a little complicated (the installation instructions are for Linux and I'm not sure if they would be the same on a Mac).

If no one is using adtools, I was wondering if anyone else had a different way to do this, possibly using the API?

mm2270
Legendary Contributor III

@el2493 I'm curious why you would need to create an AD computer object this way. When a Mac is bound/joined to AD, it should be creating that AD object automatically, and much more reliably. And you can specify the OU the Mac should be joined to in the binding settings. This is assuming the service account you use for the binding has permissions to do so, which it should.

Can you elaborate on why you need to make computer AD objects this way if you're doing binding of the Macs anyhow?

el2493
Contributor III

@mm2270 thanks for your fast response! When I look into it deeper I do see that for most computers you are correct, though we do have at least one computer that didn't automatically create a computer object. I'm going to assume that computer just needs to be re-bound.

mm2270
Legendary Contributor III

Yeah, I would try rejoining it. You might have to remove any local AD bind info, which gets stored in a plist on the machine. The dsconfigad tool can help you remove it, forcefully if needed, and then try rebinding it. (Or use Directory Utility) It should create an object in AD. If it doesn't, then something else is going on there.