Posted on 08-17-2015 11:16 AM
All -
Looking for some help here as far as a script to add multiple AD groups to the OS X AD Plugin.
In our environment, historically, rights to numerous items are granted by adding all users to a specific AD group; this is for easier support as well as keeping track of rights and access.
Currently, in the Casper environment that I have become responsible for, there is a script that runs at build time after AD binding. This does numerous things, one of which is adding our desktop techs' AD group to the local admin group so that they have the rights to administer the machine.
Here is the current script:
#!/bin/sh
# Purpose: Set AD plugin options after binding
# Enable mobile accounts
dsconfigad -mobile enable >> /var/log/jamf.log
# Disable mobile account creation confirmation
dsconfigad -mobileconfirm disable >> /var/log/jamf.log
# Force local home folder
dsconfigad -localhome enable >> /var/log/jamf.log
# Disable UNC network home paths
dsconfigad -useuncpath disable >> /var/log/jamf.log
# Add DOMAIN\DesktopAdmins to the allowed administrator groups
# (quoted so the shell does not strip the backslash from DOMAIN\DesktopAdmins)
dsconfigad -groups "DOMAIN\DesktopAdmins" >> /var/log/jamf.log
# Allow authentication from any Domain in the Forest
dsconfigad -alldomains enable >> /var/log/jamf.log
# Allow packet signing
dsconfigad -packetsign allow >> /var/log/jamf.log
# Allow packet encryption
dsconfigad -packetencrypt allow >> /var/log/jamf.log
I am hoping to add additional AD groups to this script. However, when I have added them, either as a whole new #section or just under the current #section, it never adds the second group. When I run the script to add another AD group outside of the build, it also does not work correctly.
Can anyone post something here (or tell me what's wrong) that will actually add the second (or third/fourth/fifth, etc...) AD group to the plugin at build time, as well as something to run on machines already built so that they will get additional AD groups as well? Make sense?
This works perfectly for the single group addition but never for another group. Would love to alter the script at build time to add these groups, but also have something that works to add additional groups at any time in the future.
As always, any help greatly appreciated.
Posted on 08-17-2015 11:37 AM
Hi @MTurnerFMRCO, the problem is that the dsconfigad -groups command overwrites any previous entries. So during imaging, you could modify your script by adding all of the groups at once:
group1="DOMAIN\DesktopAdmins"
group2="DOMAIN\ServerAdmins"
group3="DOMAIN\SecurityTeam"
# Add DOMAIN administrator groups
dsconfigad -groups "$group1,$group2,$group3" >> /var/log/jamf.log
I use the following script to add groups individually to existing machines without changing what was already in place. I just specify the security group I want to add in Parameter 4 in either a Policy or Casper Remote. If you use this frequently you could modify it to add more than 1 at a time.
#!/bin/bash
##################
#Script information
##################
#Script: Add_Admin_Group_1.0
#Purpose: This script will add the AD group specified in Parameter 4 when the script is run to the AD binding admin groups.
#########
#Variables
#########
CURRENTGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //')
#New Group is defined in casper script Parameter 4
#Note the doubled backslash: inside double quotes "\$4" is a literal "$4", not the parameter value
NEWGROUP="domain\\$4"
#########
#SCRIPT
#########
#-groups replaces the whole list, so the existing groups are re-submitted with the new one appended
case "$CURRENTGROUPS" in
    ""|"not set") NEWGROUPLIST="$NEWGROUP" ;;                  #no groups configured yet
    *)            NEWGROUPLIST="$CURRENTGROUPS,$NEWGROUP" ;;
esac
dsconfigad -groups "$NEWGROUPLIST"
VALIDATEGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/ //')
if [ "$VALIDATEGROUPS" == "$NEWGROUPLIST" ]
then
echo "Admin Groups configured successfully." >> yourlogfile
exit 0
else
echo "Unable to set admin groups." >> yourlogfile
exit 1
fi
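To make the append-without-overwrite idea from the script above testable, here it is factored into pure shell functions (an added example, not code from the thread). The `dsconfigad -show` text is a constructed sample, and the functions only compute the group list and the command line rather than running dsconfigad, so they run anywhere; unlike the script above, the merge also skips a group that is already present and treats a "not set" value as empty.

```sh
#!/bin/sh
# Constructed sample of `dsconfigad -show` output (not captured from a real Mac)
SAMPLE_SHOW='Active Directory Forest          = example.internal
Active Directory Domain          = example.internal
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = DOMAIN\DesktopAdmins,DOMAIN\ServerAdmins
'

# Pull the comma-separated admin group list out of `dsconfigad -show` text ($1).
# Prints an empty string when the option is absent or reported as "not set".
current_admin_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//; s/^not set$//'
}

# Return the list with $2 appended, unless it is already present (idempotent,
# so a policy that re-runs does not grow the list). Backslashes in DOMAIN\Group
# survive because the case pattern is quoted and printf %s does not interpret them.
merge_admin_groups() {
    current="$1"; new="$2"
    if [ -z "$current" ]; then
        printf '%s\n' "$new"
        return
    fi
    case ",$current," in
        *",$new,"*) printf '%s\n' "$current" ;;
        *)          printf '%s,%s\n' "$current" "$new" ;;
    esac
}

# Build the command line that would apply the merged list. The argument is
# double-quoted so the shell does not eat the backslashes (an unquoted
# DOMAIN\Group becomes DOMAINGroup).
dsconfigad_groups_cmd() {
    printf 'dsconfigad -groups "%s"\n' "$1"
}

# Demo: merge a third group into the constructed sample and show the command.
merged=$(merge_admin_groups "$(current_admin_groups "$SAMPLE_SHOW")" 'DOMAIN\SecurityTeam')
dsconfigad_groups_cmd "$merged"
```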
Posted on 08-17-2015 11:37 AM
dsconfigad -groups "DOMAIN\DesktopAdmins,DOMAIN\SecondGroup,DOMAIN\ThirdGroup"
should work
Posted on 08-18-2015 05:09 AM
Thank you both for the reply. I will test both and add details here.
Posted on 08-18-2015 05:13 AM
I didn't even put the DOMAIN\ part in it.
sudo dsconfigad -groups ADMINS,WORKSTATIONSADMINS,GROUPTHREEHERE