Elevating Local account permissions via a security group on AD bind

Hello.

In our environment we are moving away from binding devices to Onprem AD except for a few small use cases where it is still currently required for Onprem related services such as WIFI, Printing and a couple of Network drives that are slowly being phased out.

One of the tasks I am trying to get working is to elevate the status from Standard to Admin of any AD based Security Group inhabiting Local Admin account created on a Mac.
So my process is as follows;

* User logs into Mac via Jamf Connect authenticating to Azure via their User account
* User account is created locally as Standard (not dependent on onprem AD at all).

* Device has an AD object, is already bound to AD during setup and device is connected to domain via ethernet, wifi or VPN having direct sight to the AD.
* A script is run that unbinds and then rebinds the device but including the name of the security group that the elevated user account is also a member of that utilises the device hostname in the security group naming convention. This security group member should (and is) granted local admin on the device.

My issue is that this seems to work once and then not again on each subsequent device.
I will include the relevant script snippets below but it is very basic unbind rebind dsconfigad stuff.

// Unbind from AD without destroying the object

sudo dsconfigad -leave -u [account] -p [password] -force



// Rebind to existing object using variable for Hostname

sudo dsconfigad -add [domain] -computer $(Hostname) -u [account] -p [pass] -ou "OU=this,OU=is,OU=my,DC=AD,DC=domain,DC=org" -groups "local-$(Hostname)-Admins, [other global admin groups]" -force

In the future we will be moving to using AAD once we have writeback enabled (currently disabled) but this is one method I am trying to get working for now. I do have another method using a script that just adds the user into the admin group but I wanted to try and get this working and am a bit frustrated that it works and the stops working. Just interested if theres a really obvious reason someone can point out.

Page 1 / 1

I also tried to use Jamf built in AD bind incase that had any additional magic that might get this working but same result. Also in case it wasn't clear, unbind rebind works fine, its just the local account elevation to Admin that I can't get working consistently.

Okay I think I worked out a potential reason that might explain on a broqder scale why it wouldn't work it but doesn't explain the one off elevated rights success.

The $(Hostname) variable seems to be added as an administrative security group rather than being replaced with the actual device hostname. I might have to initialise the variable in the script first or use a different format. I do remember this working before but it was using $hostname back then instead of $(hostname)

$(hostname) indicates a command to run, not a variable. I think you might have wanted ${hostname}, although the curly braces really shouldn’t be needed for this.

Actually, never mind. I see now what you were attempting. If it’s not working as $(hostname) then just store it in a variable at the start of the script and place the variable into the dsconfigad line later.

$(hostname) indicates a command to run, not a variable. I think you might have wanted ${hostname}, although the curly braces really shouldn’t be needed for this.

Actually, never mind. I see now what you were attempting. If it’s not working as $(hostname) then just store it in a variable at the start of the script and place the variable into the dsconfigad line later.

Thanks.

I did actually try that and also tried adding the group without needing to do an unbind/rebind but still no luck.

DeviceHostname=$(Hostname)



echo Elevating local-$DeviceHostname-Administrators security group members as Local Admin on this device...

sudo dsconfigad -domain ad.kew.org -groups "local-$DeviceHostname-Administrators"

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded