Jamf Nation Community

jeremygould · ‎02-15-2014

When enrolling a computer I have the need to automatically add the device to an AD security group after the AD bind. I attempted to use dseditgroup for this but it does not seem to recognize computers (even though there is a "-t computer" option). Has anyone done this or know of a way to automate this via a script as part of the enrollment process?

Thanks.

colonelpanic · ‎02-17-2014

@jeremygould][/url, I ran into the same requirement as you (adding macs to a group after them being bound). In order for the computers to receive machine certificates, they needed to be added to a group that had access to the template on the CA. In my load script, I have something called ADtool running a few seconds after the bind completes (to let the DCs replicate). Here is the syntax:

[```
/usr/local/bin/adtool -H ldaps://xxx.xxx.org -D CN=XXX,CN=Users,DC=XXX,DC=XXX,DC=ORG -w PASSWORD -b DC=XXX,DC=XXX,DC=ORG groupadduserGROUP $(hostname)
```

If you read the man page for adtool, you'll see what all the flags do (basically I just specify the ad admin user, their password, the group, and then $hostname since the object is the same name as the hostname.

you can find adtool here:
http://gp2x.org/adtool/

Hope that helps.

View solution in original post

bentoms · ‎02-15-2014

Hi @jeremygould,

Is this for every Mac? & can you elaborate io why?

Could you maybe bind the macs to a specific OU & then apply the policy to that.

The dscl command may be able to add to the AD group, but you'd need to pass the usernames & password via script do a user with rights to amend the membership. (Which isn't advised, but you maybe able to hash the password).

jeremygould · ‎02-15-2014

Every MAC...we are deploying machine certs from Active Directory and our Security team wants to use a different certificate template for MACs than our Windows devices. They need an AD security group with these devices to assign rights to. Windows certificate template is using the built in group "Domain Computers" so I need to come up with a way to automatically add devices to a separate Security Group.

Played with dscl command as well but ran into some roadblocks.

acdesigntech · ‎02-16-2014

+1 on applying the policy to an OU and binding to that ou

bentoms · ‎02-16-2014

@jeremygould, I'm guessing this is a Windows Network Policy Server? (NPS).

I had a look, & looks like you cannot specify an OU to constrain a policy to: http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx.aspx)

There are ways to expand NPS to look at OU's or ad groups to have members based on OU.

BUT, if the NPS policy is applying to all those that are part of the "Domain Computers" group. Then the policy will apply to the Macs too, during the bind process a computer object is made & that will be a members of the "Domain Computers" group.

So it should work.. Why do they require separate groups for the macs? They should be able to use the same NPS as the Win clients. (Ours do).

Hope that helps.

jeremygould · ‎02-16-2014

Thanks bentoms...I agree. Using the same cert as our Windows devices would be my preference. Our Security team though wanted to setup separate reporting for MAC devices by using a separate certificate. Based on everything I am hearing and reading I don't think it is worth the work to figure out an automated way to get Security Group assignments. I think I will push back on them. Appreciate the response.

bentoms · ‎02-16-2014

@jeremygould no worries.

If the NPS is scoped to Domain Computers... You'll not be able to segregate.

If the Certs are based on the macs name, you could get the to marry up the Certs to the macs records in the JSS.

OR, if you have 1 OU for the macs... They could use the computer objects to marry up against NPS.

BUT, what are they needing reporting on?

bentoms · ‎02-16-2014

@jeremygould, oh last thing... You could create a NPS just for the macs.

colonelpanic · ‎02-17-2014

@jeremygould][/url, I ran into the same requirement as you (adding macs to a group after them being bound). In order for the computers to receive machine certificates, they needed to be added to a group that had access to the template on the CA. In my load script, I have something called ADtool running a few seconds after the bind completes (to let the DCs replicate). Here is the syntax:

[```
/usr/local/bin/adtool -H ldaps://xxx.xxx.org -D CN=XXX,CN=Users,DC=XXX,DC=XXX,DC=ORG -w PASSWORD -b DC=XXX,DC=XXX,DC=ORG groupadduserGROUP $(hostname)
```

If you read the man page for adtool, you'll see what all the flags do (basically I just specify the ad admin user, their password, the group, and then $hostname since the object is the same name as the hostname.

you can find adtool here:
http://gp2x.org/adtool/

Hope that helps.

bentoms · ‎02-17-2014

@colonelpanic, nice solution.

But if @jeremygould's NPS is deploying Certs to members of "Domain Computers", then the mac clients will get the same Certs as the windows clients.

To change, both the Windows & Mac Certs would need to be scoped to separate AD groups, which only contain the relevant computers.

colonelpanic · ‎02-17-2014

You are correct. That is the way I have everything set up. That part of the decision was out of my control, I just was able to make do with what I had by using adtool.

bentoms · ‎02-17-2014

@colonelpanic, don't we all!

Bookmarked the tool as could come in handy. Thanks!

jeremygould · ‎02-17-2014

@colonelpanic, very cool...this is what I was looking for. Thanks so much!

colonelpanic · ‎02-18-2014

You're welcome! It took me a longer than I'm willing to admit to find that tool and crete a working solution, so I'm happy to help you get there quicker.

luke_j_nelson · ‎02-18-2014

I was looking into this just last week. OS X has a command built in that I use... ldapmodify... here's the syntax that I use:

ldapmodify -H ldap://xxx.xxx.com -f /Users/Shared/[filename.ldif] -D username -w password -x -c -v

For this, it reads from the ldif file for instructions, so I have this at the beginning of the script:

echo dn: CN=[security_group],OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx > /Users/Shared/[filename.ldif]
echo changetype: modify >> /Users/Shared/[filename.ldif]
echo add: member >> /Users/Shared/[filename.ldif]
echo member: CN=[computername],OU=xxx,OU=xxx,DC=xxx,DC=xxxl,DC=xxx,DC=com >> /Users/Shared/[filename.ldif]

I fill the username, password, and computername with Applescript dialogs.

CasperSally · ‎04-14-2015

@colonelpanic thanks for posting this - was looking for something that did this exactly today.

Only thing I can't figure out is how to get it working if the account with permissions to add the group membership resides in an OU with spaces in name. Anyone have ideas on that? If I put the user account in CN=USERS, or OU=TEST it works, but on OU=TEST GROUP the script errors out.

sanaumann · ‎01-21-2016

FWIW, we have a script that runs against AD every 30 minutes. It adds a specific security group to any machine that has attributes "Mac OS X" in Operating System Version . . . this security group gives that machine permissions to the Mac cert template which it then can request from the CA.

Jamf Nation Community

Active Directory - Add computer name to security group after AD bind