List all members of a local group

Jason
Contributor II

Does anyone have a script that iterates through all members of a local group?

I currently have this:

#!/bin/bash

result=$(dscl . -read /Groups/com.apple.access_ssh | grep GroupMembership | cut -d ':' -f 2 | sed -e 's/^[[:space:]]*//')

echo "<result>$result</result>"

But, some members are AD and referenced with a GeneratedUID and do not show up in my results. If I run the below command I'll find them, but then would also need to run a similar command to find AD groups that are nested in the local group. So I'm trying to iterate through everything and get a true full membership as the result.

dscl "/Active Directory/<DOMAIN>/All Domains" -search /Users GeneratedUID <GUID>

mm2270
Legendary Contributor III

You may have better luck getting the details you want with:

dseditgroup -o read com.apple.access_ssh

That should list a lot of information about the group, including group membership, RealName, RecordName, GeneratedUID, etc. It still may only show you the GUIDs for any nested groups, if there are any, and not the details on those groups. I'm not sure if that's specifically what the issue is in your case, or if it's more related to user accounts.

Jason
Contributor II

Hi @mm2270. When I run that I do see GeneratedUIDs as the members:

dsAttrTypeStandard:NestedGroups -
        ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050
        A06D9608-01A4-4F94-A5FD-F0C168A75726
dsAttrTypeStandard:GroupMembers -
        33F89AC1-5EE3-4C65-B5A5-C71F6AE41742
        492DB218-342E-4269-95EE-9F21F7C3EB82

What I'm looking for is a script that pulls the GroupMembers, NestedGroups, etc. and then converts them to a human-readable output. Not just for local users/groups, but for AD users/groups that may be in there. I've seen one like that in the past, but didn't bookmark it and no amount of googling is helping me find it again.

davidacland
Honored Contributor II

I haven't got a script to hand but I think it's something like dscl . -read /Groups/com.apple.access_ssh GroupMembership

Jason
Contributor II

@davidacland That's weird...on one of my systems it works, but another says "No such key: GroupMembership"

davidacland
Honored Contributor II

That might be one of these reasons:

  • One of the Macs doesn't have any users in that group
  • It's a different version of OS X and the attribute name changed

Would either of these apply?

mm2270
Legendary Contributor III

But dscl . -read /Groups/com.apple.access_ssh GroupMembership isn't going to list the NestedGroup membership information. It will show user accounts in that group, but not any nested groups, as far as I can tell.

I don't have the com.apple.access_ssh group on my Mac, but if I substitute it with the local "admin" group, it will show all accounts (AD + local) that are part of the group, but I happen to know there is a nested AD group that is mapped to the local admin group that it does not list. Even if it did, it would probably only list the GeneratedUID and not a human readable name.
Unfortunately, getting an accurate picture of group membership on OS X can be tricky. It's a little bit of a mess because of inheritance, nested groups from directory services, system-generated membership and so on.

mm2270
Legendary Contributor III

OK, it just occurred to me that some of the posts here already provided the answer, but they need to be paired together. Try the following script. I can't test it too effectively, so I'm not sure how well it will work, but I tested it against our local admin group and it returned member names as well as the AD nested group name(s).

#!/bin/bash

groupname="admin"

## Get group member names if present, send to array
## (dscl prints "GroupMembership: a b c"; split on spaces and drop the attribute name)
groupMembers+=($(dscl . read /Groups/"$groupname" GroupMembership 2>/dev/null | tr ' ' '\n' | sed '1d'))

## Get the NestedGroups value if present, send to array
nestedGroupMembers+=($(dscl . read /Groups/"$groupname" NestedGroups 2>/dev/null | tr ' ' '\n' | sed '1d'))

## If nestedGroupMembers array is not empty, read each item,
## check to see if it's a local group or domain group and get membership info
## Add anything found into the original groupMembers array
if [[ "${nestedGroupMembers[@]}" != "" ]]; then
    while read -r GUID; do
        if [[ "$GUID" == "ABCDEF"* ]]; then
            ## Built-in local groups have GUIDs starting with ABCDEF...; resolve the name from the local node.
            ## The search output starts "name<TAB><TAB>GeneratedUID = (", so the first tab-separated field is the record name.
            nestedGroupName=$(dscl . search /Groups GeneratedUID "$GUID" | tr '\t' '\n' | head -1)
            groupMembers+=("$nestedGroupName")
        else
            ## Anything else is treated as a domain group and resolved against AD
            nestedGroupName=$(dscl "/Active Directory/DOMAIN/All Domains" search /Groups GeneratedUID "$GUID" | tr '\t' '\n' | head -1)
            groupMembers+=("$nestedGroupName")
        fi
    done < <(printf '%s\n' "${nestedGroupMembers[@]}")
fi

echo "<result>$(printf '%s\n' "${groupMembers[@]}")</result>"

Change the group name up top to com.apple.access_ssh or whatever you want to pull info for, and also the "DOMAIN" in the 3rd dscl command searching against AD. Of course, this will only work if the Mac it runs on is joined to AD and is in range of your DCs. You can't use dscl -search against the local domain to read back a domain-based nested group's details, so searching AD seems to be the only way.
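The same pairing of a group read with a GeneratedUID search, written as an added example for this thread (it is not mm2270's or Jason's script): it expands a local group's direct members and its nested groups into one list of names, following nested local groups recursively and listing nested AD groups by name. It keeps the thread's assumption that built-in local groups have GeneratedUIDs starting with ABCDEFAB-CDEF-ABCD-EFAB-CDEF, uses DOMAIN as a placeholder for your AD node, and the sample_read/sample_search records are constructed stand-ins for dscl output so the parsing can be exercised on a machine without dscl (on a Mac the real dscl is used unless DS_USE_SAMPLE=1 is set).

```bash
#!/bin/bash
# Added example for this thread (not any poster's script): expand a local group's direct
# members and nested groups (local or Active Directory) into one list of names.
# Every record in the sample_* stubs is CONSTRUCTED text so the parsing can run on a machine
# without dscl; on a Mac the real dscl is used unless DS_USE_SAMPLE=1 is set.

AD_DOMAIN="${AD_DOMAIN:-DOMAIN}"                    # placeholder: your AD node name, as in the thread
LOCAL_GUID_PREFIX="ABCDEFAB-CDEF-ABCD-EFAB-CDEF"    # prefix of built-in local group GUIDs (thread's heuristic)
DS_USE_SAMPLE="${DS_USE_SAMPLE:-0}"

have_dscl() {
  [ "$DS_USE_SAMPLE" = 1 ] && return 1
  command -v dscl >/dev/null 2>&1
}

# Raw `dscl . -read /Groups/<group> <attribute>` output (or the constructed sample).
ds_read() {
  if have_dscl; then dscl . -read "/Groups/$1" "$2" 2>/dev/null; else sample_read "$1" "$2"; fi
}

# Raw `dscl <node> -search /Groups GeneratedUID <GUID>` output (or the constructed sample).
ds_search() {
  if have_dscl; then dscl "$1" -search /Groups GeneratedUID "$2" 2>/dev/null; else sample_search "$1" "$2"; fi
}

# Constructed sample: com.apple.access_ssh holds user alice, the local admin group and one
# AD group; admin holds root, bob and a GUID that resolves nowhere.
sample_read() {
  case "$1:$2" in
    com.apple.access_ssh:GroupMembership) printf 'GroupMembership: alice\n' ;;
    com.apple.access_ssh:NestedGroups)
      printf 'NestedGroups: %s00000050 11111111-2222-3333-4444-555555555555\n' "$LOCAL_GUID_PREFIX" ;;
    admin:GroupMembership) printf 'GroupMembership: root bob\n' ;;
    admin:NestedGroups)    printf 'NestedGroups:\n 00000000-0000-0000-0000-000000000000\n' ;;  # one-value-per-line layout
  esac
}
sample_search() {
  case "$1|$2" in
    ".|${LOCAL_GUID_PREFIX}00000050")
      printf 'admin\t\tGeneratedUID = (\n    "%s00000050"\n)\n' "$LOCAL_GUID_PREFIX" ;;
    "/Active Directory/$AD_DOMAIN/All Domains|11111111-2222-3333-4444-555555555555")
      printf 'DOMAIN\\mac-admins\t\tGeneratedUID = (\n    "11111111-2222-3333-4444-555555555555"\n)\n' ;;
  esac
}

# Turn "Attr: v1 v2" or "Attr:\n v1\n v2" (both layouts dscl can emit) into one value per line.
parse_values() {
  sed -e '1s/^[^:]*: *//' | tr -s ' \t' '\n' | sed -e '/^$/d'
}

# Record name for a GUID on the given node: first tab-separated field of the first
# "name<TAB><TAB>GeneratedUID = (" line. Empty if nothing matched.
guid_to_name() {
  ds_search "$1" "$2" | head -n 1 | cut -f1
}

# Print the full membership of a local group, one name per line. Local nested groups are
# expanded recursively (the visited list guards against cycles); AD nested groups are listed
# by name, since expanding them would need reads against the AD node. Unresolved GUIDs are
# printed as-is so an entry never silently disappears from a membership audit.
resolve_group() {
  local group="$1" visited="$2" guid name
  case "$visited" in *":$group:"*) return 0 ;; esac
  visited="$visited$group:"
  ds_read "$group" GroupMembership | parse_values
  ds_read "$group" NestedGroups | parse_values | while read -r guid; do
    case "$guid" in
      "$LOCAL_GUID_PREFIX"*)
        name=$(guid_to_name "." "$guid")
        if [ -n "$name" ]; then resolve_group "$name" "$visited"; else printf '%s\n' "$guid"; fi ;;
      *)
        name=$(guid_to_name "/Active Directory/$AD_DOMAIN/All Domains" "$guid")
        printf '%s\n' "${name:-$guid}" ;;
    esac
  done
  return 0
}

resolve_group "${1:-com.apple.access_ssh}" ":"
```

Run it as `bash resolve_group.sh com.apple.access_ssh` on a Mac that is joined to AD and can reach a DC; with the constructed sample it prints alice, root, bob, the unresolved GUID and DOMAIN\mac-admins. Leaving unresolved GUIDs in the output, rather than dropping them, is deliberate: a blank where a nested group should be is exactly the kind of gap that makes a group-membership review miss an access path.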