Reading Cached AD Groups Off Network

tkimpton
Valued Contributor II

Hi all

I have always had problems getting remote cached managed mobile account users' Active Directory group membership reported back to the JSS.

If your users hardly ever connect to the corporate network it can be a nightmare. Ideally an ldapsearch command to an LDAP server on the DMZ is preferable, but this is useful if you either don't have one or can't get it working.

When querying the groups the output will show in hexadecimal and is not human-readable,

e.g. dscl . read /Users/yourusername cached_groups

With help from Apple I have managed to come up with this script, which converts the hexadecimal to readable form and outputs it into the Library folder in the user's home directory.

You can then use an extension attribute to get the data from the file.

Here is what it looks like

[example image]

Here is the script; you will need to customize it for your domain.

Hope this helps people out.

```bash
#!/bin/bash

# This gets the logged-in user's cached AD groups. It uses Apple's built-in AD plugin
# data and is best run from a policy once a week.

# The purpose of this is to read mobile cached account groups off network and report
# them back to the JSS with an extension attribute that reads the output file.

### ENVIRONMENT VARIABLES ###

# Get the currently logged in user #
ConsoleUser=$(stat -f %Su /dev/console)

# For a mobile (cached) account the fifth ';'-separated field of
# OriginalAuthenticationAuthority is the AD domain
query=$(dscl . read "/Users/${ConsoleUser}" OriginalAuthenticationAuthority | cut -d ';' -f 5)

# Domain
# where XXX is your domain
Domain=XXX

### DO NOT MODIFY BELOW THIS LINE ###

OutFile="/Users/${ConsoleUser}/Library/ADgroups.txt"

# Nothing to do when no user is at the console (loginwindow owns /dev/console as root)
if [[ -z "$ConsoleUser" || "$ConsoleUser" == "root" ]]; then
    exit 0
fi

# check it is a cached mobile account
if [[ "$query" == "$Domain" ]]; then

    # Remove the previous file if it exists
    rm -f "$OutFile"

    # get hex groups (drop the "cached_groups:" header line, one hex blob per line remains)
    dscl . read "/Users/${ConsoleUser}" cached_groups | sed '1d' > /tmp/hexgroups.txt

    # Make the staging directory
    if [ ! -d /tmp/staging ]; then
        mkdir -p /tmp/staging
        chflags hidden /tmp/staging
    fi

    # Decode each hex line back into a plist, one file per group
    i=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        i=$((i + 1))
        printf '%s' "$line" | xxd -r -p > "/tmp/staging/staginggroup${i}.plist"
    done < /tmp/hexgroups.txt

    # Remove any zero-length files
    find /tmp/staging -type f -size 0 -delete

    # Pull the RealName of each group; tr strips the brackets, quotes, commas and
    # spaces that `defaults read` wraps around the array value
    for f in /tmp/staging/*.plist; do
        [ -e "$f" ] || continue
        defaults read "$f" dsAttrTypeStandard:RealName | tr -d '(,),"," "' | tail -n2 | head -n1 >> "$OutFile"
    done

    # Clean up
    rm -rf /tmp/staging
    rm -f /tmp/hexgroups.txt

fi
```
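The decoding step the post describes (hex blob per line from dscl, each one a plist whose dsAttrTypeStandard:RealName is the group name), as an added example that is not the poster's script and does not depend on dscl, xxd or defaults, so it can be exercised off a Mac. It assumes the cached group record is an XML plist (the sample below is constructed); a binary plist would need plutil -convert xml1 on macOS first, and hex_to_bytes, realname_from_plist and cached_group_names are names chosen here, not anything on the page.

```shell
#!/bin/sh
# Added example (not the original poster's script): decode the hex-encoded group
# plists that `dscl . read /Users/<name> cached_groups` prints and extract each
# group's RealName using only sh, tr, sed and awk, so it runs anywhere.
# Assumption: the cached record is an XML plist (the sample below is constructed).

# Turn one line of hex (whitespace tolerated) back into raw bytes. The format
# string handed to printf is built only from \ooo octal escapes, so no byte in
# the payload can be misread as a printf directive.
hex_to_bytes() {
    fmt=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f' | sed 's/../& /g' |
          awk 'BEGIN { h = "0123456789abcdef" }
               { for (i = 1; i <= NF; i++) {
                     v = (index(h, substr($i, 1, 1)) - 1) * 16 + index(h, substr($i, 2, 1)) - 1
                     printf "\\%03o", v } }')
    printf "$fmt"
}

# Print the first <string> under the dsAttrTypeStandard:RealName key of a plist
# read on stdin; this is the value the poster's script writes to ADgroups.txt.
realname_from_plist() {
    awk '/<key>dsAttrTypeStandard:RealName<\/key>/ { want = 1; next }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

# Take the full dscl output (header line plus one hex line per group) in $1 and
# print one group name per line, skipping the header and blank lines.
cached_group_names() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            cached_groups:*|'') continue ;;
        esac
        hex_to_bytes "$line" | realname_from_plist
    done
}

# Constructed sample: two minimal group plists, hex-encoded the way dscl shows
# them (one indented hex blob per line under the attribute name).
make_group_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    printf '<key>dsAttrTypeStandard:RealName</key>\n<array>\n<string>%s</string>\n</array>\n' "$1"
    printf '<key>dsAttrTypeStandard:RecordName</key>\n<array>\n<string>%s</string>\n</array>\n' "$2"
    printf '</dict>\n</plist>\n'
}
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

SAMPLE_DSCL_OUTPUT="cached_groups:
 $(make_group_plist 'Domain Users' 'domain users' | to_hex)
 $(make_group_plist 'Mac Admins' 'mac admins' | to_hex)"

cached_group_names "$SAMPLE_DSCL_OUTPUT"
```

Because the name is taken from the plist text rather than from `defaults read` output, spaces inside group names survive ("Domain Users" stays as is), which the tr pipeline in the poster's script removes; keep that in mind if an extension attribute already expects the squashed form.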