Posted on 07-17-2017 10:35 AM
I have it working except for one line.
When I add groups to Allowed Admin groups in the script, I try to list 3 groups as admingroups="domain admins, enterprise admins, tier2-support" as the variable and use /usr/sbin/dsconfigad -groups $admingroups as the command. It doesn't seem to like the space in the group name because it ends up adding just "domain" in the Admin groups. Do I need another set of parentheses or brackets?
Also I was comparing results with computers that were bound during imaging by running dsconfigad -show on various computers. I noticed on existing computers that are already bound to AD, some computers have Packet signing and Packet encryption as "allow" and some have it as "disable." Now I'm not sure which option to use in my script. I'm not exactly sure what these settings do.
Thanks
Posted on 07-17-2017 11:56 AM
Try using double quotes when calling the variable, i.e. /usr/sbin/dsconfigad -groups "$admingroups"
Regarding packet signing and encryption, I would make sure you set it one way or the other across all devices so you don't end up troubleshooting sporadic issues later on. Both settings are for increased security: signing validates the authenticity of each packet as it's sent to and from the server, the other encrypts. A bit like SSL. It will work fine either way, one is just more secure.
Hope this helps :)
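Added example, not part of any post in this thread: a shell sketch of why the unquoted variable leaves only "domain" in the admin groups, followed by a post-bind check of the values that dsconfigad -show reports. The helpers groups_value, show_field and check_binding are hypothetical, the assumption that -groups consumes only the next argument is inferred from the result described above, and the sample -show text is constructed.

```shell
#!/bin/sh
# Added example. groups_value is a hypothetical stand-in for the command's
# option parsing (assumption: -groups consumes only the next argument).
groups_value() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-groups" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# Print the value of one "Label = value" line from `dsconfigad -show` text
# on stdin (label match is case-insensitive, padding ignored).
show_field() {
    awk -F' *= *' -v want="$1" '
        { key = $1; sub(/^ +/, "", key) }
        tolower(key) == tolower(want) { print $2 }'
}

# Compare -show text ($1) with the intended admin groups ($2) and the one
# packet signing/encryption value chosen for the whole fleet ($3).
check_binding() {
    rc=0
    want=$(printf '%s\n' "$2" | sed 's/ *, */,/g')
    got=$(printf '%s\n' "$1" | show_field "Allowed admin groups" | sed 's/ *, */,/g')
    [ "$got" = "$want" ] || { echo "admin groups: got '$got', want '$want'"; rc=1; }
    for field in "Packet signing" "Packet encryption"; do
        got=$(printf '%s\n' "$1" | show_field "$field")
        [ "$got" = "$3" ] || { echo "$field: got '$got', want '$3'"; rc=1; }
    done
    return $rc
}

admingroups="domain admins, enterprise admins, tier2-support"

# Constructed sample text, not captured from a real machine.
sample_show='  Allowed admin groups           = domain
  Packet signing                 = allow
  Packet encryption              = disable'

# Unquoted, the shell splits the value on spaces before the command sees it.
echo "unquoted: $(groups_value -groups $admingroups)"
echo "quoted:   $(groups_value -groups "$admingroups")"
check_binding "$sample_show" "$admingroups" "allow" || echo "binding needs attention"
```

On a bound Mac the first argument to check_binding would be the output of dsconfigad -show, so a silently truncated admin group list or a machine with a different packet setting is caught at bind time.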
Posted on 07-17-2017 01:30 PM
@davidacland Thanks, that worked.
Posted on 07-17-2017 04:29 PM
The spaces in a variable have gotten the best of me several times. The double quotes like @davidacland mentioned usually do the trick but I've had to do the escape quotes as well sometimes (e.g. /usr/sbin/dsconfigad -groups ""$admingroups"") which will output the quotes around the variable. (e.g. /usr/sbin/dsconfigad -groups "domain admins")