Bash/sh: Where does the group name go? (Active Directory/Mac)

nethers
Contributor

I'm working on a bash script designed to enable Macintosh (10.8) users that are given admin permissions from Active Directory to retain their Admin credentials when they're not authenticating to AD (i.e. took a work computer home and are working offline). By default you lose Admin permissions if you can't authenticate... theoretically this script should add users from specified AD groups and make them local admins.

I'm just running into one error near the end when it attempts to append the users from the groups: instead of doing so and exiting the script, it's stating "No group name provided" three times. I'm a bash novice, so here's to some assistance! I've changed our AD domain to mytfa.org to keep it similar but inconspicuous, as the word "example" when mirroring "example.com" was thoroughly confusing in the various connotations of this script.

#!/bin/bash
#
# Script to detect if a user is a member of the admin group. If not, and they are not a student, it will add them.
#
# say "script started"

# Check if user is already an admin
IsAdmin=$(dseditgroup -o checkmember -n . -u "$1" admin)
# say "Is Admin variable assigned"
# echo "$IsAdmin"
if [[ $IsAdmin == yes* ]]; then
    # echo "No further action needed"
    # say "user is an admin"
    exit
else
    # AD group checks: -n is the directory node, -o the operation, -u the user; $1 holds the username.
    # The node path and group names containing spaces must be quoted, otherwise dseditgroup
    # receives them as separate arguments.
    # say "All TFA check"
    ATmember=$(dseditgroup -n "/Active Directory/MYTFA/mytfa.org" -o checkmember -u "$1" "All TFA")
    # Tech Team check
    # say "Tech Team check"
    TTmember=$(dseditgroup -n "/Active Directory/MYTFA/mytfa.org" -o checkmember -u "$1" "Tech Team")
    # Administrators check
    # say "Administrators check"
    AAmember=$(dseditgroup -n "/Active Directory/MYTFA/mytfa.org" -o checkmember -u "$1" Administrators)

    # Adds to local admin if user is a member of All TFA, Tech Team, or Administrators
    if [[ $ATmember == yes* ]] || [[ $TTmember == yes* ]] || [[ $AAmember == yes* ]]; then
        # say "User is a member"
        # echo "User is a member of All TFA, Tech Team, or Administrators."
        sudo dscl . append /Groups/admin GroupMembership "$1"
    fi
fi

exit

Using 10.8.4 as root; also tried as the AD Admin account. Original source: http://pastebin.com/86hjq4Hi

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Don't use dscl -append to add a user into a group. dscl is not intelligent in how it handles this and can add multiple instances of a user account into the group. Believe me, I've seen it, and it can take multiple steps to clean it out properly later if you want to remove that user from the admin group. Apple recommends using dseditgroup to add users to any groups now over dscl. You're already using dseditgroup to check group membership so stick with it when adding users into the local admin group.

/usr/sbin/dseditgroup -o edit -a $username -t user admin

Secondly, I don't think you should be using $1 to store the username since Casper Suite already reserves this for its own parameters when it runs any shell scripts. This could be part of the errors you're seeing.
$1, $2 and $3 are reserved for mount point, computer name and username, respectively. The $3 (username) will only work with login/logout policies or with Self Service though, so don't use that unless you're sure that's the only time the script will be run.

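The approach in the accepted answer as one working script, added here as an example (it is not the poster's script or the answerer's code): dseditgroup does both the check and the add, so running it at login repeatedly never duplicates a GroupMembership entry. The AD node path and the AD group names are placeholders, and the username is assumed to arrive in $3 as Casper passes it to login/logout and Self Service scripts.

```shell
#!/bin/bash
# Added example, not the poster's script or the accepted answer's code: check and
# add with dseditgroup only, so repeated runs at login never duplicate an entry.
# Assumed: AD node path and group names are placeholders; $3 carries the username.

AD_NODE="/Active Directory/MYTFA/mytfa.org"   # assumed node; adjust to your bind

# dseditgroup -o checkmember prints "yes <user> is a member of <group>" or
# "no <user> is NOT a member of <group>". Succeed only on a leading "yes",
# so an empty or error result is treated as "not a member" (fail closed).
is_yes() {
    case "$1" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Use $3 when the policy supplies it, else the console user (macOS-only stat -f).
resolve_user() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        stat -f '%Su' /dev/console
    fi
}

# in_group <node> <user> <group>. Node and group names with spaces must be
# quoted; unquoted "All TFA" is what produced "No group name provided".
in_group() {
    is_yes "$(dseditgroup -n "$1" -o checkmember -u "$2" "$3" 2>/dev/null)"
}

main() {
    user=$(resolve_user "$3")
    if in_group . "$user" admin; then
        echo "$user is already a local admin"; return 0
    fi
    set -- "All TFA" "Tech Team" "Administrators"   # assumed AD admin groups
    for g in "$@"; do
        if in_group "$AD_NODE" "$user" "$g"; then
            # -o edit -a adds the account once; dscl append would add it again
            dseditgroup -o edit -a "$user" -t user admin && echo "$user added via $g"
            return $?
        fi
    done
    echo "$user is not in any admin AD group"
}

if command -v dseditgroup >/dev/null 2>&1; then main "$@"; fi   # only on a Mac
```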

11 REPLIES

Matt
Valued Contributor

I whipped this up a few years ago with some help on here.

#!/bin/bash

# Add Network Admin to Local Admin Group
# author: matt.lee@fox.com

# Declaring Variables

# $3 is the username Casper passes to login/logout and Self Service scripts
realname=$(dscl . read "/Users/$3" RealName | sed -e '$!d' -e 's/^[[:space:]]*//')
adgroupname="MACADMINS"
# One member per line, then exact-match the short name (grep -x stops "ed" matching "fred")
localgroup=$(dscl localhost read /Local/Default/Groups/admin GroupMembership | tr ' ' '\n' | grep -x -- "$3")
adgroup=$(dscl "/Active Directory/yourdomain" -read "/Groups/$adgroupname" member | grep -o "$realname")

# Stop if the account could not be read, otherwise an empty name would compare equal below
if [[ -z "$realname" ]]; then
    echo "$3 has no RealName record"
    exit 1
fi

# Checking AD Group Membership

# If User is in AD Admin Group but Not Local Admin
if [[ "$realname" == "$adgroup" && "$3" != "$localgroup" ]]; then
    dscl . append /Groups/admin GroupMembership "$3"
    echo "$3 successfully added"
    exit

# If User is in AD Admin Group and is a Local Admin
elif [[ "$realname" == "$adgroup" && "$3" == "$localgroup" ]]; then
    echo "$3 is already a Local Admin"
    exit

# If User is not in the AD Group
elif [[ "$realname" != "$adgroup" && "$3" == "$localgroup" ]]; then
    echo "$3 is a Local Admin Only"
    exit

elif [[ "$realname" != "$adgroup" ]]; then
    echo "$3 is not a Network Admin"
    exit
fi

wyip
Contributor

You could also use dseditgroup instead of dscl:

/usr/sbin/dseditgroup -o edit -a $user -t user admin

$user is the username of whoever you want to add to the local admin group

Matt
Valued Contributor

Interesting, the script I have been running has been pretty flawless and our Active Directory is a shambles! Maybe I should upgrade my script, since when I wrote it dscl was the advice I got.

mm2270
Legendary Contributor III

At one time everyone was told dscl was the way to do it, and I'm not saying it doesn't work anymore. And dscl is still very useful for a lot of things, especially reading back data from a directory structure. But as I said, I've seen cases of looking at the local admin group with dscl . read /Groups/admin and seeing 5 or 6 instances of the same user account in there because of dscl . -append operations. It doesn't check to see if the account is already in the group. It just blindly appends it in the way you told it to.
Apple started recommending dseditgroup about 2 or more years ago I believe, maybe even earlier.

Matt
Valued Contributor

Time to update! :D

nethers
Contributor

Will you post your update here? We're going to rebuild ours based on yours, but had also been considering what would happen if the script ran multiple times (ie: duplicates and any issues that would occur).

The following suggestion:

/usr/sbin/dseditgroup -o edit -a $username -t user admin

Will $username pull the current username, or can I use $3 in place of $username if run from Self Service?

nethers
Contributor

Running it at login with $3 in place of $username worked like a charm. Thank you for the assistance.

Will there be any issue with running this 'at login' 'ongoing'? If I'm reading this correctly dseditgroup is "more intelligent" and will not create duplicate records, yes?

mm2270
Legendary Contributor III

It shouldn't be a problem. Your script appears to already be checking if the account it grabbed at login is in the local admin group and exiting if it's already there, so you should be doubly safe with that and using dseditgroup :)

Matt
Valued Contributor

elif [[ "$realname" == "$adgroup" && "$3" == "$localgroup" ]]; then
    echo "$3 is already a Local Admin"
    exit

That's the output I tried to use as my safety net.