Comments on: Add a user to the admin group via command line 2.0 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/ Trials and Tribulations of an OS X Administrator Thu, 24 Dec 2009 15:11:20 +0000 http://wordpress.com/ hourly 1 By: GregN http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2696 GregN Sun, 29 Apr 2007 01:23:32 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2696 We don't use Open Directory - just the RFC2307 "Unix" schema on a third-party LDAP server, which is also used to authenticate Linux clients and for most other authentication needs - so we just have the simple POSIX-style groups, not the OD extended-style groups. -Greg We don’t use Open Directory – just the RFC2307 “Unix” schema on a third-party LDAP server, which is also used to authenticate Linux clients and for most other authentication needs – so we just have the simple POSIX-style groups, not the OD extended-style groups.

-Greg

]]> By: JLG http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2521 JLG Mon, 23 Apr 2007 06:48:12 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2521 I should also verify drewbono's statement that removing a user from a group requires the reverse of both steps--remove the username from the group's GroupMembership attribute, and remove the user's GeneratedUID from the group's GroupMembers attribute. On the managed client issue--the client's authorization is determined at login time, so if you change the authorization, you'll probably have to reboot the clients in order for it to take effect. I should also verify drewbono’s statement that removing a user from a group requires the reverse of both steps–remove the username from the group’s GroupMembership attribute, and remove the user’s GeneratedUID from the group’s GroupMembers attribute.

On the managed client issue–the client’s authorization is determined at login time, so if you change the authorization, you’ll probably have to reboot the clients in order for it to take effect.

]]> By: JLG http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2520 JLG Mon, 23 Apr 2007 06:44:29 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-2520 You're missing one thing: the "new" Open Directory group format, which uses GeneratedUID instead of (or in addition to) the username. So, in order to add a user to a group, you need to add the username to the GroupMembership attribute, and add the user's GeneratedUID to the group's GroupMembers attribute. dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembership fred dscl /LDAPv3/127.0.0.1 read /Users/fred GeneratedUID dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembers [fred's GeneratedUID] You’re missing one thing: the “new” Open Directory group format, which uses GeneratedUID instead of (or in addition to) the username. So, in order to add a user to a group, you need to add the username to the GroupMembership attribute, and add the user’s GeneratedUID to the group’s GroupMembers attribute.

dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembership fred
dscl /LDAPv3/127.0.0.1 read /Users/fred GeneratedUID
dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembers [fred's GeneratedUID]

]]> By: drewbono http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-1631 drewbono Fri, 02 Feb 2007 01:19:12 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-1631 Unfortunately, using the delete command didn't work for me in the OD in OS X Server. It did delete the user from the GroupMembership attribute, but apparently OSX Server doesn't use that for much because the user still showed the deleted group in its group list and the group still listed the user. The problem lies within the GroupMembers attribute. In addition to deleting the user from the GroupMembership attrib, one must also delete it from the GroupMembers attribute. The user's GeneratedUID is stored there, so there's an additional step necessary when scripting. So, for example, to remove the user greg from the group freakinsmartadmins: dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers F370CB6D-8E38-4B42-9769-00EB876B755B (that's all supposed to be on one line and this is the GeneratedUID given from the first command) I haven't tested this but in script form it should be something like this: guid=`dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID | cut -d ' ' -f2` dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers $guid I have the additional problem of the directory having to be dirtied somehow before the managed clients see that they're no longer a part of the group. Anyone know a command to "dirty" the MCX Prefs on the server? Unfortunately, using the delete command didn’t work for me in the OD in OS X Server. It did delete the user from the GroupMembership attribute, but apparently OSX Server doesn’t use that for much because the user still showed the deleted group in its group list and the group still listed the user.

The problem lies within the GroupMembers attribute. In addition to deleting the user from the GroupMembership attrib, one must also delete it from the GroupMembers attribute. The user’s GeneratedUID is stored there, so there’s an additional step necessary when scripting. So, for example, to remove the user greg from the group freakinsmartadmins:

dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID
dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers F370CB6D-8E38-4B42-9769-00EB876B755B (that’s all supposed to be on one line and this is the GeneratedUID given from the first command)

I haven’t tested this but in script form it should be something like this:
guid=`dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID | cut -d ‘ ‘ -f2`
dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers $guid

I have the additional problem of the directory having to be dirtied somehow before the managed clients see that they’re no longer a part of the group. Anyone know a command to “dirty” the MCX Prefs on the server?

]]> By: Axel http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-795 Axel Sun, 10 Dec 2006 23:11:35 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-795 wait. /me dumb. I take that last comment back... wait. /me dumb. I take that last comment back…

]]> By: Axel http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-794 Axel Sun, 10 Dec 2006 23:10:39 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-794 <code>dscl .</code> does not work for me. I have to use <code>dscl localhost</code> instead. dscl . does not work for me. I have to use dscl localhost instead.

]]> By: David M. O'Rourke http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-624 David M. O'Rourke Fri, 17 Nov 2006 23:30:19 +0000 http://managingosx.wordpress.com/2006/09/15/add-a-user-to-the-admin-group-via-command-line-20/#comment-624 pleases upgrade to using dseditgroup - it will allow you add users to group records without having to have internal knowledge of the group schema. man dseditgroup for more informaiton. pleases upgrade to using dseditgroup – it will allow you add users to group records without having to have internal knowledge of the group schema.

man dseditgroup for more informaiton.

]]>