Add a user to the admin group via command line 2.0

UPDATE: this post has been superseded by this one: Version 3.0

Here’s the way to add a user to the admin group using dscl, which is recommended going forward, replacing niutil:

Adding a user:
dscl . append /Groups/admin GroupMembership gneagle

Removing a user:
dscl . delete /Groups/admin GroupMembership gneagle

Reading the membership of the admin group:
dscl . read /Groups/admin GroupMembership

Presumably this will work OK with Leopard. We’ll see…
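An added example, not from the original post: a small POSIX shell script that audits the local admin group against an allow-list (a practical check after the commands above) and uses dseditgroup, as the comments suggest, for changes. The parsing helpers take dscl output on stdin, so they can be exercised on constructed output without a directory server; the live wrappers at the end require macOS and admin rights. The group and user names are hypothetical.

```shell
#!/bin/sh
# Added example (not the post's own code). Parsing helpers work on any
# dscl output fed via stdin; only the "live_" / add / remove wrappers
# actually call dscl or dseditgroup and therefore need macOS.

# Turn "dscl . read /Groups/admin GroupMembership" output into one member
# per line. dscl prints the attribute as "GroupMembership: a b c".
parse_membership() {
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Turn "dscl . read /Users/<name> GeneratedUID" output into the bare UUID
# (the value the comments say must also be removed from GroupMembers).
parse_generated_uid() {
    sed -n 's/^GeneratedUID: *//p'
}

# Print admin group members that are not in the allow-list given as args.
# Reads the dscl output from stdin so it can be tested on captured text.
unexpected_admins() {
    members=$(parse_membership)
    for m in $members; do
        allowed=0
        for a in "$@"; do
            [ "$m" = "$a" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && echo "$m"
    done
    return 0
}

# Live wrappers (macOS only).
live_admin_members() { dscl . read /Groups/admin GroupMembership | parse_membership; }
live_unexpected_admins() { dscl . read /Groups/admin GroupMembership | unexpected_admins "$@"; }
# dseditgroup verifies the user exists and maintains GroupMembership and
# GroupMembers (GeneratedUID) together, which plain dscl does not.
add_admin()    { sudo dseditgroup -o edit -a "$1" -t user admin; }
remove_admin() { sudo dseditgroup -o edit -d "$1" -t user admin; }
```

Run `live_unexpected_admins root gneagle` from a login or periodic script to list any account that was added to admin outside the expected set.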


9 thoughts on “Add a user to the admin group via command line 2.0”

  1. David M. O'Rourke says:

    please upgrade to using dseditgroup – it will allow you to add users to group records without having to have internal knowledge of the group schema.

    man dseditgroup for more information.

  2. drewbono says:

    Unfortunately, using the delete command didn’t work for me in the OD in OS X Server. It did delete the user from the GroupMembership attribute, but apparently OSX Server doesn’t use that for much because the user still showed the deleted group in its group list and the group still listed the user.

    The problem lies within the GroupMembers attribute. In addition to deleting the user from the GroupMembership attrib, one must also delete it from the GroupMembers attribute. The user’s GeneratedUID is stored there, so there’s an additional step necessary when scripting. So, for example, to remove the user greg from the group freakinsmartadmins:

    dscl /LDAPv3/ read /Users/greg GeneratedUID
    dscl /LDAPv3/ delete /Groups/freakinsmartadmins GroupMembers F370CB6D-8E38-4B42-9769-00EB876B755B (that’s all supposed to be on one line and this is the GeneratedUID given from the first command)

    I haven’t tested this but in script form it should be something like this:
    guid=`dscl /LDAPv3/ read /Users/greg GeneratedUID | cut -d ' ' -f2`
    dscl /LDAPv3/ delete /Groups/freakinsmartadmins GroupMembers $guid

    I have the additional problem of the directory having to be dirtied somehow before the managed clients see that they’re no longer a part of the group. Anyone know a command to “dirty” the MCX Prefs on the server?

  3. JLG says:

    You’re missing one thing: the “new” Open Directory group format, which uses GeneratedUID instead of (or in addition to) the username. So, in order to add a user to a group, you need to add the username to the GroupMembership attribute, and add the user’s GeneratedUID to the group’s GroupMembers attribute.

    dscl /LDAPv3/ append /Groups/Users GroupMembership fred
    dscl /LDAPv3/ read /Users/fred GeneratedUID
    dscl /LDAPv3/ append /Groups/Users GroupMembers [fred’s GeneratedUID]

  4. JLG says:

    I should also verify drewbono’s statement that removing a user from a group requires the reverse of both steps–remove the username from the group’s GroupMembership attribute, and remove the user’s GeneratedUID from the group’s GroupMembers attribute.

    On the managed client issue–the client’s authorization is determined at login time, so if you change the authorization, you’ll probably have to reboot the clients in order for it to take effect.

  5. We don’t use Open Directory – just the RFC2307 “Unix” schema on a third-party LDAP server, which is also used to authenticate Linux clients and for most other authentication needs – so we just have the simple POSIX-style groups, not the OD extended-style groups.


  6. Using dseditgroup is a good approach if you are adding a user to a group via the command line.

    One great feature of dseditgroup is that it will check that the user actually exists in the directory prior to adding them to the group.
