UPDATE: this post has been superseded by this one: Version 3.0
Here’s the way to add a user to the admin group using dscl, which is recommended going forward, replacing niutil:
Adding a user:
dscl . append /Groups/admin GroupMembership gneagle
Removing a user:
dscl . delete /Groups/admin GroupMembership gneagle
Reading the membership of the admin group:
dscl . read /Groups/admin GroupMembership
Presumably this will work OK with Leopard. We’ll see…
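An added example, not code from the original post: a POSIX shell wrapper around the three commands above. It checks membership before calling append or delete, because dscl append will add the same name a second time if you run it twice, and it compares whole tokens so that gneagle is not mistaken for a member named gneagle2 (a plain grep on the attribute line would match either). The DSCL variable and the function names are assumptions of this example; the local node "." and the GroupMembership attribute are from the post.

```shell
#!/bin/sh
# Added example: idempotent add/remove for the local admin group via dscl.
# Assumes the local node ("dscl .") and that `dscl read` prints the
# attribute on one line as "GroupMembership: root gneagle ..." (the usual
# form for a short multi-valued attribute).
DSCL="${DSCL:-dscl}"          # hypothetical override for the dscl binary
GROUP_PATH="/Groups/admin"

# membership_has NAME LINE: exit 0 if NAME appears as a whole token in a
# "GroupMembership: ..." line. Whole-token comparison matters: a substring
# match would treat "gneagle" as a member when only "gneagle2" is listed.
membership_has() {
    name="$1"
    line="$2"
    members=$(printf '%s\n' "$line" | sed 's/^GroupMembership: *//')
    for m in $members; do
        [ "$m" = "$name" ] && return 0
    done
    return 1
}

# read_membership: current GroupMembership line of the admin group
read_membership() {
    "$DSCL" . read "$GROUP_PATH" GroupMembership 2>/dev/null
}

# add_admin NAME: append only if NAME is not already listed; refuse to act
# when the group record cannot be read at all.
add_admin() {
    line=$(read_membership) || { echo "cannot read $GROUP_PATH" >&2; return 1; }
    if membership_has "$1" "$line"; then
        echo "$1 is already in $GROUP_PATH" >&2
        return 0
    fi
    "$DSCL" . append "$GROUP_PATH" GroupMembership "$1"
}

# remove_admin NAME: delete only the exact name, and only if it is present
remove_admin() {
    line=$(read_membership) || { echo "cannot read $GROUP_PATH" >&2; return 1; }
    if ! membership_has "$1" "$line"; then
        echo "$1 is not in $GROUP_PATH" >&2
        return 0
    fi
    "$DSCL" . delete "$GROUP_PATH" GroupMembership "$1"
}

# With no arguments the script only defines the functions.
case "${1:-}" in
    add)    add_admin "$2" ;;
    remove) remove_admin "$2" ;;
    list)   read_membership ;;
esac
```

Run it as sh admin_group.sh add gneagle, remove gneagle, or list. The read-before-write check is cheap and means the script can be re-run from a management tool without piling up duplicate entries in the group record.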
Please upgrade to using dseditgroup – it will allow you to add users to group records without having to have internal knowledge of the group schema.
man dseditgroup for more information.
dscl . does not work for me. I have to use dscl localhost instead.
wait. /me dumb. I take that last comment back…
Unfortunately, using the delete command didn’t work for me in the OD in OS X Server. It did delete the user from the GroupMembership attribute, but apparently OSX Server doesn’t use that for much because the user still showed the deleted group in its group list and the group still listed the user.
The problem lies within the GroupMembers attribute. In addition to deleting the user from the GroupMembership attrib, one must also delete it from the GroupMembers attribute. The user’s GeneratedUID is stored there, so there’s an additional step necessary when scripting. So, for example, to remove the user greg from the group freakinsmartadmins:
dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID
dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers F370CB6D-8E38-4B42-9769-00EB876B755B (that’s all supposed to be on one line and this is the GeneratedUID given from the first command)
I haven’t tested this but in script form it should be something like this:
guid=`dscl /LDAPv3/127.0.0.1 read /Users/greg GeneratedUID | cut -d ' ' -f2`
dscl /LDAPv3/127.0.0.1 delete /Groups/freakinsmartadmins GroupMembers $guid
I have the additional problem of the directory having to be dirtied somehow before the managed clients see that they’re no longer a part of the group. Anyone know a command to “dirty” the MCX Prefs on the server?
You’re missing one thing: the “new” Open Directory group format, which uses GeneratedUID instead of (or in addition to) the username. So, in order to add a user to a group, you need to add the username to the GroupMembership attribute, and add the user’s GeneratedUID to the group’s GroupMembers attribute.
dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembership fred
dscl /LDAPv3/127.0.0.1 read /Users/fred GeneratedUID
dscl /LDAPv3/127.0.0.1 append /Groups/Users GroupMembers [fred’s GeneratedUID]
I should also verify drewbono’s statement that removing a user from a group requires the reverse of both steps–remove the username from the group’s GroupMembership attribute, and remove the user’s GeneratedUID from the group’s GroupMembers attribute.
On the managed client issue–the client’s authorization is determined at login time, so if you change the authorization, you’ll probably have to reboot the clients in order for it to take effect.
We don’t use Open Directory – just the RFC2307 “Unix” schema on a third-party LDAP server, which is also used to authenticate Linux clients and for most other authentication needs – so we just have the simple POSIX-style groups, not the OD extended-style groups.
-Greg
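An added example, not code from either of the comments above, that scripts both halves of an Open Directory group change: the short name in GroupMembership and the GeneratedUID in GroupMembers, for add and for remove. The node /LDAPv3/127.0.0.1, the attribute names and the sample GeneratedUID are taken from the comments; DSCL, OD_NODE and the function names are assumptions of this example. What it adds to the cut -d ' ' -f2 one-liner is a check that the value really is a UUID before it reaches dscl delete: if the read fails and $guid is empty, dscl delete /Groups/x GroupMembers with no value removes the whole attribute, i.e. every member of the group.

```shell
#!/bin/sh
# Added example: add/remove a user in an Open Directory group, updating BOTH
# the GroupMembership (short name) and GroupMembers (GeneratedUID) attributes.
# Assumes the OD node "/LDAPv3/127.0.0.1" from the comments; DSCL and OD_NODE
# are hypothetical overrides.
DSCL="${DSCL:-dscl}"
NODE="${OD_NODE:-/LDAPv3/127.0.0.1}"

# extract_guid OUTPUT: pull the GeneratedUID value out of `dscl read` output
# and accept it only if it looks like a UUID. Failing with no output is
# deliberate: "dscl delete /Groups/x GroupMembers" with an EMPTY value
# deletes the whole attribute, i.e. every member of the group.
extract_guid() {
    guid=$(printf '%s\n' "$1" | sed -n 's/^GeneratedUID: *//p' | head -n 1)
    printf '%s' "$guid" | grep -Eiq \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || return 1
    printf '%s\n' "$guid"
}

# user_guid USER: read and validate the user's GeneratedUID from the node
user_guid() {
    extract_guid "$("$DSCL" "$NODE" read "/Users/$1" GeneratedUID 2>/dev/null)"
}

# od_group_add USER GROUP: both attributes, or nothing at all
od_group_add() {
    guid=$(user_guid "$1") || { echo "no valid GeneratedUID for $1; aborting" >&2; return 1; }
    "$DSCL" "$NODE" append "/Groups/$2" GroupMembership "$1" &&
    "$DSCL" "$NODE" append "/Groups/$2" GroupMembers "$guid"
}

# od_group_remove USER GROUP: the reverse of both steps
od_group_remove() {
    guid=$(user_guid "$1") || { echo "no valid GeneratedUID for $1; aborting" >&2; return 1; }
    "$DSCL" "$NODE" delete "/Groups/$2" GroupMembership "$1" &&
    "$DSCL" "$NODE" delete "/Groups/$2" GroupMembers "$guid"
}

# With no arguments the script only defines the functions.
case "${1:-}" in
    add)    od_group_add "$2" "$3" ;;
    remove) od_group_remove "$2" "$3" ;;
esac
```

Usage: sh od_group.sh remove greg freakinsmartadmins. Every dscl argument is quoted, so a name or GUID is passed as exactly one argument, and the script stops before touching the group record whenever the user lookup does not yield a well-formed GeneratedUID.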
Using dseditgroup is a good approach if you are adding a user to a group via the command line.
One great feature of dseditgroup is that it will check that the user actually exists in the directory prior to adding them to the group.
—–
Post protected by LBackup :
http://www.lbackup.org