Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

More Group Management with dseditgroup

Now that we’ve covered using dscl to create a group, let’s look at using dseditgroup to do the same thing. In the previous example we created a group called Local Admins or ladmins for short. First let’s read that group’s information. To do so, run dseditgroup followed by the operation, which can be read, create, delete, edit or checkmember as the operations (verbs). The -o is optional, so :

dseditgroup -o read ladmins

Or the following has the same output:

dseditgroup read ladmins

In the case of a namespace collision between two ladmins in two directory services then the one listed highest in the Search Policy would be displayed. The

dseditgroup create -n /Local/Default -r “Local Admins2” ladmins2

Now read the group you just created and you’ll notice that it has a GeneratedUID and a PrimaryGroupID even though one was not specified. Let’s say you wanted to manually assign the PrimaryGroupID so you could hide a group; you could do so with a -i parameter and not that many want to you could also use the -g option to manually provide a GeneratedUID. Other parameters include -u and -P for placing the username and password into the command (ie – if you’re creating groups in LDAP), -a if you want to use the group name as a parameter rather than just trail the command with it, -n to define the Directory Domain node (ie – /LDAPv3/MYDOMAIN vs. /Local/Default vs. /var/Hidden), if you wanted to place keywords or comments then use the -k or -c respectively and encase them in doublequotes (“).

I’m not in love with how you edit memberships, but here goes:

dseditgroup -o edit -n /Local/Default -a cedge -t user ladmins

In the above command we defined the node we were editing with the -n followed by the user we were adding to the group with the -a and then the -t for the type of object we’re adding into the group, which is listed last. The reason that you have to put the -t with user in there is because we could just as easily have said:
dseditgroup -o edit -n /Local/Default -a staff -t group ladmins

Which would have put a group called staff into the ladmins group (noted by the NestedGroups attribute).

To verify membership, use the checkmember verb (insert witty Beavis and Butthead remark here;). If su’d the following command is likely to report back with the fact that no, root has not been added to the group; otherwise it will look at your currently logged in account:

dseditgroup -o checkmember ladmins

But you can check and see whether my account is a member of your ladmins group with the -m parameter on the command:
dseditgroup -o checkmember -m cedge ladmins

Now finally, since no one likes a messy Marvin, to delete our test group:

dseditgroup -o delete -n /LDAPv3/ldap.company.com -u myusername -P
mypassword extragroup

dseditgroup -o delete -n /Local/Default ladmins2