Now that we’ve covered using dscl to create a group, let’s look at using dseditgroup to do the same thing. In the previous example we created a group called Local Admins, or ladmins for short. First let’s read that group’s information. To do so, run dseditgroup followed by the operation (verb), which can be read, create, delete, edit or checkmember. The -o is optional, so:
dseditgroup -o read ladmins
Or the following has the same output:
dseditgroup read ladmins
In the case of a namespace collision between two ladmins groups in two directory services, the one listed highest in the Search Policy would be displayed. The
dseditgroup create -n /Local/Default -r "Local Admins2" ladmins2
Now read the group you just created and you’ll notice that it has a GeneratedUID and a PrimaryGroupID even though one was not specified. Let’s say you wanted to manually assign the PrimaryGroupID so you could hide a group; you could do so with the -i parameter. Not that many want to, but you could also use the -g option to manually provide a GeneratedUID. Other parameters include -u and -P for placing the username and password into the command (i.e., if you’re creating groups in LDAP), -a if you want to use the group name as a parameter rather than just trail the command with it, and -n to define the Directory Domain node (i.e., /LDAPv3/MYDOMAIN vs. /Local/Default vs. /var/Hidden). If you want to add keywords or comments, use -k or -c respectively and encase the values in double quotes (").
I’m not in love with how you edit memberships, but here goes:
dseditgroup -o edit -n /Local/Default -a cedge -t user ladmins
dseditgroup -o edit -n /Local/Default -a staff -t group ladmins
The first command adds the user cedge to ladmins; the second puts a group called staff into the ladmins group (noted by the NestedGroups attribute).
To verify membership, use the checkmember verb (insert witty Beavis and Butthead remark here;). If you have su’d, the first command below is likely to report back that no, root has not been added to the group; otherwise it will look at your currently logged in account. The second command uses -m to check a named account:
dseditgroup -o checkmember ladmins
dseditgroup -o checkmember -m cedge ladmins
Now finally, since no one likes a messy Marvin, to delete our test group:
dseditgroup -o delete -n /Local/Default ladmins2
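The edit and checkmember steps above can be combined into an idempotent membership check. This is an added example, not code from the original post. The function names is_member, ensure_member and audit_members and the NODE variable are hypothetical, and it assumes that dseditgroup -o checkmember exits 0 when the account is a member and non-zero otherwise.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent group membership
# management built on the dseditgroup verbs shown above.
# Assumption: `dseditgroup -o checkmember` exits 0 for a member and
# non-zero for a non-member.

# Directory node to edit; /Local/Default is the node used on this page.
NODE="${NODE:-/Local/Default}"

# is_member USER GROUP: succeeds when USER is a member of GROUP.
is_member() {
    dseditgroup -o checkmember -m "$1" "$2" >/dev/null 2>&1
}

# ensure_member USER GROUP: add USER only when missing, then re-check.
# Prints "present", "added" or "failed"; returns non-zero on failure.
ensure_member() {
    user=$1
    group=$2
    if is_member "$user" "$group"; then
        echo "present"
        return 0
    fi
    if dseditgroup -o edit -n "$NODE" -a "$user" -t user "$group" \
            >/dev/null 2>&1 && is_member "$user" "$group"; then
        echo "added"
        return 0
    fi
    echo "failed"
    return 1
}

# audit_members GROUP USER...: print, one per line, the listed accounts
# that are currently members, for comparison against an approved list.
audit_members() {
    group=$1
    shift
    for u in "$@"; do
        if is_member "$u" "$group"; then
            echo "$u"
        fi
    done
}
```

On a Mac, editing a group requires administrator rights, so run ensure_member with sudo or supply credentials with -u and -P as described above.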