Takes AD admin users and puts them in the Power Users group to perform certain functions
#!/bin/bash | |
################################################################################# | |
# # | |
# Script performs the following:                                               #
# 1) Create the "powerusers" group & add every AD user (current AD admins too) #
# 2) Grant powerusers specific rights in /etc/authorization (OS X <= 10.8)     #
#    or in the authorization database (OS X >= 10.9)                           #
# 3) Enforce compliance: remove AD users from the local admin group            #
#    Accounts whose name starts with "aa" (AA accounts) are exempted           #
# Version 1.1, 2013-08-12 # | |
# Version 1.2, 2013-11-19 # | |
# Version 1.3, 2015-8-10 # | |
# Adds 10.9 Support # # | |
# David Hester && Tom Burgin && Jeremy Baker # | |
# # | |
################################################################################# | |
## Directory node of the bound domain, exactly as dscl reports it in each
## account's OriginalNodeName attribute. Only accounts whose node matches this
## string are treated as Active Directory users by the functions below.
domain='/Active Directory/DOMAIN/DOMAIN.COM'
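#######################################
# Collect the Active Directory accounts this script manages.
# Globals:   domain (read), ADUserArray (written, reset on every call)
# Outputs:   the collected record names, one per line, on stdout
# Returns:   0; a dscl failure for one account just skips that account
# Exempt accounts are never collected: record names starting with "_"
# (macOS service accounts) or "aa" (exempt admin accounts), and names
# containing "netboot". The old grep -v "aa" / grep -v "_" matched those
# strings anywhere in the name, so e.g. "isaac" or "svc_backup" were
# silently left out of every later group change; the prefixes are now
# anchored. Note "aa*" still exempts any user whose name starts with "aa".
#######################################
findADUsers(){
  ADUserArray=()
  local name node
  while IFS= read -r name; do
    case "$name" in
      ''|_*|aa*|*netboot*) continue ;;
    esac
    # dscl prints a value containing spaces on its own indented line,
    # hence the tail + leading-whitespace strip.
    node=$(dscl . -read "/Users/$name" OriginalNodeName 2>/dev/null | tail -1 | sed 's/^[ \t]*//')
    if [ "$node" = "$domain" ]; then
      ADUserArray+=("$name")
    fi
  done < <(dscl . list /Users)
  # Report every collected account (the old echo only printed the first one).
  if [ "${#ADUserArray[@]}" -gt 0 ]; then
    printf '%s\n' "${ADUserArray[@]}"
  fi
}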
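## Logging helper: we only care about recording the AD accounts that ARE local
## admins right now, because this run demotes them and there was no other way
## to know afterwards who had been an admin. The log is overwritten on every
## run, so after the first (demoting) run it will be empty - keep a copy of the
## first run's file if you need the audit trail.
#######################################
# Record which AD accounts are currently members of the local admin group.
# Globals:   domain (read), ADAdminArray (written, reset on every call),
#            POWERUSERS_LOG (read; optional override of the log path)
# Outputs:   nothing on stdout; the admin record names, space separated on
#            one line, are written to POWERUSERS_LOG
#            (default /private/var/log/powerusers.log). This file is what
#            AbMan reads as the information item return value.
# Returns:   0
# Fixes: the admin membership line was filtered with grep -v "aa", which
# drops the WHOLE "GroupMembership: ..." line as soon as any "aa" account is
# an admin, so nothing was ever logged in that case; membership was matched
# as a substring, so "bakerjr" counted as admin if "bakerjr2" was; and only
# the first array element was written to the log.
#######################################
findADAdminUsers(){
  ADAdminArray=()
  local logfile="${POWERUSERS_LOG:-/private/var/log/powerusers.log}"
  # Read the admin group membership once; dscl prints it as one
  # "GroupMembership: a b c" line. Newlines are flattened just in case.
  local membership admins=()
  membership=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null | tr '\n' ' ')
  membership=${membership#GroupMembership:}
  read -r -a admins <<<"$membership"
  local name node member
  while IFS= read -r name; do
    # Same exemptions as findADUsers: "_" and "aa" prefixes, "netboot" anywhere.
    case "$name" in
      ''|_*|aa*|*netboot*) continue ;;
    esac
    node=$(dscl . -read "/Users/$name" OriginalNodeName 2>/dev/null | tail -1 | sed 's/^[ \t]*//')
    [ "$node" = "$domain" ] || continue
    # Whole-token comparison so "bakerjr" never matches "aabakerjr" or "bakerjr2".
    for member in "${admins[@]}"; do
      if [ "$member" = "$name" ]; then
        ADAdminArray+=("$name")
        break
      fi
    done
  done < <(dscl . list /Users)
  echo "${ADAdminArray[*]}" > "$logfile"
}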
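#######################################
# Create the local "powerusers" group if it does not exist and nest the
# local admin group inside it, so admins keep every right granted below.
# Globals:   none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last dseditgroup call
# Fix: the old test `[ `...| grep powerusers` == "powerusers" ]` broke when
# grep printed nothing ("unary operator expected") or more than one line
# (e.g. "powerusers2" and "powerusers" -> "too many arguments"), and a
# substring match counted "powerusers2" as the group. Whole-line match now.
#######################################
createPowerUsersGroup(){
  if dscl . -list /Groups 2>/dev/null | grep -qx "powerusers"; then
    echo "[+] Power Users Group exist"
  else
    echo "[+] Creating Power Users Group"
    dseditgroup -o create -r "Power Users" powerusers
  fi
  # Nested group membership: members of admin are implicitly powerusers.
  dseditgroup -o edit -a admin -t group powerusers
}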
#######################################
# Add every collected AD account to the powerusers and _lpadmin groups.
# Globals:   ADUserArray (read; filled by findADUsers)
# Outputs:   one progress line per account on stdout
# Returns:   exit status of the last dseditgroup call
# Note: this grants the rights BEFORE removeADUsersFromAdmin takes admin
# away, so a run that dies in between leaves an account with both.
#######################################
addADUsersToPowerUsers(){
  local user
  for user in "${ADUserArray[@]}"; do
    echo "[$user] = Active Directory User. Moving to Power Users Group"
    dseditgroup -o edit -a "$user" -t users powerusers
    dseditgroup -o edit -a "$user" -t users _lpadmin
  done
}
## Run one PlistBuddy command against the legacy /etc/authorization file
## (OS X 10.8 and earlier). $1 = the PlistBuddy command string.
## Goes through sudo like the original even though the script already runs as root.
_etcAuthRule(){
  sudo "$PB" -c "$1" "/etc/authorization"
}

## Switch a right from "evaluate-mechanisms" to a plain "user" class that ANY
## member of 'everyone' satisfies, root allowed, no credential sharing.
## $1 = right name (system.restart / system.shutdown).
## Every key is 'add'ed and then 'set' so the edit works whether or not the key
## already exists; the 'add' on an existing key only reports an error on stderr
## (main silences it).
_etcAuthUserClass(){
  local r="$1"
  _etcAuthRule "add rights:$r:class string user"
  _etcAuthRule "set rights:$r:class user"
  _etcAuthRule "add rights:$r:allow-root bool true"
  _etcAuthRule "set rights:$r:allow-root true"
  _etcAuthRule "add rights:$r:group string everyone"
  _etcAuthRule "set rights:$r:group everyone"
  _etcAuthRule "add rights:$r:shared bool false"
  _etcAuthRule "set rights:$r:shared false"
  _etcAuthRule "delete rights:$r:mechanisms"
}

#######################################
# Grant rights by editing /etc/authorization in place (OS X 10.8 and earlier).
# Globals:   PB (written: path to PlistBuddy)
# Outputs:   PlistBuddy diagnostics on stderr
# Returns:   exit status of the final chmod
# Scope of what is granted - review before deploying:
#   everyone:   restart, shutdown, time zone, Software Update pane and
#               installing Apple software (not just powerusers)
#   powerusers: System Preferences, Printing (+ lpadmin nesting), Network
#               (DNS/proxy changes), Energy Saver, Time Machine
#######################################
etcAuthSettings(){
  PB="/usr/libexec/PlistBuddy"
  ## the System Preferences pane itself: powerusers
  _etcAuthRule "set rights:system.preferences:group powerusers"
  ## restart and shutdown: everyone, "user" class instead of evaluate-mechanisms
  local r
  for r in system.restart system.shutdown; do
    _etcAuthUserClass "$r"
  done
  ## time zone: right must be added on 10.5 and later, open to everyone
  _etcAuthRule "add rights:system.preferences.dateandtime.changetimezone dict"
  _etcAuthRule "add rights:system.preferences.dateandtime.changetimezone:class string allow"
  _etcAuthRule "set rights:system.preferences.dateandtime.changetimezone:class allow"
  _etcAuthRule "add rights:system.preferences.dateandtime.changetimezone:comment string Timezones"
  _etcAuthRule "set rights:system.preferences.dateandtime.changetimezone:comment Timezones"
  _etcAuthRule "add rights:system.preferences.dateandtime.changetimezone:shared bool true"
  _etcAuthRule "set rights:system.preferences.dateandtime.changetimezone:shared true"
  ## print operator: everyone
  _etcAuthRule "set rights:system.print.operator:group everyone"
  ## Printing pane: powerusers, which also needs lpadmin membership
  _etcAuthRule "set rights:system.preferences.printing:group powerusers"
  sudo dseditgroup -o edit -a powerusers -t group lpadmin
  ## Software Update: everyone, plus the install/scan rights it depends on
  _etcAuthRule "set rights:system.preferences.softwareupdate:group everyone"
  _etcAuthRule 'Set :rights:system.install.apple-software:rule allow'
  _etcAuthRule 'set rights:com.apple.SoftwareUpdate.scan:rule allow'
  ## Network pane: powerusers, plus the systemconfiguration right it depends on
  _etcAuthRule "set rights:system.preferences.network:group powerusers"
  _etcAuthRule 'set rights:system.services.systemconfiguration.network:rule allow'
  ## Energy Saver and Time Machine panes: powerusers
  _etcAuthRule "set rights:system.preferences.energysaver:group powerusers"
  _etcAuthRule "set rights:system.preferences.timemachine:group powerusers"
  ## make sure the file keeps root:wheel 0644 after editing
  sudo chown root:wheel "/etc/authorization"
  sudo chmod 644 "/etc/authorization"
}
authDBSettings(){ | |
## PLIST BUDDY | |
PB="/usr/libexec/PlistBuddy" | |
## Make dir for temp plists | |
mkdir /private/var/tmp/authDBSettings/ | |
## allow everyone access to system preferences itself | |
security authorizationdb read system.preferences > /private/var/tmp/authDBSettings/system.preferences.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.preferences.plist | |
sudo security authorizationdb write system.preferences < /private/var/tmp/authDBSettings/system.preferences.plist | |
## restart, changing from "evaluate-mechanisms" to "user" | |
security authorizationdb read system.restart > /private/var/tmp/authDBSettings/system.restart.plist | |
sudo $PB -c "set class user" /private/var/tmp/authDBSettings/system.restart.plist | |
sudo $PB -c "add allow-root bool YES" /private/var/tmp/authDBSettings/system.restart.plist | |
sudo $PB -c "add group string everyone" /private/var/tmp/authDBSettings/system.restart.plist | |
sudo $PB -c "set shared bool NO" /private/var/tmp/authDBSettings/system.restart.plist | |
sudo $PB -c "delete mechanisms array" /private/var/tmp/authDBSettings/system.restart.plist | |
sudo security authorizationdb write system.restart < /private/var/tmp/authDBSettings/system.restart.plist | |
## shutdown, changing from "evaluate-mechanisms" to "user" | |
security authorizationdb read system.shutdown > /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo $PB -c "set class user" /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo $PB -c "add allow-root bool YES" /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo $PB -c "add group string everyone" /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo $PB -c "set shared bool NO" /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo $PB -c "delete mechanisms array" /private/var/tmp/authDBSettings/system.shutdown.plist | |
sudo security authorizationdb write system.shutdown < /private/var/tmp/authDBSettings/system.shutdown.plist | |
## timezone, need to add on 10.5 and later, everyone | |
sudo $PB -c "add class string allow" /private/var/tmp/authDBSettings/system.preferences.dateandtime.changetimezone.plist >/dev/null 2>&1 | |
sudo $PB -c "add comment string Timezones" /private/var/tmp/authDBSettings/system.preferences.dateandtime.changetimezone.plist | |
sudo $PB -c "add shared bool YES" /private/var/tmp/authDBSettings/system.preferences.dateandtime.changetimezone.plist | |
sudo security authorizationdb write system.preferences.dateandtime.changetimezone < /private/var/tmp/authDBSettings/system.preferences.dateandtime.changetimezone.plist | |
## print operator, everyone | |
security authorizationdb read system.print.operator > /private/var/tmp/authDBSettings/print.operator.plist | |
sudo $PB -c "set group everyone" /private/var/tmp/authDBSettings/print.operator.plist | |
sudo security authorizationdb write system.print.operator < /private/var/tmp/authDBSettings/print.operator.plist | |
## printer prefpane, powerusers. requires additional right | |
security authorizationdb read system.preferences.printing > /private/var/tmp/authDBSettings/system.preferences.printing.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.preferences.printing.plist | |
sudo security authorizationdb write system.preferences.printing < /private/var/tmp/authDBSettings/system.preferences.printing.plist | |
## add group 'powerusers' to 'lpadmin' group | |
sudo dseditgroup -o edit -a powerusers -t group lpadmin | |
## software update, everyone, requires additional right | |
security authorizationdb read system.preferences.softwareupdate > /private/var/tmp/authDBSettings/system.preferences.softwareupdate.plist | |
sudo $PB -c "set group everyone" /private/var/tmp/authDBSettings/system.preferences.softwareupdate.plist | |
sudo security authorizationdb write system.preferences.softwareupdate < /private/var/tmp/authDBSettings/system.preferences.softwareupdate.plist | |
security authorizationdb read system.install.apple-software > /private/var/tmp/authDBSettings/system.install.apple-software.plist | |
sudo $PB -c "set rule:0 allow" /private/var/tmp/authDBSettings/system.install.apple-software.plist | |
sudo security authorization write system.install.apple-software < /private/var/tmp/authDBSettings/system.install.apple-software.plist | |
security authorizationdb read com.apple.SoftwareUpdate.scan > /private/var/tmp/authDBSettings/com.apple.SoftwareUpdate.scan.plist | |
sudo $PB -c "set rule:0 allow" /private/var/tmp/authDBSettings/com.apple.SoftwareUpdate.scan.plist | |
sudo security authorizationdb write com.apple.SoftwareUpdate.scan < /private/var/tmp/authDBSettings/com.apple.SoftwareUpdate.scan.plist | |
## network preferences, powerusers, requires additional right | |
security authorizationdb read system.preferences.network > /private/var/tmp/authDBSettings/system.preferences.network.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.preferences.network.plist | |
sudo security authorizationdb write system.preferences.network < /private/var/tmp/authDBSettings/system.preferences.network.plist | |
security authorizationdb read system.services.systemconfiguration.network > /private/var/tmp/authDBSettings/system.services.systemconfiguration.network.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.services.systemconfiguration.network.plist | |
sudo security authorizationdb write system.services.systemconfiguration.network < /private/var/tmp/authDBSettings/system.services.systemconfiguration.network.plist | |
## energy saver, powerusers | |
security authorizationdb read system.preferences.energysaver > /private/var/tmp/authDBSettings/system.preferences.energysaver.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.preferences.energysaver.plist | |
sudo security authorizationdb write system.preferences.energysaver < /private/var/tmp/authDBSettings/system.preferences.energysaver.plist | |
## time machine, powerusers | |
security authorizationdb read system.preferences.timemachine > /private/var/tmp/authDBSettings/system.preferences.timemachine.plist | |
sudo $PB -c "set group powerusers" /private/var/tmp/authDBSettings/system.preferences.timemachine.plist | |
sudo security authorizationdb write system.preferences.timemachine < /private/var/tmp/authDBSettings/system.preferences.timemachine.plist | |
## Remove temp plists | |
rm -rf /private/var/tmp/authDBSettings | |
} | |
#######################################
# Demote every collected AD account: remove it from the local admin group and
# from the two server-admin groups.
# Globals:   ADUserArray (read; filled by findADUsers)
# Outputs:   one progress line per account on stdout
# Returns:   exit status of the last dseditgroup call
# Accounts exempted by findADUsers (e.g. "aa" prefix) are never in the array
# and therefore keep their admin membership.
#######################################
removeADUsersFromAdmin(){
  local user grp
  for user in "${ADUserArray[@]}"; do
    echo "[$user] = Active Directory User. Removing from Local Admin Group"
    for grp in admin _appserveradm _appserverusr; do
      dseditgroup -o edit -d "$user" -t users "$grp"
    done
  done
}
## Nest the powerusers group in the Remote Login service ACL group
## (com.apple.access_ssh) so its members can SSH in; by default only admins can.
## Because admin is nested inside powerusers, admins are covered as well.
## NOTE(review): com.apple.access_ssh appears to exist only while Remote Login
## is restricted to specific users; with "All users" the call is expected to
## fail harmlessly - confirm on the target build.
enablePowerUsersSSH(){
  local sacl="com.apple.access_ssh"
  /usr/sbin/dseditgroup -o edit -a powerusers -t group "$sacl"
}
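#######################################
# Entry point: must run as root. Creates/fills the powerusers group, grants
# the rights through the backend matching the OS version, then removes AD
# users from the local admin group and opens SSH to powerusers.
# Globals:   EUID (read), ADUserArray (read via the called functions)
# Outputs:   progress messages on stdout
# Returns:   exits 1 when not root or when the OS version cannot be parsed
#            (in that case nothing has been modified yet)
# Fix: the backend used to be chosen with a lexicographic `<` against the
# string "10.9*", which classified "10.10" as "less than 10.9" and only
# reached the right branch through a second pattern test. The (major, minor)
# numbers are compared as integers now, and the check runs BEFORE any group
# change so an unrecognised version leaves the machine untouched.
#######################################
main()
{
  if [[ $EUID -ne 0 ]]; then
    echo "You must run this script as root"
    exit 1
  fi
  local osver major minor
  osver=$(sw_vers -productVersion)
  if [[ ! $osver =~ ^([0-9]+)\.([0-9]+) ]]; then
    echo "[!] Unrecognised OS version '$osver'; no changes made" >&2
    exit 1
  fi
  major=${BASH_REMATCH[1]}
  minor=${BASH_REMATCH[2]}
  ########## Run Methods ###########
  createPowerUsersGroup
  addADUsersToPowerUsers
  if (( major == 10 && minor < 9 )); then
    echo "[+] The current OS is OS X Mountain Lion or older. Using /etc/auth methods"
    # PlistBuddy 'add' on an already present key reports "Entry Already
    # Exists"; that noise is expected, hence stderr is silenced here.
    etcAuthSettings 2> /dev/null
  else
    echo "[+] The current OS is OS X Mavericks or greater. Using authDB methods"
    authDBSettings
  fi
  # Demotion comes last, after the replacement rights are in place.
  removeADUsersFromAdmin
  enablePowerUsersSSH
}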
## Run order: collect the AD accounts (dscl noise silenced), record which of
## them are local admins right now, then apply all group and rights changes.
findADUsers 2>/dev/null
findADAdminUsers
main