Takes AD admin users and puts them in the Power Users group to perform certain functions
#!/bin/bash
#################################################################################
# #
# Script performs the following: #
# 1) Create Power User Group & add AD Standard Users #
# 2) Modify /etc/auth to give powerusers group specified rights #
# 3) Enforce Compliance # #
# AA Accounts are exempted # #
# Version 1.1, 2013-08-12 #
# Version 1.2, 2013-11-19 #
# Version 1.3, 2015-8-10 #
# Adds 10.9 Support # #
# David Hester && Tom Burgin && Jeremy Baker #
# #
#################################################################################
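## Fill in your domain below as it appears on a bound macOS: it must match the
## OriginalNodeName that `dscl . -read /Users/<name> OriginalNodeName` prints for
## a domain account. Accounts whose node name differs are treated as local and
## are never touched by this script.
readonly domain="/Active Directory/DOMAIN/DOMAIN.COM"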
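#######################################
# Filter a newline-separated list of account names (stdin) down to the
# accounts this script manages: drop system accounts (any "_" in the name,
# as before), AA accounts and netboot accounts (for servers). The AA match
# is anchored to the start of the name so that a user whose name merely
# contains "aa" (e.g. "isaac") is not silently skipped and left as admin.
# Outputs:   surviving names, one per line
#######################################
_filterCandidateUsers(){
  grep -Ev -- '_|^aa|netboot'
}

#######################################
# Print the directory node an account comes from, trimmed of the leading
# whitespace dscl puts on the value line.
# Arguments: $1 - short account name
# Outputs:   OriginalNodeName on stdout (empty when dscl fails)
#######################################
_userNodeName(){
  dscl . -read "/Users/$1" OriginalNodeName | tail -1 | sed 's/^[ \t]*//'
}

#######################################
# Exact-match membership test, used instead of a *$name* substring match
# so that "bakerjr" is not reported as an admin because "aabakerjr" is.
# Arguments: $1 - name to look for; $2.. - names to search
# Returns:   0 if $1 equals one of the remaining arguments, 1 otherwise
#######################################
_isMember(){
  local needle=$1 candidate
  shift
  for candidate in "$@"; do
    [[ "$candidate" == "$needle" ]] && return 0
  done
  return 1
}

#######################################
# Collect every candidate account whose directory node is $domain (this
# also excludes local accounts such as root or nobody) into ADUserArray.
# Globals:   domain (read), ADUserArray (written)
# Outputs:   space-separated list of AD users on stdout
#######################################
findADUsers(){
  ADUserArray=()
  local user
  while IFS= read -r user; do
    if [[ "$(_userNodeName "$user")" == "$domain" ]]; then
      ADUserArray+=("$user")
    fi
  done < <(dscl . list /Users | _filterCandidateUsers)
  ## Print the whole array; a bare $ADUserArray only expands to element 0.
  echo "${ADUserArray[*]}"
}

#######################################
# Snapshot which AD users are in the local admin group before the script
# removes them. We only care about logging those that WERE admins but will
# no longer be; this was added after the package was once pushed out
# inadvertently with no good way of knowing who had been an admin before.
# Globals:   domain (read), ADAdminArray (written)
# Outputs:   writes the list to /private/var/log/powerusers.log, which is
#            what is returned to AbMan as the information item value
#######################################
findADAdminUsers(){
  ADAdminArray=()
  local user
  local -a membership=()
  ## Read the admin group's GroupMembership line once and split it into
  ## words. The earlier `grep -v "aa"` on this line was meant to avoid
  ## substring false positives, but it discarded the entire line as soon as
  ## any AA account was an admin, so nobody was ever logged in that case.
  read -r -a membership < <(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership://')
  while IFS= read -r user; do
    if [[ "$(_userNodeName "$user")" == "$domain" ]] && _isMember "$user" "${membership[@]}"; then
      ADAdminArray+=("$user")
    fi
  done < <(dscl . list /Users | _filterCandidateUsers)
  ## Log the whole array; a bare $ADAdminArray would only log the first admin.
  echo "${ADAdminArray[*]}" > /private/var/log/powerusers.log
}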
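#######################################
# Create the local "powerusers" group if it does not exist yet and nest
# the admin group inside it so admins keep every right granted below.
# Outputs:   progress messages on stdout
#######################################
createPowerUsersGroup(){
  ## Whole-line match: the old unquoted `grep powerusers` also accepted names
  ## such as "powerusers2" and made [ fail with a syntax error when nothing
  ## matched (the group then got created only because the test errored out).
  if dscl . -list /Groups | grep -qx -- powerusers; then
    echo "[+] Power Users Group exist"
  else
    echo "[+] Creating Power Users Group"
    dseditgroup -o create -r "Power Users" powerusers
  fi
  ## add admin group
  dseditgroup -o edit -a admin -t group powerusers
}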
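#######################################
# Move every AD user found by findADUsers into the powerusers group and
# the _lpadmin (printer administration) group.
# Globals:   ADUserArray (read)
# Outputs:   one progress line per user on stdout
#######################################
addADUsersToPowerUsers(){
  local user
  ## Quoted expansion so the loop is robust to an empty array and odd names.
  for user in "${ADUserArray[@]}"; do
    echo "[$user] = Active Directory User. Moving to Power Users Group"
    dseditgroup -o edit -a "$user" -t users powerusers
    dseditgroup -o edit -a "$user" -t users _lpadmin
  done
}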
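#######################################
# Run one PlistBuddy command against /etc/authorization.
# Arguments: $1 - PlistBuddy command string
# Returns:   PlistBuddy's exit status
#######################################
_pbAuth(){
  sudo /usr/libexec/PlistBuddy -c "$1" "/etc/authorization"
}

#######################################
# Grant the powerusers/everyone rights on systems older than 10.9 by editing
# /etc/authorization directly. Each key is "add"ed and then "set" so the edit
# works whether or not the key already exists (one of the two fails and is
# ignored; the caller discards stderr).
# Outputs:   PlistBuddy/dseditgroup diagnostics
#######################################
etcAuthSettings(){
  local cmd
  local -a commands=(
    ## allow everyone access to system preferences itself
    "set rights:system.preferences:group powerusers"
    ## restart, changing from "evaluate-mechanisms" to "user"
    "add rights:system.restart:class string user"
    "set rights:system.restart:class user"
    "add rights:system.restart:allow-root bool true"
    "set rights:system.restart:allow-root true"
    "add rights:system.restart:group string everyone"
    "set rights:system.restart:group everyone"
    "add rights:system.restart:shared bool false"
    "set rights:system.restart:shared false"
    "delete rights:system.restart:mechanisms"
    ## shutdown, changing from "evaluate-mechanisms" to "user"
    "add rights:system.shutdown:class string user"
    "set rights:system.shutdown:class user"
    "add rights:system.shutdown:allow-root bool true"
    "set rights:system.shutdown:allow-root true"
    "add rights:system.shutdown:group string everyone"
    "set rights:system.shutdown:group everyone"
    "add rights:system.shutdown:shared bool false"
    "set rights:system.shutdown:shared false"
    "delete rights:system.shutdown:mechanisms"
    ## timezone, need to add on 10.5 and later, everyone
    "add rights:system.preferences.dateandtime.changetimezone dict"
    "add rights:system.preferences.dateandtime.changetimezone:class string allow"
    "set rights:system.preferences.dateandtime.changetimezone:class allow"
    "add rights:system.preferences.dateandtime.changetimezone:comment string Timezones"
    "set rights:system.preferences.dateandtime.changetimezone:comment Timezones"
    "add rights:system.preferences.dateandtime.changetimezone:shared bool true"
    "set rights:system.preferences.dateandtime.changetimezone:shared true"
    ## print operator, everyone
    "set rights:system.print.operator:group everyone"
    ## printer prefpane, powerusers. requires additional right (lpadmin, below)
    "set rights:system.preferences.printing:group powerusers"
    ## software update, everyone, requires additional rights
    "set rights:system.preferences.softwareupdate:group everyone"
    'Set :rights:system.install.apple-software:rule allow'
    'set rights:com.apple.SoftwareUpdate.scan:rule allow'
    ## network preferences, powerusers, requires additional right
    "set rights:system.preferences.network:group powerusers"
    'set rights:system.services.systemconfiguration.network:rule allow'
    ## energy saver, powerusers
    "set rights:system.preferences.energysaver:group powerusers"
    ## time machine, powerusers
    "set rights:system.preferences.timemachine:group powerusers"
  )
  for cmd in "${commands[@]}"; do
    _pbAuth "$cmd"
  done
  ## add group 'powerusers' to 'lpadmin' group (independent of the plist edits,
  ## so it can run after them)
  sudo dseditgroup -o edit -a powerusers -t group lpadmin
  ## Permissions: the file must stay root-owned and world-readable only
  sudo chown root:wheel "/etc/authorization"
  sudo chmod 644 "/etc/authorization"
}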
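#######################################
# Re-write one authorization right: dump it to a plist in the scratch
# directory, apply the given PlistBuddy commands in order and load it back.
# Arguments: $1 - scratch directory; $2 - right name; $3.. - PlistBuddy commands
# Returns:   status of the final `security authorizationdb write`
#######################################
_rewriteRight(){
  local -r PB="/usr/libexec/PlistBuddy"
  local scratch=$1 right=$2 cmd plist
  shift 2
  plist="$scratch/$right.plist"
  security authorizationdb read "$right" > "$plist"
  for cmd in "$@"; do
    sudo "$PB" -c "$cmd" "$plist"
  done
  sudo security authorizationdb write "$right" < "$plist"
}

#######################################
# Grant the powerusers/everyone rights on 10.9 and later through the
# authorization database (security authorizationdb) instead of /etc/authorization.
# Outputs:   security/PlistBuddy diagnostics
# Returns:   1 if no scratch directory could be created, otherwise the
#            status of the final cleanup
#######################################
authDBSettings(){
  local -r PB="/usr/libexec/PlistBuddy"
  local tmpdir plist
  ## Private scratch directory (mode 0700, unpredictable name). The previous
  ## fixed /private/var/tmp/authDBSettings/ sat in a world-writable directory,
  ## so another local user could pre-create it and replace the plists between
  ## the read and the `authorizationdb write` that loads them back as root.
  tmpdir=$(mktemp -d /private/var/tmp/authDBSettings.XXXXXX) || {
    echo "[-] Unable to create a scratch directory for the authorization plists" >&2
    return 1
  }
  ## allow everyone access to system preferences itself
  _rewriteRight "$tmpdir" system.preferences "set group powerusers"
  ## restart, changing from "evaluate-mechanisms" to "user"
  _rewriteRight "$tmpdir" system.restart \
    "set class user" \
    "add allow-root bool YES" \
    "add group string everyone" \
    "set shared bool NO" \
    "delete mechanisms array"
  ## shutdown, changing from "evaluate-mechanisms" to "user"
  _rewriteRight "$tmpdir" system.shutdown \
    "set class user" \
    "add allow-root bool YES" \
    "add group string everyone" \
    "set shared bool NO" \
    "delete mechanisms array"
  ## timezone, need to add on 10.5 and later, everyone. As in the original this
  ## right is built from scratch rather than read back (PlistBuddy creates the
  ## file on the first add, whose output is discarded).
  plist="$tmpdir/system.preferences.dateandtime.changetimezone.plist"
  sudo "$PB" -c "add class string allow" "$plist" >/dev/null 2>&1
  sudo "$PB" -c "add comment string Timezones" "$plist"
  sudo "$PB" -c "add shared bool YES" "$plist"
  sudo security authorizationdb write system.preferences.dateandtime.changetimezone < "$plist"
  ## print operator, everyone
  _rewriteRight "$tmpdir" system.print.operator "set group everyone"
  ## printer prefpane, powerusers. requires additional right
  _rewriteRight "$tmpdir" system.preferences.printing "set group powerusers"
  ## add group 'powerusers' to 'lpadmin' group
  sudo dseditgroup -o edit -a powerusers -t group lpadmin
  ## software update, everyone, requires additional rights
  _rewriteRight "$tmpdir" system.preferences.softwareupdate "set group everyone"
  ## The original wrote this right with `security authorization write` (no
  ## "db"), which is not a security(1) subcommand, so the rule was never applied.
  _rewriteRight "$tmpdir" system.install.apple-software "set rule:0 allow"
  _rewriteRight "$tmpdir" com.apple.SoftwareUpdate.scan "set rule:0 allow"
  ## network preferences, powerusers, requires additional right
  _rewriteRight "$tmpdir" system.preferences.network "set group powerusers"
  _rewriteRight "$tmpdir" system.services.systemconfiguration.network "set group powerusers"
  ## energy saver, powerusers
  _rewriteRight "$tmpdir" system.preferences.energysaver "set group powerusers"
  ## time machine, powerusers
  _rewriteRight "$tmpdir" system.preferences.timemachine "set group powerusers"
  ## Remove temp plists; :? refuses to run if tmpdir were ever empty
  rm -rf -- "${tmpdir:?}"
}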
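#######################################
# Remove every AD user found by findADUsers from the local admin group and
# from the _appserveradm / _appserverusr groups.
# Globals:   ADUserArray (read)
# Outputs:   one progress line per user on stdout
#######################################
removeADUsersFromAdmin(){
  local user
  ## Quoted expansion so the loop is robust to an empty array and odd names.
  for user in "${ADUserArray[@]}"; do
    echo "[$user] = Active Directory User. Removing from Local Admin Group"
    dseditgroup -o edit -d "$user" -t users admin
    dseditgroup -o edit -d "$user" -t users _appserveradm
    dseditgroup -o edit -d "$user" -t users _appserverusr
  done
}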
#######################################
# Add the powerusers group to com.apple.access_ssh so its members may log
# in over SSH. Without this only admins were allowed to SSH in, and some
# customers needed SSH access.
# Returns:   dseditgroup's exit status
#######################################
enablePowerUsersSSH(){
  local -r ssh_access_group="com.apple.access_ssh"
  /usr/sbin/dseditgroup -o edit -a powerusers -t group "$ssh_access_group"
}
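#######################################
# Decide whether a macOS version still uses /etc/authorization (everything
# before 10.9) rather than the authorization database.
# Arguments: $1 - version as printed by `sw_vers -productVersion`, e.g. 10.8.5
# Returns:   0 if /etc/authorization should be edited, 1 for authorizationdb
#######################################
_needsEtcAuth(){
  local major minor
  IFS=. read -r major minor _ <<<"$1"
  ## Numeric comparison. The old lexical `< "10.9"*` test sorted 10.10+ before
  ## 10.9 and treated an exact "10.9" as older, which the extra "10.1"* prefix
  ## check only partly papered over.
  (( major == 10 && ${minor:-0} < 9 ))
}

#######################################
# Entry point: create the group, grant its rights in the way the running OS
# expects, demote the AD users from admin and open SSH to the group.
# Globals:   EUID (read)
# Outputs:   progress messages on stdout
# Returns:   exits 1 when not running as root
#######################################
main()
{
  if [[ $EUID -ne 0 ]]; then
    echo "You must run this script as root"
    exit 1
  fi
  ########## Run Methods ###########
  createPowerUsersGroup
  addADUsersToPowerUsers
  local os_version
  os_version=$(sw_vers -productVersion)
  if _needsEtcAuth "$os_version"; then
    echo "[+] The current OS is OS X Mountain Lion or older. Using /etc/auth methods"
    ## PlistBuddy add/set pairs are expected to half-fail; keep stderr quiet
    etcAuthSettings 2> /dev/null
  else
    echo "[+] The current OS is OS X Mavericks or greater. Using authDB methods"
    authDBSettings
  fi
  removeADUsersFromAdmin
  enablePowerUsersSSH
}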
## Discover the AD users (dscl noise on stderr is discarded) and snapshot the
## current AD admins to the log before main starts changing group memberships.
findADUsers 2> /dev/null
findADAdminUsers
main