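#!/bin/bash
## referenced commands on https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/migrate_local_user_to_AD_domain/MigrateLocalUserToADDomainAcct.command
## This script is written by theadamcraig sourced from https://github.com/theadamcraig/jamf-scripts/
## it expects the computer to be already bound to AD with filevault enabled
## if filevault is not enabled it will run jamf policy -trigger catalina_fv
## if the computer is not bound it will run jamf policy -trigger rebind
## it will create a log file in /Users/Shared/Provisioning.log
## Script parameters 4 and 5 carry the admin account and its password. Anything
## passed in argv is visible to other local processes (e.g. via `ps`) while the
## script runs, so use a dedicated, least-privilege provisioning account here.
adminUser="$4"
adminPass="$5"
enableFV2JamfTrigger="catalina_fv"
rebindJamfTrigger="rebind"
# Second component of the product version (e.g. "15" for 10.15). It is assigned
# but never read later in this script; kept so nothing sourcing it breaks.
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
# Non-empty only when an Active Directory node is listed on this Mac.
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
#########################
### SET UP LOGGING
log_file=/Users/Shared/Provisioning.log
# /Users/Shared is normally writable by every local user, and this script runs
# with elevated rights, so do not follow a symlink someone may have planted at
# the log path.
if [[ -L "$log_file" ]]; then
  echo "Refusing to append to symlink $log_file" >&2
  exit 1
fi
touch "$log_file"
echo "Computer Provisioning Remote AD User Creation Begun" >> "$log_file"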
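#######################################
# Append one line to the provisioning log.
# Globals:   log_file (read) - path set near the top of the script
# Arguments: $1 - text to log
# Outputs:   nothing on stdout; the line is appended to $log_file
#######################################
Log(){
  local text=$1
  # printf rather than echo: echo would treat a line such as "-n" or "-e" as
  # an option instead of logging it.
  printf '%s\n' "$text" >> "$log_file"
}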
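# Timestamp the start of this run in the log.
today=$(date)
Log "$today"
Log "---------------------------------"
Log " Checking Requirements"
Log "---------------------------------"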
#### SET UP DISPLAY DIALOG FUNCTION
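#######################################
# Show a modal AppleScript dialog to the console user and echo the same text
# to stdout (so it also appears in the policy output).
# Globals:   loggedInUser, loggedInUID (read if set; they are not assigned
#            anywhere in this script, so the console owner is used as fallback)
# Arguments: $1 - dialog text; AppleScript escapes such as "\n" are honoured
# Outputs:   the text on stdout
#######################################
DisplayDialog(){
  local dialogText="$1"
  local user uid cmd
  echo "$dialogText"
  # Without a target user and UID the launchctl/sudo hop below cannot reach the
  # user's GUI session; derive them from the owner of /dev/console when unset.
  user=${loggedInUser:-$(/usr/bin/stat -f%Su /dev/console 2>/dev/null)}
  uid=${loggedInUID:-$(/usr/bin/id -u "$user" 2>/dev/null)}
  # Some callers interpolate the typed account name into the text; escape
  # double quotes so it cannot terminate the AppleScript string literal.
  # Backslashes are left alone because the "\n" sequences are intentional.
  dialogText=${dialogText//'"'/'\"'}
  cmd="display dialog \"$dialogText\" buttons {\"Continue\"} default button 1 giving up after 180"
  /bin/launchctl asuser "$uid" sudo -iu "$user" /usr/bin/osascript -e "$cmd"
}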
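## verify that adminuser and pass variables are both passed to the user
if [[ -z "$adminUser" || -z "$adminPass" ]]; then
  DisplayDialog "either Admin User or Password is missing. Please inform Helpdesk."
  exit 1
fi
## check the admin password
# dscl -authonly prints nothing on success. Capture stderr as well and also
# require a zero exit status, so a failure reported on stderr (or reported only
# through the exit code) is never mistaken for a verified password. The
# password is passed as an argument here, so it is briefly visible in `ps`.
adminCheck=$(/usr/bin/dscl /Local/Default -authonly "$adminUser" "$adminPass" 2>&1) \
  || adminCheck=${adminCheck:-"dscl -authonly exited non-zero"}
if [[ -z "$adminCheck" ]]; then
  Log "Admin password is verified"
else
  # Deliberately not logging $adminCheck: the log lives in a shared directory.
  Log "Admin Password not working"
  exit 1
fi
# If the machine is not bound to AD, then there's no purpose going any further.
if [[ "${check4AD}" != "Active Directory" ]]; then
  DisplayDialog "This machine is not bound to Active Directory.\nPlease bind to AD first. "
  exit 1
fi
## Check Filevault Status
fvStatus=$(fdesetup status)
if [[ "$fvStatus" == *"FileVault is On."* ]]; then
  Log "Verified Filevault Enabled"
else
  # Start the Jamf policy that enables FileVault; it needs a restart to take
  # effect, so stop here and tell the user to try again afterwards.
  jamf policy -trigger "$enableFV2JamfTrigger" -forceNoRecon
  sleep 5
  DisplayDialog "Filevault Not Yet Enabled. Please Restart the computer to enable Filevault and Try again."
  exit 1
fi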
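## Prompt for Username
userToAdd=$(/usr/bin/osascript <<'END'
tell application "System Events"
activate
set the answer to text returned of (display dialog "Enter your User account Username:" default answer "" buttons {"Continue"} default button 1)
end tell
END
)
if [[ "$userToAdd" == "setup" ]]; then
  DisplayDialog "Please enter your Username, not the setup user. \nExiting. Install Phase2 again"
  exit 1
fi
# The typed name is later used as a grep pattern, inside an AppleScript string,
# inside an XML plist and as a command argument, so only accept a plain
# account-name character set. This also rejects an empty answer (e.g. a
# dismissed dialog). Names with spaces or quotes would have broken the
# unquoted uses further down anyway.
if [[ ! "$userToAdd" =~ ^[A-Za-z0-9._@-]+$ ]]; then
  DisplayDialog "The Username entered is empty or contains unsupported characters. \nExiting. Install Phase2 again"
  exit 1
fi
## Prompt for Password
# The password is held in a shell variable for the rest of the run and is
# handed to dscl/fdesetup below; keep this script out of `set -x` tracing.
userPass=$(/usr/bin/osascript <<'END'
tell application "System Events"
activate
set the answer to text returned of (display dialog "Enter your User account Password:" default answer "" with hidden answer buttons {"Continue"} default button 1)
end tell
END
)
if [[ -z "$userPass" ]]; then
  DisplayDialog "No password was entered. \nExiting. Install Phase2 again"
  exit 1
fi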
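Log " "
Log "---------------------------------"
Log " Adding Account to AD"
Log "---------------------------------"
# Exact, fixed-string match. The original unanchored grep reported "bob" as
# present whenever e.g. "bobby" existed, which skipped account creation and
# let the later FileVault steps run against a user that was never created.
userCheck=$(dscl . list /Users | grep -Fx -- "$userToAdd")
if [[ -n "$userCheck" ]]; then
  Log "AD account $userToAdd is already on computer."
  Log " "
fi
loopCount=0
while (( loopCount < 3 )); do
  if [[ -z "$userCheck" ]]; then
    # `id` only prints a record once directory services can resolve the name.
    adCheck=$(id "$userToAdd")
    Log "AD Check is: $adCheck"
    Log "Blank means that the script may fail."
    sleep 2
    ## hit AD create the user
    # The admin password is passed via -U on the command line, so it is
    # visible in `ps` for the duration of this call.
    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a "$adminUser" -U "$adminPass" -n "$userToAdd" #-p "$userPass"
    sleep 2
  else
    Log "$userToAdd is already on this computer."
    break
  fi
  ## check to see if the user account was added
  userCheck=$(dscl . list /Users | grep -Fx -- "$userToAdd")
  if [[ -z "$userCheck" ]]; then
    loopCount=$((loopCount + 1))
  else
    break
  fi
  # After the second failed attempt the bind itself may be broken: rebind
  # before the final try.
  if (( loopCount == 2 )); then
    jamf policy -trigger "$rebindJamfTrigger" -forceNoRecon
    sleep 5
  fi
done
if [[ -z "$userCheck" ]]; then
  DisplayDialog "AD User failed to add. \nVerify VPN has a network Connected. \nRecommend restarting the computer and trying this install again. \nIf issues continue run 'Rebind to Domain' from Self Service and then try install again."
  exit 1
fi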
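Log " "
Log "---------------------------------"
Log " Syncing Password from AD"
Log "---------------------------------"
loopCount=0
while (( loopCount < 3 )); do
  Log " "
  Log "Using Cache Util"
  ## this should query AD to cache the user including the password
  dscacheutil -q user -a name "$userToAdd"
  Log "Doing an AD Auth"
  ## this will auth the user to AD and should also cache their password locally
  # Both dscl calls take the password as an argument, so it is briefly
  # visible in `ps`.
  /usr/bin/dscl /Search -authonly "$userToAdd" "$userPass"
  # passCheck is empty on success and non-empty on failure; the result summary
  # at the end of the script reads it as well. Require a zero exit status in
  # addition to silent output so a failure is never mistaken for success.
  passCheck=$(/usr/bin/dscl /Local/Default -authonly "$userToAdd" "$userPass" 2>&1) \
    || passCheck=${passCheck:-"dscl -authonly exited non-zero"}
  if [[ -z "$passCheck" ]]; then
    Log "Password Authenticated Successfully!"
    break
  else
    # Not logging $passCheck: the log lives in a shared directory.
    Log "Password Authorization failed"
    loopCount=$((loopCount + 1))
  fi
done
sleep 2
## this kills the menubar so that the fast user switching list refreshes
# launchd restarts SystemUIServer; the hard kill is what the original relied on.
Log "Refreshing Menubar to update Fast User Switching"
killall -KILL SystemUIServer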
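## NOW that we've verified the user exists let's add the user to FileVault
Log "Removing User from Filevault"
fdesetup remove -user "$userToAdd"
#######################################
# Escape the characters that are special in XML text so a password or name
# containing & < > cannot corrupt, or inject elements into, the plist below.
# Arguments: $1 - raw value
# Outputs:   the escaped value on stdout (no trailing newline)
#######################################
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}
# Hand the plist to fdesetup on stdin instead of writing it to /tmp: the
# original left the admin and user passwords in clear text in a predictable,
# default-permission file until the rm ran, readable by any local process.
Log "Re-adding User to Filevault"
fdesetup add -i <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Username</key>
<string>$(xml_escape "$adminUser")</string>
<key>Password</key>
<string>$(xml_escape "$adminPass")</string>
<key>AdditionalUsers</key>
<array>
<dict>
<key>Username</key>
<string>$(xml_escape "$userToAdd")</string>
<key>Password</key>
<string>$(xml_escape "$userPass")</string>
</dict>
</array>
</dict>
</plist>
EOF
# Same substring test as before, but as a quoted fixed string so the name is
# never interpreted as a regex. NOTE(review): this still matches any enabled
# user whose name merely contains $userToAdd — confirm against fdesetup list output.
fdeList=$(fdesetup list | grep -F -- "$userToAdd")
if [[ "$fdeList" == *"$userToAdd"* ]]; then
  DisplayDialog "$userToAdd account created.\nPhase 2 of Provisioning is complete.\nPlease select 'setup' in the menu bar by the clock and login as yourself."
  Log " "
  Log " ---------------------------------------"
  Log " "
  Log " "
  exit 0
## Checking password again!
elif [[ -n "$passCheck" ]]; then
  Log "Password Check Authorization failed"
  DisplayDialog "Automated Password Check for $userToAdd failed. \nPlease select 'setup' in the menu bar by the clock and login as yourself. \nIf you are unable to login to your account run Phase 2 again."
  Log " "
  Log " ---------------------------------------"
  Log " "
  Log " "
  exit 0
else
  # The account exists but FileVault enablement failed; the original exits 0
  # here as well (presumably so the policy is not retried), only the dialog
  # and log record the failure.
  Log "Filevault add Failed"
  DisplayDialog "Automated $userToAdd account Encryption Failed. \nPlease select 'setup' in the menu bar by the clock and login as yourself."
  Log " "
  Log " ---------------------------------------"
  Log " "
  Log " "
  exit 0
fi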