Mac Developer Library Developer
Search

 

This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.




dseditgroup(8)            BSD System Manager's Manual           dseditgroup(8)

NAME
     dseditgroup -- group record manipulation tool.

SYNOPSIS
     dseditgroup [options] [parameters] groupname

                 options:
                       -o operation   perform (read, create, delete, edit, checkmember) operation with given
                                      groupname
                       -p             prompt for authentication password
                       -q             disables interactive verification
                       -v             verbose logging to stdout

                 parameters:
                       -m member      username to use for checkmember option
                       -n nodename    directory node location of group record
                       -u username    authenticate with admin username
                       -P password    authentication password
                       -a recordname  name of the record to add
                       -d recordname  name of the record to delete
                       -t recordtype  type of the record to add or delete
                       -T grouptype   type of group to create or modify
                       -L             maintain ComputerLists in parallel with ComputerGroups
                       -i gid         gid to add/replace
                       -g guid        GUID to add/replace
                       -S sid         SID to add/replace
                       -r realname    realname to add/replace
                       -k keyword     keyword to add
                       -c comment     comment to add/replace
                       -s timetolive  seconds to live to add/replace
                       -f n | l       change the group's format - 'n' for the new group format and 'l' for
                                      the legacy group format

DESCRIPTION
     dseditgroup allows manipulation of a single named group record on either the default local node or the
     specified DirectoryService node. For the "read" operation the authentication search policy (/Search
     node) is consulted. Default behaviour is presented below after a discussion of each operation and the
     possible parameters.

     Options and their descriptions:

     -o operation
              If "read" then the parameters of the specified groupname will be displayed. This is the
              default option. The authentication search policy (/Search node) will be used.

              If "create" then create a group with the specified groupname on either the default local node
              or the specified DirectoryService node.

              If "delete" then delete a group with the specified groupname on either the default local node
              or the specified DirectoryService node.

              If "edit" then edit a group with the specified groupname on either the default local node or
              the specified DirectoryService node.

              If "checkmember" then check if the user specified with -m or current logged in user is a mem-ber member
              ber of the specified groupname. The authentication search policy (/Search node) is used to
              find the member. The specified node (defaults to the authentication search policy) is used to
              find the group. If the specified node is not on the authentication search policy the behaviour
              is undefined.

     -p       You will be prompted for a password to use in conjunction with the specified username.

     -q       This disables interactive verification of replace or delete operations.

     -v       This enables the logging of the DirectoryService API calls and their return codes.

     Parameters and their descriptions:

     -m member
              The username of the account to verify group membership when using -o checkmember

     -n nodename
              Directory Service node name such as /LDAPv3/ldap.company.com and whose default value is the
              local node. "." can also be used to specify the local node.

     -u username
              Username of a user that has administrative privileges on this computer.

     -P password
              Password to use in conjunction with the specified username.  If this is not specified, you
              will be prompted for a password.

     -a recordname
              The name of the record to be added to the group specified by groupname. This name is related
              to the first record found on the authentication search policy when a search is made with this
              recordname and the given recordtype.

     -d recordname
              The name of the record to be deleted from the group specified by groupname. This name is
              related to the first record found on the authentication search policy when a search is made
              with this recordname and the given recordtype.

     -t recordtype
              The type of the record to be added to or deleted from the group specified by groupname. Valid
              values are user, computer, group, or computergroup.

     -T grouptype
              The type of the group record to be created or modified as specified by groupname. Valid values
              are group or computergroup.

     -L       If used with computergroup will also maintain the computerlist if it exists or create it if a
              computergroup is created.

     -i gid   This is a group id. This will be automatically created if not specified for a create.

     -g guid  This is a text representation of an 128 bit id. This will be automatically created if not
              specified for a create.

     -r realname
              This is a simple text string.

     -k keyword
              This is a simple text string.

     -c comment
              This is a simple text string.

     -s timetolive
              The number of seconds that this record is deemed valid as a cached value. There will be no
              automatically created default value if not specified for a create.

DEFAULT BEHAVIOUR
     dseditgroup mygroup

     This simple version of the command will default to:

     dseditgroup -o read -n . -u $USER mygroup

     The output will be the parameters of the "mygroup" group record if the shell user has read access to
     the local node's group record of name "mygroup".

EXAMPLES
     dseditgroup extragroup

     dseditgroup -o read extragroup

                    The attributes of the group extragroup from the local node are displayed.

     dseditgroup -o create -n /LDAPv3/ldap.company.com -u myusername -P mypassword -r "Extra Group" -c "a
              nice comment" -s 36__ -k "some keyword" extragroup

                    The group extragroup is created from the node /LDAPv3/ldap.company.com with the
                    realname, comment, timetolive (instead of default of 14400 = 4 hours), and keyword
                    atttribute values given above if the user myusername has supplied a correct password and
                    has write access.

     dseditgroup -o delete -n /LDAPv3/ldap.company.com -u myusername -P mypassword extragroup

                    The group extragroup is deleted from the node /LDAPv3/ldap.company.com if the user
                    myusername has supplied a correct password and has write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -p -a username -t user extragroup

                    The group extragroup from the node /LDAPv3/ldap.company.com will have the username added
                    if the username is in a user record on the search policy and if the correct password is
                    presented interactively for the user myusername which also need to have write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -P -a mysubgroup -t group extragroup

                    The group extragroup from the node /LDAPv3/ldap.company.com will have the mysubgroup
                    added if the mysubgroup is in a group record on the search policy and if the user
                    myusername has supplied a correct password and has write access.

     dseditgroup -o edit -n /LDAPv3/ldap.company.com -u myusername -p -d username -t user extragroup

                    The group extragroup from the node /LDAPv3/ldap.company.com will have the username
                    deleted if the correct password is presented interactively for the user myusername which
                    also need to have write access.

     dseditgroup -o checkmember extragroup

                    Will write out a message specifying if the current user is a member of extragroup on the
                    authentication search policy.

     dseditgroup -o checkmember -n  . extragroup

                    Will write out a message specifying if the current user is a member of extragroup on the
                    local node.

     dseditgroup -n /LDAPv3/ldap.company.com -o checkmember -m user extragroup

                    Will write out a message specifying if user (found in /Search) is a member of extragroup
                    on the specified node /LDAPv3/ldap.company.com. The specified node
                    /LDAPv3/ldap.company.com needs to be on the authentication search policy for a valid
                    answer.

Mac OS                           March 01 2004                          Mac OS

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.

Feedback