Tuesday, July 3, 2007

How to add an AD user as a local admin


We all know the obvious way to allow a given group or groups to administer a Mac bound to Active Directory (see image below).

Although the “Allow administration by group” setting in Directory Access lets members of that group install
software and perform certain other admin functions, there is a bug (or feature?) in Tiger that prevents those nested group members from using sudo or unlocking the secure System Preferences panes. As far as I can tell, this is a problem with how the Mac handles nested groups: those checks appear to honour only accounts listed directly in the local admin group, not accounts that inherit membership through an AD group. If you, or another user, need to truly be an admin, the account(s) must be added directly to the admin group.

Type the following as root (or prefix it with sudo):
dscl . -append /Groups/admin users username1 username2 username3

This command can be sent to your clients over ARD (replace -append with -delete if you want to revoke admin access).

You can use this command to confirm who is an admin:
dscl . -read /Groups/admin users
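As an added example (not from the original post), here is a small POSIX shell script that wraps the dscl commands above into an idempotent grant/revoke with a verification step. It assumes a Mac with dscl(1) in the PATH, and that the grant and revoke functions run as root (via sudo); the parsing and membership helpers are plain shell and can be exercised anywhere on the constructed sample record embedded in the script. It addresses the group attribute by its standard name GroupMembership, which is the same attribute the commands above address by its native name `users`.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent grant/revoke of direct
# membership in the local admin group, with a check that reports exactly what
# dscl sees. Assumes macOS with dscl(1); grant/revoke must run as root (sudo).

# Constructed sample of one line of `dscl . -read /Groups/admin GroupMembership`
# output. Older tools print the same attribute under its native name "users".
SAMPLE_GROUP_RECORD='GroupMembership: root alice bob'

# Print the direct members named in a group record line, one per line.
parse_members() {
    printf '%s\n' "$1" | awk '{ sub(/^[^:]*:[ \t]*/, ""); for (i = 1; i <= NF; i++) print $i }'
}

# Succeed only if $1 is listed DIRECTLY in record text $2. Membership that comes
# through a nested AD group is not listed here, which is the case the post
# describes: such users cannot sudo or unlock the secure preference panes.
is_direct_member() {
    parse_members "$2" | grep -Fqx -- "$1"
}

# Fetch the live admin record; fails cleanly where dscl is not available.
read_admin_record() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found" >&2; return 1; }
    dscl . -read /Groups/admin GroupMembership
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root, e.g. with sudo" >&2; return 1; }
}

# grant_admin user...  : add each user directly to admin, skipping existing members
grant_admin() {
    require_root || return 1
    record=$(read_admin_record) || return 1
    for u in "$@"; do
        # refuse names that do not resolve anywhere on the search path (local or AD)
        if ! dscl /Search -read "/Users/$u" RecordName >/dev/null 2>&1; then
            echo "$u: no such user" >&2; continue
        fi
        if is_direct_member "$u" "$record"; then
            echo "$u: already a direct member of admin"
        else
            dscl . -append /Groups/admin GroupMembership "$u" && echo "$u: added"
        fi
    done
}

# revoke_admin user... : remove direct membership; never touches root
revoke_admin() {
    require_root || return 1
    record=$(read_admin_record) || return 1
    for u in "$@"; do
        [ "$u" = root ] && { echo "refusing to remove root" >&2; continue; }
        if is_direct_member "$u" "$record"; then
            dscl . -delete /Groups/admin GroupMembership "$u" && echo "$u: removed"
        else
            echo "$u: not a direct member (nested AD membership is unaffected)"
        fi
    done
}

# Usage on the Mac, as root:  . ./adminctl.sh; grant_admin jdoe; revoke_admin jdoe
```

Because the check reads the group record itself, a user who can install software through the AD group but still cannot sudo shows up as "not a direct member", which is the exact condition the post is working around. Pushed over ARD, the script behaves the same as the single commands above but refuses to append a name that does not resolve.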
If you have tech staff who don't like the CLI, here is an AppleScript that can be used. It lists the users who have already logged in by listing the home folders (it will not work with network home folders without modification). Copy this into Script Editor and save it as an application:

set userList to paragraphs of (do shell script "ls -1d /Users/* | cut -d/ -f3 | grep -v Shared")

-- choose from list returns a one-item list, or false if the user cancels
set chosen to choose from list userList with prompt "Select the user to make an admin"
if chosen is false then error number -128 -- User canceled
set userName to item 1 of chosen as text

-- quoted form keeps an unusual name from being split or interpreted by the shell
do shell script "dscl . -append /Groups/admin users " & quoted form of userName with administrator privileges

display dialog userName & " is now an admin of this computer"
If you would rather be able to type the users instead of selecting them from a list:

-- display dialog raises error -128 on Cancel; it never returns false
try
	set userList to text returned of (display dialog "Enter the user name(s) you would like to be admin(s), separated by spaces" default answer "")
on error number -128
	display dialog "Operation cancelled"
	return
end try
if userList is "" then return

-- quote each name separately so dscl receives one argument per user
set AppleScript's text item delimiters to space
set quotedNames to ""
repeat with u in text items of userList
	if (u as text) is not "" then set quotedNames to quotedNames & " " & quoted form of (u as text)
end repeat
do shell script "dscl . -append /Groups/admin users" & quotedNames with administrator privileges

display dialog userList & " is now an admin of this computer"

NOTE: These AppleScripts will not work over ARD, nor are they necessary there, since sending the single commands above is much easier.

3 comments:

BJ said...

Pat, I've found that in Leopard at least, I have to issue this command using sudo.

Is there a similar operation using dseditgroup?

Patrick Gallagher said...

Yes, the dscl command by itself does require sudo if you're not root already. Any administrative command does. The applescripts do not require it because the "with administrative privileges" takes care of that.

dseditgroup -o edit -a ADgroup -t group -n . admin

Matt said...

I can't thank you enough for this little tidbit. I knew there had to be a way.
