Making a single AD user into a local admin

NM...misread post...sorry

To solve this problem I made a little Automator app with two actions.

1. Ask for Text
   What NETWORK ACCOUNT should I promote to administrator?
   Checked Require an answer

2. Run Shell Script
   dseditgroup -o edit -n /Local/Default -u admin_dist -P "yourpasshere" -a $1 -t user admin

Then I packaged that up and put it on the Desktop of the Local Admin.

After imaging the tech will login and run it. We can do this right away as our naming convention includes a portion of the staff member's name. But it could also be done at checkout/pick-up.

I haven't thought of GOOD way to automate this further for various reasons.

EDIT: now that we have figured out how to get Applescript to pop open windows from Self Service I could go back and make it work from there I suppose...

Check out the script at the bottom of this post: https://jamfnation.jamfsoftware.com/discussion.html?id=2337

That's currently what i'm playing with. I include that script in a Configuration that is used to re-image machines. You add the username you want to be admin in parameter 4 and it adds it in at reboot.

For anything Post-Image, I have a script (I believe modified from the one mentioned above) that will Add an acct entered in Parameter 4 and Remove an acct if you enter it in Parameter 5.

this is a script that was posted by Tomas Tyler in the old mailing list. I have used this at many sites to make the first domain user who logs on to the machine a admin only. Works on lion and Snow leopard

#!/bin/bash
# v 3.2
###################################################
# Tomos Tyler
# 2011 Red Wine Ink.
# No Warranty or acceptance of responsibility if used
# 
# Can be used and distributed as long as these notes remain
#
################# Description #####################
#
# Some sites require a user to be an admin.
# However when using Windows Active Directory to authenticate
# using the Ad Plugin to set administration priviliges
# only gives a user admin rights while onsite.
# The following script adds a user to the administration group.
#
# Be Careful with this, if an admin user is removed from a computer
# a stub is left in the admin group referring to a user who does
# not exist. This will have to be fixed manually via dscl
#
#################### Notes ########################
#
# ${3}: The user's short name, when used with Casper
#
# If you have multiple Admin Users on your computer
# ensure you alter these below
# 
# Designed to be used by Casper as a login policy
###################################################
unset IFS
SAVEDIFS=$IFS
IFS=$' '
if [ -z ${3} ]; then
exit
else

    # Populate an array with the users in the current admin group

    adminGroup=( `dscl -f "/var/db/dslocal/nodes/Default" localonly -read /Local/Target/Groups/admin GroupMembership | awk -F ": " '{print $NF}'` )
   ADUserFound="0"

    # Cycle through the users and check their UniqueID

   for i in ${adminGroup[@]}; do
        #echo ${i}
        if [ ${i} = ${3} ]; then 
            echo "User ${3} is already an admin..."
            ADUserFound="1"
        fi
   done

   # Alter the following to the users to be excluded from processing

    if [ ${ADUserFound} = "0" ]; then
        if [ ${3} == "root" ]; then exit; fi
        if [ ${3} == "ladmin" ]; then exit; fi
        if [ ${3} == "cadmin" ]; then exit; fi
        if [ ${3} == "_cadmin" ]; then exit; fi
        if [ ${3} == "adobeinstall" ]; then exit; fi
    else
        echo "User ${3} is already an Admin or should not be processed."
        exit
    fi

 echo "User ${3} is not an admin proceeding..."

    for RecordName in "${adminGroup[@]}" ; do
        if [ ${ADUserFound} -eq "1" ]; then
            exit
        else
            IFS=": "
           UniqueID=( `dscl -f "/var/db/dslocal/nodes/Default" localonly -read /Local/Target/Users/${RecordName} UniqueID | awk '{print $2}'` )

# Simply exit the script if there is a UniqueID greater than 9999, this should be an AD user, hence a user has had admin rights granted

           if [[ ${UniqueID} -gt 9999 ]] ; then
               ADUserFound="1"
               echo "An AD User is already in the Admin Group!"
              exit
           fi
        fi
    done

    # If we get to this stage we can just simply add the user currently logging in, to the admin group
   dscl -f "/var/db/dslocal/nodes/Default" localonly -append /Local/Target/Groups/admin GroupMembership ${3}
    echo "Just added the user ${3} to the Admin Group"

    #
    # An option to call another process or login item for further configurations via launchD or more login hooks
    # touch /Users/${3}/Documents/Microsoft User Data/.SetupISBMail
fi
exit 0

Awesome Script, however I am having issues implementation it? Do I put this script in the image process or policies?

We just add the assigned user to the Managed By tab of the workstation object. This makes them admin of their machine only.

Where might that object be? Is it under management, settings or inventory?

Sorry,
That would be in AD in the Workstation container. Our technicians have read/write permissions to certain WS containers for staff machines. The other benefit is I know who the machine belongs to when I"m looking at the object for whatever reason.

What I'm doing is creating a policy that is scoped to the assigned user and is available in Self Service. That way they can do it once on the network and once at home under their mobile account if they need admin rights.

This is the script in the policy, I got most of it from another thread a while back:

#!/bin/bash

loggedInUser=$( ls -l /dev/console | awk '{ print $3 }' )
evaluate=$( /usr/sbin/dseditgroup -o checkmember -m $loggedInUser admin )

echo $evaluate

case $evaluate in
    *yes* ) echo User is already an admin on this mac;;
    *no* ) /usr/sbin/dseditgroup -o edit -a $loggedInUser -t user admin;;
    * ) echo Something went wrong;;
esac