I'm not following. Why aren't you adding the group to the binding in the first place?
You can have multiple bindings configured in the JSS and apply whichever you need to a machine.
On 7/25/11 4:49 PM, "Steve Barbee" <SBarbee at parkland.edu> wrote:
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Hello,
So I use scripts to add additional groups to bindings after the main binding is done; I'd rather have fewer people with admin by default if something went wrong. Hopefully this was what you were looking for.
Keep in mind two things about groups in AD bindings that are admin:
Users in the AD admin groups in the binding only have admin when they can talk to AD. If they are off network, no admin. This is different from adding a single AD user to the admin group locally or by checking the administer box in Settings for a user.
When you alter the GROUPs from AD with this script, it doesn't append; you need to have ALL of the desired groups in the command, delimited by commas, including those that already existed in your original binding.
This worked in 10.5 and 10.6. Haven't tested 10.7. The sleep was to make up for slower computers and the network not being up at boot yet (used at reboots for me sometimes).
#!/bin/sh
######################################################
## This script will add the following group later to AD bindings.
## Created Wednesday, January 9, 2008 - ERNSTCS
######################################################
# Give slow machines / reboots time for the network to come up before talking to AD
sleep 90
# -groups replaces the whole list: every admin group must be listed here, comma-delimited
/usr/sbin/dsconfigad -groups "LAB.BITS.ADMINS,LAB.ADMINS"
A quick word of advice here. If you add an AD group into the "Allow Administration By" section of the AD Plugin and the machine is a laptop, your users will log in when off site and lose admin permission.
If you want users to be added into the local Admin group (i.e. tick the box inside the Accounts pane of System Prefs to allow the user to administer the machine), I suggest the following.
# "${3}" is quoted so a user name with spaces is passed to dscl as one argument
dscl -f "/var/db/dslocal/nodes/Default" localonly -append /Local/Target/Groups/admin GroupMembership "${3}"
Obviously this is a command out of a bigger script I created for adding an AD user as an Admin, but the ${3} is the user name passed by Casper from a login policy.
Another word of caution...
If you add a user to the local admin group and then delete the user, there is a stub left in this group pointing to a non-existent user. This stub then gets the UID of another user. Try using the above command on an AD user, then deleting it out of System Prefs. The following command will list your local Admin members:
dscl -f "/var/db/dslocal/nodes/Default" localonly -read /Local/Target/Groups/admin GroupMembership | awk -F ": " '{print $NF}'
Tomos
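The two dscl commands above, worked into a small checked script as an added example (not Tomos's own code): it parses the GroupMembership output, lists admin members that no longer resolve to a local account (the stubs described above), and only appends a quoted user name when the account exists and is not already a member. The parsing functions take constructed input on stdin or as arguments so they run without dscl; the dscl calls need root on a Mac, and the `-list /Local/Target/Users` path is an assumption.

```bash
#!/bin/bash
# Added example, not from the thread. Checks the local admin group the way Tomos
# describes and wraps the -append in guards. Parsing is separated from the dscl
# calls so it can be exercised offline; the dscl calls themselves need root.
NODE="/var/db/dslocal/nodes/Default"

# Turn the dscl -read line "GroupMembership: root alice bob" (stdin) into one name per line.
admin_members_from_dscl() {
  awk -F ': ' '/^GroupMembership:/ { n = split($NF, a, " "); for (i = 1; i <= n; i++) print a[i] }'
}

# $1 = known user names (newline separated); remaining args = group members.
# Prints each member with no matching account: these are the stale stubs.
orphan_members() {
  local known="$1" m
  shift
  for m in "$@"; do
    printf '%s\n' "$known" | grep -qxF -- "$m" || printf '%s\n' "$m"
  done
}

# Live check: admin members that are no longer local (or mobile) accounts.
# Assumption: -list /Local/Target/Users enumerates the local node's user records.
report_orphans() {
  local members known
  members=$(dscl -f "$NODE" localonly -read /Local/Target/Groups/admin GroupMembership | admin_members_from_dscl)
  known=$(dscl -f "$NODE" localonly -list /Local/Target/Users)
  orphan_members "$known" $members   # unquoted on purpose: one argument per member
}

# Guarded form of the thread's -append: quoted name, the account must exist in the
# local node (e.g. a mobile account), and no duplicate entry if already a member.
add_local_admin() {
  local user="$1"
  if ! dscl -f "$NODE" localonly -read "/Local/Target/Users/$user" RecordName >/dev/null 2>&1; then
    echo "no local account for '$user'; not adding to admin" >&2
    return 1
  fi
  if dscl -f "$NODE" localonly -read /Local/Target/Groups/admin GroupMembership \
       | admin_members_from_dscl | grep -qxF -- "$user"; then
    return 0   # already an admin, nothing to do
  fi
  dscl -f "$NODE" localonly -append /Local/Target/Groups/admin GroupMembership "$user"
}
```

Run `report_orphans` after deleting an account to see any stub before another user inherits it.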
I was able to add the different groups in the JSS using different bindings. Did not think I could do that.
Thanks for your help.
Steve Barbee
Network Specialist
Parkland College - D263
2400 W. Bradley Avenue
Champaign, IL 61821
217.351.2888 Phone
217.353.2241 Fax
We are still fairly new to JAMF and are now experiencing this issue. We have 13-inch MacBook Pros that are bound to AD to be local administrators on the machine. When connected wirelessly to our network in the district, they are administrators on the machine. When we turn wireless off, after a few seconds and perhaps relaunching Sys Pref - Users & Groups - the checkbox to Allow the User to administer this machine is unchecked.
Looks like this thread is about a year old - have there been any easy fixes developed since then? We are not familiar with scripting yet, but if we have to then I suppose we'll have to learn it sooner or later.
@David, it's not a requirement to know any scripting to use the Casper Suite, but knowing some will certainly make your life easier as you get more involved with the product. So my recommendation would be to start looking through some basic shell scripting tutorials as a start. There are plenty out there on the interwebs.
As for the local admin/domain admin issue, the "fix" really depends on how comfortable you are with giving your users local admin rights that aren't managed by your domain controller. In essence, you can hardcode users into the Mac's local admin group, which will allow them admin rights regardless of whether they are connected to your network or not. The one caveat to this, I believe, is that you won't later be able to control their admin privileges on their Mac from the AD side. You'd have to basically 'script' them out of the local admin group. But that may not even be a concern for you; I don't know.
Here's another thread that discusses this issue a bit more. There are likely others here as well with some good information. I'll update my post if I find any others.
https://jamfnation.jamfsoftware.com/discussion.html?id=4054
Oh, and welcome to JAMFNation!
Hey David,
First and foremost, welcome to JAMF Nation and to being a Casper Administrator. Glad to see some new people aboard! To address your concern about scripting: it is definitely not required with the Casper suite. A lot of what you want to do can be accomplished within the suite itself. Scripting just offers some leverage on things that may be outside the product scope, or maybe something esoteric to your environment. There have been many posts about promoting local AD accounts to the admin group; I have posted many scripts on this in the past, before I ever even worked at JAMF.
This is a link to one of the scripts. It does require you to bind your Macs in a way where it creates mobile accounts upon login. It could be altered to not use the mobile account, but if you want it to work offline you need to use mobile accounts. Scroll down until you find my post.
https://jamfnation.jamfsoftware.com/discussion.html?id=4701
I hope this helps you.
Thanks and have a great weekend,
Tom