Question

AD user admin rights

  • February 27, 2015
  • 7 replies


Is there a way for me to make a certain AD user an admin on a Mac cart of 30 MacBook Airs?

7 replies

  • Contributor
  • February 27, 2015

In the directory bindings, under the Administration tab you can set a group or groups in the "Allow administration by" field to an AD security group that the user belongs to.

If you want it to be just that cart, create a separate binding for that cart specifically.


RobertHammen
  • Esteemed Contributor
  • February 27, 2015

Yes, in your AD binding prefs (must apply to all of the Macs in the cart), you can specify AD groups that are automatically admins on a machine.

Directory Utility->Active Directory->Administrative tab, checkbox for "Allow Administration by:" - click the + and add each AD group (must spell the group name correctly ;-)
If you do this via the JSS AD bind, it's very similar, except you get a text field and must type the groups, separated by commas. Be aware not to leave a space between the comma delimiting group names and the next name, or else those groups won't be admins (learned this the hard way once a long time ago ;-)

Hope this helps,

--Robert


  • Author
  • Valued Contributor
  • February 27, 2015

What if the cart has already been bound and enrolled in our systems...


  • Contributor
  • February 27, 2015

I use the following script to add AD groups as admins to an existing binding. To use it, you would enter the security group name in the $4 parameter.

#!/bin/bash
# Adds an AD security group to the "Allowed admin groups" of an existing
# binding. Jamf passes the group name as $4; the script needs root (Jamf
# policies run as root). Replace "yourdomain" with your NetBIOS domain name.
LOGHEADER="$(date '+%Y-%m-%d %H:%M:%S')"
SCRIPTNAME="add_ad_admin_group"
LOGFILE="/var/log/yourfile.log"

# Current list, e.g. "DOMAIN\group1,DOMAIN\group2"; dsconfigad prints
# "not set" when no admin groups are configured.
current_groups() {
    dsconfigad -show | awk -F'=' '/Allowed admin groups/ {sub(/^ */, "", $2); print $2}'
}

CURRENTGROUPS=$(current_groups)
NEWGROUP="yourdomain\\$4"
if [ -z "$CURRENTGROUPS" ] || [ "$CURRENTGROUPS" = "not set" ]; then
    EXPECTED="$NEWGROUP"
else
    EXPECTED="$CURRENTGROUPS,$NEWGROUP"
fi

dsconfigad -groups "$EXPECTED"
VALIDATEGROUPS=$(current_groups)

if [ "$VALIDATEGROUPS" = "$EXPECTED" ]; then
    echo "$LOGHEADER $SCRIPTNAME result: Admin Groups configured successfully." >> "$LOGFILE"
    exit 0
else
    echo "$LOGHEADER $SCRIPTNAME result: Unable to set admin groups." >> "$LOGFILE"
    exit 1
fi

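Two points from the replies above deserve a worked example: Robert's warning that a stray space after a delimiting comma becomes part of the group name, and the way the posted script appends to whatever dsconfigad -show reports (including the literal "not set" placeholder, or a group that is already in the list). The shell below is an added example and not code from this thread or from Jamf. It parses a constructed sample of dsconfigad -show output (the EXAMPLE domain and its group names are made up), treats "not set" as an empty list, trims whitespace around each name, and skips a group that is already present, so the value it produces is safe to hand to dsconfigad -groups even when the policy runs more than once.

```shell
#!/bin/bash
# Added example (not from the thread): build the "Allowed admin groups"
# value for `dsconfigad -groups` without corrupting the existing list.
# Pitfalls handled: the "not set" placeholder, whitespace after the
# delimiting commas, and re-adding a group that is already listed.

# Constructed sample of `dsconfigad -show` output. In production, replace
# this with the real command output (see the usage line at the bottom).
SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = EXAMPLE\mac-admins, EXAMPLE\helpdesk
  Authentication from any domain = Enabled'

# Extract the "Allowed admin groups" value from dsconfigad -show text on
# stdin. Prints nothing when the binding has no admin groups ("not set").
admin_groups_from_show() {
    awk -F'=' '/Allowed admin groups/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v != "not set") print v
    }'
}

# Normalize a comma-delimited list: trim whitespace around every name and
# drop empty entries, so "A\x, A\y" becomes "A\x,A\y".
normalize_groups() {
    printf '%s' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' | paste -s -d ',' -
}

# Append $2 to the list in $1 unless it is already present. The comparison
# is case-insensitive because AD group names are not case-sensitive.
add_group() {
    local current new_group
    current=$(normalize_groups "$1")
    new_group=$(normalize_groups "$2")
    if printf '%s\n' "$current" | tr ',' '\n' | grep -qixF -- "$new_group"; then
        printf '%s' "$current"          # already an admin group: unchanged
    elif [ -z "$current" ]; then
        printf '%s' "$new_group"        # first group on an empty list
    else
        printf '%s,%s' "$current" "$new_group"
    fi
}

# Usage: compute the value to pass to `dsconfigad -groups` (run as root).
# For a live run, use:  CURRENT=$(dsconfigad -show | admin_groups_from_show)
CURRENT=$(printf '%s\n' "$SAMPLE_SHOW" | admin_groups_from_show)
NEW=$(add_group "$CURRENT" 'EXAMPLE\cart-admins')
printf 'dsconfigad -groups "%s"\n' "$NEW"
```

The example deliberately stops short of calling dsconfigad so it can run anywhere; on a bound Mac the last two lines become a pipe from the real dsconfigad -show and a root invocation of dsconfigad -groups with $NEW, followed by the same re-read-and-compare check the posted script performs.
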
RobertHammen
  • Esteemed Contributor
  • February 27, 2015

script to unbind, and a policy to rebind using the new AD binding settings.

https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/

Be aware that this won't remove the Computer Object from AD, but that shouldn't be a big deal in this situation.


bentoms
  • Hall of Fame
  • February 28, 2015

@EliasG, We did what @Josh.Smith recommended a while ago across our client estate.

We then added that group to our binding, & when building Mac servers via Casper we then added a step to remove the same group.

No need to unbind then rebind.


CavCurator
  • Contributor
  • August 9, 2024

I use the following script to add AD groups as admins to an existing binding. To use it, you would enter the security group name in the $4 parameter.

#!/bin/bash
# Adds an AD security group to the "Allowed admin groups" of an existing
# binding. Jamf passes the group name as $4; the script needs root (Jamf
# policies run as root). Replace "yourdomain" with your NetBIOS domain name.
LOGHEADER="$(date '+%Y-%m-%d %H:%M:%S')"
SCRIPTNAME="add_ad_admin_group"
LOGFILE="/var/log/yourfile.log"

# Current list, e.g. "DOMAIN\group1,DOMAIN\group2"; dsconfigad prints
# "not set" when no admin groups are configured.
current_groups() {
    dsconfigad -show | awk -F'=' '/Allowed admin groups/ {sub(/^ */, "", $2); print $2}'
}

CURRENTGROUPS=$(current_groups)
NEWGROUP="yourdomain\\$4"
if [ -z "$CURRENTGROUPS" ] || [ "$CURRENTGROUPS" = "not set" ]; then
    EXPECTED="$NEWGROUP"
else
    EXPECTED="$CURRENTGROUPS,$NEWGROUP"
fi

dsconfigad -groups "$EXPECTED"
VALIDATEGROUPS=$(current_groups)

if [ "$VALIDATEGROUPS" = "$EXPECTED" ]; then
    echo "$LOGHEADER $SCRIPTNAME result: Admin Groups configured successfully." >> "$LOGFILE"
    exit 0
else
    echo "$LOGHEADER $SCRIPTNAME result: Unable to set admin groups." >> "$LOGFILE"
    exit 1
fi

This worked beautifully - thanks for sharing!