
Is there a way for me to make a certain AD user an admin on a Mac cart of 30 MacBook Airs?

In the directory bindings, under the Administration tab you can set a group or groups in the "Allow administration by" field to an AD security group that the user belongs to.



If you want it to be just that cart, create a separate binding for that cart specifically.


Yes, in your AD binding prefs (must apply to all of the Macs in the cart), you can specify AD groups that are automatically admins on a machine.



Directory Utility->Active Directory->Administrative tab, checkbox for "Allow Administration by:" - click the + and add each AD group (must spell the group name correctly ;-)
If you do this via the JSS AD bind, it's very similar, except you get a text field and must type the groups, separated by commas. Be aware not to leave a space between the comma delimiting group names and the next name, or else those groups won't be admins (learned this the hard way once a long time ago ;-)



Hope this helps,



--Robert


What if the cart has already been bound and enrolled in our systems...


I use the following script to add AD groups as admins to an existing binding. To use it you would enter the security group name in the $4 parameter.



#!/bin/bash

# Appends the AD group passed as Jamf script parameter $4 to the binding's
# "Allowed admin groups" list. Must run as root, since dsconfigad -groups
# rewrites the binding. LOGHEADER and SCRIPTNAME were undefined in the
# original, so the log lines came out blank.
LOGHEADER="$(date '+%Y-%m-%d %H:%M:%S')"
SCRIPTNAME="$(basename "$0")"
LOGFILE="/var/log/yourfile.log"

CURRENTGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/^ *//')
NEWGROUP="yourdomain\\$4"

# No leading comma (or a literal "not set") when no admin groups exist yet.
if [ -n "$CURRENTGROUPS" ] && [ "$CURRENTGROUPS" != "not set" ]; then
    EXPECTED="$CURRENTGROUPS,$NEWGROUP"
else
    EXPECTED="$NEWGROUP"
fi

dsconfigad -groups "$EXPECTED"
VALIDATEGROUPS=$(dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/^ *//')

if [ "$VALIDATEGROUPS" = "$EXPECTED" ]
then
    echo "$LOGHEADER $SCRIPTNAME result: Admin Groups configured successfully." >> "$LOGFILE"
    exit 0
else
    echo "$LOGHEADER $SCRIPTNAME result: Unable to set admin groups." >> "$LOGFILE"
    exit 1
fi

script to unbind, and a policy to rebind using the new AD binding settings.



https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/



Be aware that this won't remove the Computer Object from AD, but that shouldn't be a big deal in this situation.


@EliasG, we did what @Josh.Smith recommended a while ago across our client estate.



We then added that group to our binding, & when building Mac servers via Casper we then added a step to remove the same group.



No need to unbind then rebind.



This worked beautifully - thanks for sharing!

