Skip to main content
Question

Admin rights

  • December 2, 2011
  • 13 replies
  • 60 views
ImAMacGuy
Forum|alt.badge.img+23

Currently we have a process where an end user submits their request for
admin rights on a mac and it gets approved or denied. From there the
committee sends me a note and I add them to our policy to grant admin
rights, where I add their machine name to the scope.

The trigger is every 15, and done Once per computer.

What I would like to know is if there is a way to set the admin based
off user name so the end user has admin if they sign on to another
machine or to re-apply if the machine gets reimaged. As it stands now,
if the machine gets reimaged I have to create a new policy to push the
rights to them, which is cumbersome at the least, but if it can be
reapplied somehow that would be great.

I did try setting up a self-service to do it, by in the same policy I
selected Allow this policy to be used for Self Service, but I can't get
it to display in SS to give the user the option of re-adding admin based
on their machine name.

Any ideas how to streamline this a bit better?

Ultimately, I'd like to get the process to follow our PC process where
at every login the machine passes the user id to a DB and depending on
the users status in the DB (Admin or not) it would grant / revoke as
needed, so I don't need to mess with the policy at all.

John Wojda

Lead System Engineer, DEI & Mobility

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead DEI: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Fe
edback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>

Team Lead Mobility: Chris
<mailto:cstaana at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Fe
edback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.> Sta
Ana

Mac Tip/Tricks/Self Service & Support
<http://bit.ly/gMa7TB>

"Any time you choose to be inflexible in your approach to an
unpredictable project you are already building failure into your plan"

    13 replies

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • December 2, 2011

    Are you using local accounts then?

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Author
    • Esteemed Contributor
    • December 2, 2011

    Yes, we are using mobile accounts, I found out a little more, there is a VBScript that checks for all the local accounts on the machine, then passes that up to the afore mentioned URL/DB. The DB returns back a string that has basically approve / deny for every account that was passed. From there depending on the approve/deny for each user it either grants or revokes admin…

    So if the local machine sends domainuser1;domain2user2;domainuser3, the DB sends back a string that will say domainuser1=approve;domain2user2=deny;domainuser3=approve

    And from there the VBScript will grant / remove local admin rights.

    So my next question, since I know next to nothing about shell scripting and that is 10x more than I know about VBScript, how can I go about converting?

    I see that extension attributes will use VBScript, is that something I can plug the script in and somehow manipulate the results back to grant/revoke/do nothing for the admin rights?

    John Wojda

    Lead System Engineer, DEI & Mobility

    3333 Beverly Rd. B2-338B

    Hoffman Estates, IL 60179

    Phone: (847)286-7855

    Page: (224)532.3447

    Team Lead DEI: Matt Beiriger <mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>

    Team Lead Mobility: Chris <mailto:cstaana at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.> Sta Ana

    Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>

    “Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan”

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 2, 2011

    Why aren't the people just added to a Local Admin group in your Directory
    Service?

    Ryan M. Manly
    Glenbrook High Schools

    P
    Forum|alt.badge.img+5
    • pbachuwa
    • Contributor
    • December 2, 2011

    Because that will give them access to everyone's mac as admin.

    Patrick Bachuwa
    Desktop Engineering Applications Sears Holdings Corporation
    Michigan Campus
    3000 W. 14 Mile Road
    Royal Oak, MI 48073-1717
    Phone: 248 637-0350

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 2, 2011

    Details details...

    ;)

    Ryan M. Manly
    Glenbrook High Schools

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 2, 2011

    Too much coffee...or not enough?

    T
    Forum|alt.badge.img+31
    • tlarkin
    • Honored Contributor
    • December 2, 2011

    OK, I have a question then since I do not use AD here I am not sure how
    dscl will read AD attributes.

    Could you set up, say a specific group in AD of AD users that get local
    admin? Then check to see if that user is in fact a member of that
    specific AD group? Then scope out policy based on scripts for that
    particular set of data? Then deploy it via Casper and it should work on
    every machine that specific user logs into.

    Like for example, if you simply do this?

    dscl . read /Users/someuseraccount

    Does it display all the AD groups this user is in?

    -Tom

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Author
    • Esteemed Contributor
    • December 2, 2011

    This system is actually a separate system all together and not tied into AD. The company has so much silod that it would be a nightmare every time we had to engage the AD team to add someone.

    That being said, the dscl command returned, what looks like encrypted data for cached_groups

    John Wojda

    Lead System Engineer, DEI & Mobility

    3333 Beverly Rd. B2-338B

    Hoffman Estates, IL 60179

    Phone: (847)286-7855

    Page: (224)532.3447

    Team Lead DEI: Matt Beiriger <mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>

    Team Lead Mobility: Chris <mailto:cstaana at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.> Sta Ana

    Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>

    “Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan”

    R
    Forum|alt.badge.img+13
    • rockpapergoat
    • Contributor
    • December 2, 2011

    i did something similar awhile back.

    admin access was assigned to "deputy" accounts in AD based on a given machine's membership in the correct OU.

    so let's say for account "bob" on a machine in the correct "special_admin" OU, this script will create a mobile admin account for "admin_bob" or any others that are required. Any added account names are written to a file under /Library/Receipts, so the changes can be reverted if needed, even if the machine can't contact AD.

    https://github.com/rockpapergoat/scripts/blob/master/accountmanagement/deputize.rb

    it's not my best work, but maybe you can get some ideas from this.

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 2, 2011

    The solution is much simpler.

    In the Administrative Tab of Directory Utility you simply set "Allow
    Administration by:"

    then in my experience that doesn't work unless you also set in the Mappings
    tab "Map group GID to attribute:" gidNumber. There is some RFC for
    extending the schema for UNIX info that this falls under.

    Then gidNumber needs to be set in the Attribute editor of ADUC. I set ours
    to 31337 for eveyone in the IT group. ;)

    But as stated above that makes them an admin on every box bound to AD via
    Casper with these settings in place.

    dscl can check the group membership in AD with this command.

    dscl "/Active Directory/All Domains" read /Users/rmanly memberOf

    The interesting thing is the response from the id command when the "Map
    group GID..." setting is turned on and off. When it IS mapped that is the
    only group from AD that the user is a member of. All of the rest are the
    standard *NIX group memberships. When the GID number is NOT mapped ALL of
    the AD group memberships are listed.

    This is not an issue though because I don't care about any of those Windows
    groups (except IT staff) in Mac OS.

    Ryan M. Manly
    Glenbrook High Schools

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 2, 2011

    btw that previous post was just an FYI for Larkin.

    When you do get this figured out I would like to see the details because we
    have many users that are admins on only "their" laptop as well. Currently I
    have my guys run an Automator applet on the local admin users desktop and
    punch in the User's network account name which adds them to the admin group.

    It would be nice to do some sort of automated setup as the Machine name
    includes a portion of the username anyway...seems like a lot of up front
    work, though it would be cool to automate it all.

    Ryan M. Manly
    Glenbrook High Schools

    S
    Forum|alt.badge.img+12
    • sean
    • Contributor
    • December 2, 2011

    Can I assume you are talking about Lion? We had no problems using the AD plugin on 10.6.x and having all mapped groups work. We did see something similar to what you describe with Lion. However, we have Quest VAS available for use and their latest version of the plugin appears to work as expected on Lion, fixing Apple's AD problem. I imagine that the other 3rd party plugins out there also fix Apple's broken AD plugin problem.

    Sean

    R
    Forum|alt.badge.img+12
    • rmanly
    • Contributor
    • December 6, 2011

    It is 10.6.x but the IT staff group is the only one with a value set in AD.
    ;)

    Ryan M. Manly
    Glenbrook High Schools

    --missing content--

    ant admin rights, where I add their machine name to the scope.<br>

    <br>
    <br>
    The trigger is every 15, and done Once per computer.<br>
    <br>
    <br>
    What I would like to know is if there is a way to set the admin based off u
    ser name so the end user has admin if they sign on to another machine or to re-apply if the machine gets reimaged. As it stands now, if the machine ge
    ts reimaged I have to create a new policy to push the rights to them, which is cumbersome at the least, but if it can be reapplied somehow that would be great.<br>

    <br>
    <br>
    I did try setting up a self-service to do it, by in the same policy I selec
    ted Allow this policy to be used for Self Service, but I can=92t get it to display in SS to give the user the option of re-adding admin based on their machine name.<br>

    <br>
    <br>
    Any ideas how to streamline this a bit better?<br>
    <br>
    <br>
    Ultimately, I=92d like to get the process to follow our PC process where at every login the machine passes the user id to a DB and depending on the us
    ers status in the DB (Admin or not) it would grant / revoke as needed, so I don=92t need to mess with the policy at all.<br>

    <br>
    <br>
    <br>
    John Wojda<br>
    <br>
    Lead System Engineer, DEI &amp; Mobility<br>
    <br>
    3333 Beverly Rd. B2-338B<br>
    <br>
    Hoffman Estates, IL 60179<br>
    <br>
    Phone: <a href"tel:%28847%29286-7855" value"+18472867855">(847)286-78
    55</a><br>
    <br>
    Page: <a href"tel:%28224%29532.3447" value"+12245323447">(224)532.344
    7</a><br>
    <br>
    Team Lead DEI: Matt Beiriger<br>
    <br>
    Team Lead Mobility: Chris Sta Ana<br>
    <br>
    Mac Tip/Tricks/Self Service &amp; Support<br>
    <br>
    <br>
    =93Any time you choose to be inflexible in your approach to an unpredictabl
    e project you are already building failure into your plan=94<br>
    <br>
    <br>
    <br>

    Terms & ConditionsCookie settingsAccessibility statement