Admin Rights through AD Group

okay , not sure if this interests anyone but I have a way to stamp admin.

I have written an ongoing script, that gets the computers group membership, then gets the corresponding AD user group (we link these 2 groups through a local admins text file on our casper share).

The user groups membership is queried, and then admin is stamped for the users who are meant to have admin (added to the local admin). There is lots of error checking in there as well. Initial testing seems good.

The only thing we've added into this group is a caching of this membership onto the local system in the form of flags to stop the macs (we have 3000 of them) from overloading the directory servers. This cache is cleared on a regular basis via policy.

If anyone else is having issues with admin rights dropping on AD groups off network I can share my script(s)/workflow with you. Just drop me a message or reply to this thread :)

This is by design. OS X has to be within sight of a Domain Controller to obey that setting. There's lots of scripts here to hard-code admin rights.

Yea quickly realised that. Alot of the admin scripts here didn't fit with our workflow though and required me to do something a bit different

FWIW we quite often just tick the "Allow user to administer this computer" checkbox which adds them to the local admin group. Just means its a manual step which might not be desirable.

We've also gone down the route of setting the JSS allocated user as admin via an API script which worked ok.

Easy fella, how's you? Does this work with el crapitan?

Hello Mr.Straker,

I believe it is - the problem we had at UAL is we grant admin access through AD security groups, then add them to the local admin group.

We didn't really want to go round and start manually ticking 'allow this user to administer this machine' as it renders the groups useless, and also if we decide at a later date that a user in a group no longer requires admin they have been hardcoded admin through the GUI.

Basically what my script does is that ticking automatically based on whether or not that user has group membership. It also works the other way where it will revoke admin and do the 'untick'.

Can share it with you if you want or anyone that is interested. The only problem is that this Stamp admin script works with our current workflow for assigning admin via a text file on a file share.

I see you have been busy with all your certs!!! Are you Numero Uno there now Casper wise?? We have a meeting with JAMF here yesterday and it looks like we are going to implement is so I will be picking your brains a lot, will your AD script work outside of Casper? Can I get a copy to look over?

Yea the script will work outside of Casper. I can send it over to you if you want , along with forcing admin rights.

It depends how you want to assign admin though, single user to single machine or group based? You got my e-mail right?

@jamesdurler maybe this will help?

Hi James, never got your email, which address did you send it to?

Hi adam,

Drop me a line to j.durler@arts.ac.uk and i'll forward you the scripts

cheers