+9Does anyone know why our users lose admin right when they're not on our internal network? We're using cached AD accounts. The AD plugin specifies which AD groups have administrative rights. Shouldn't it cache the admin rights?
Jamie Bell
Apple Technology Administrator
The Westminster Schools
Ph: 404-609-6345
+16I may have spoken too soon. The script may be working too well. For testing purposes I've deleted my AD account from the computer and removed the OU that account is in from Directory Utility under "Allow administration by." Even though the OU my account is in is not in that list, the script appears to be granting my account administrator privileges regardless.
Am I reading the script wrong? Originally I thought the line:
if [ ! "$3" = "admin" ] && [ ! "$3" = "root" ]
is stating if $3 (cstout) has administrator privileges, then add to the local admin group.
If that is incorrect, is it querying to see if $3 is the actual user "admin" or "root"?
+9That bit is just to check if it's the actual username that is being logged in. I have a default admin account on each Mac, and I enable root as well. There's no point running this script for these two logins, so I skip it if one of these accounts logs in.
Due to the (admittedly crappy political stuff) setup I have, everyone gets admin rights regardless of whether "Allow administration by" is set or not. It's just a quick and hacky script to get the job done. You might want to look at Matt's script above, as it seems to take your scenario into consideration.
+16Matt's script appears to be exactly what I need. I am unsure if a declared variable needs to be customized for my environment, but the script is reporting properly back to the JSS. The script is running without error, but is showing that my AD account "is not a Network Admin" when System Preferences is accurately showing that my AD admin rights have been applied to my user. The script appears to not be properly verifying AD group membership and is defaulting to "User is not a Network Admin."
Any ideas?
Edit: I ended up modifying Matt's script with a different membership lookup. I couldn't figure out why Matt's script in my environment would not turn out any results, but if I had to guess it would be the way our AD was set up is far from simple. My modified script is at: https://jamfnation.jamfsoftware.com/discussion.html?id=7427
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.