Skip to main content
Question

Provide installation rights to domain admin user

  • February 6, 2015
  • 3 replies
  • 53 views
J
Forum|alt.badge.img+5

This is my first post and I'm new to Casper and binding to AD on OS X, so be gentle.

The goal: 1. Allow AD users to log in to Mac
2. Allow AD users to elevate to local Administrator privileges when needed
3. Prevent AD users from logging in and running as a local Administrator account

So in the end I want select users who have been given Admin rights to their machine, to be able to elevate to those rights when they need to perform Admin tasks, but to prohibit them from actually logging in and running as that admin user account.

Questions:
1. How can I do this on a Mac?
2. Is there a way to roll this out to deployed systems with Casper?

I know self service is an option to provide software, but some users need to make other admin changes at various times, so they have been awarded admin rights. We just want to force them to enter credentials any time they want to make an admin level change.

Thanks!

    3 replies

    RobertHammen
    Forum|alt.badge.img+29
    • RobertHammen
    • Esteemed Contributor
    • February 7, 2015

    Not sure there is an easy way to grant what you want. A local admin with a home directory of /var/empty?

    Why do you want users to be admins? You can alter what users are allowed to do:

    https://www.afp548.com/2013/10/22/modifying-the-os-x-mavericks-authorization-database/

    If the above is not suitable, why not a Self Service policy to make them temporary (i.e. 30 minutes) admins? There's a MakeMeAdmin script on this site which is incredibly useful.

    davidacland
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • February 7, 2015

    Two possible options are:

    • Use the 30minAdmin script that's knocking around jamfnation. It lets users become admins via a policy in self service and switches them back to standard after 30 mins
    • You could use the login window restrictions in a configuration profile, locking it down to domain users only. Then add a local admin account on the macs that the users know the details for. The profile would stop the user from actually logging in as that local admin user, but could authenticate to install software etc
    J
    Forum|alt.badge.img+5
    • johnpowell
    • Author
    • Contributor
    • February 16, 2015

    Thanks guys! I'll try out these solutions and let you know how it goes. Appreciate the help.

    Terms & ConditionsCookie settingsAccessibility statement