remove admin rights after date?

  • March 19, 2015
  • 9 replies
  • 25 views

ImAMacGuy

I'd like to be able to have the admin rights expire for the users 1 year after being assigned in the policy. Is there a way to do that? Probably something that detects the date they were assigned, then a daemon that gets created and counts down or looks for a specific date 1 year from that time?

9 replies

mm2270
  • Legendary Contributor
  • March 19, 2015

Are you talking about local accounts or AD/LDAP accounts? One year is a long way out, but it's possible to have a LaunchDaemon created with a specific StartCalendarInterval setting set for one year out from a specific time.

I can't write up anything more succinct than the above at the moment, but when I have a chance, I will post back with some more details on what may work.


acodega
  • Valued Contributor
  • March 19, 2015

You could look at a popular temporary admin rights method here.

Why a year?


  • Honored Contributor
  • March 19, 2015

Also check out the session presented at JNUC 2013, "Getting Users to Do Your Job (Without Them Knowing It)" by @Andrina.


ImAMacGuy
  • Author
  • Esteemed Contributor
  • March 19, 2015

Why a year... I have no idea. That's what the PC side has with over 70k machines, so they want the Macs to do the same.

The Self Service method got shot down because then there wouldn't be any governance over who got or didn't get them.


acodega
  • Valued Contributor
  • March 19, 2015

I don't think you're looking at it from the right angle.

You'd scope it to the person you're giving admin rights to, not make it available for everyone.


ImAMacGuy
  • Author
  • Esteemed Contributor
  • March 19, 2015

Technically, we are granting admin to all local accounts per machine. How would that change to give it to a specific account per machine?

And we'd still have the max of 1 year issue, I guess, but maybe that would be a moot point. I submitted the question to the interested parties...


  • Hall of Fame
  • March 19, 2015

If you're granting admin to all local users on the machine, add the staff group to the admin group in OS X. That should automatically grant all the local users admin rights on a machine, but not include AD users.

That said, if you're granting admin to all local users anyway, where does the governance angle come in?


ImAMacGuy
  • Author
  • Esteemed Contributor
  • March 19, 2015

@rtrouton We don't actually want all users to have admin on the box; it was just how the script ran. We'd much prefer just the requested user.


  • Valued Contributor
  • March 19, 2015

How does this user actually request admin rights? Let's assume there's some process that lands them in an AD group; you could create a policy scoped to this group, triggered by whatever makes sense to you (check-in, all, whatever). It would run a modified version of the "temporary admin" script referenced above, which would add the user to the admin group and then create a LaunchDaemon with a StartCalendarInterval of the current date + 1 year that removes the admin rights.
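The procedure in the reply above, as an added example that is not code from this thread or from the temporary-admin script it references: grant one named local user admin rights, then write and load a LaunchDaemon whose StartCalendarInterval is one year from now and whose job removes the user from the admin group again. The label, the plist path, the user name and the Jamf parameter position are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread or from the temporary-admin script it cites.
# Grants one local user admin rights now and schedules removal one year later via a
# LaunchDaemon. Assumes macOS (dseditgroup, launchctl, BSD date -v), run as root from
# a Jamf policy; the label, path and user name are hypothetical.
LABEL="com.example.tempadmin.remove"
PLIST="/Library/LaunchDaemons/${LABEL}.plist"
# StartCalendarInterval wants plain integers, so strip leading zeros from date output.
strip_zeros() { sed 's/^0//; s/ 0/ /g'; }
# "month day hour minute" for one year from now (BSD date -v, macOS only).
expiry_fields() { date -v+1y '+%m %d %H %M' | strip_zeros; }
# Emit the LaunchDaemon plist. Args: user month day hour minute. The job removes the
# user from admin, then deletes and unregisters itself, so the yearly recurrence of a
# StartCalendarInterval without a Year key cannot fire a second time.
write_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>${LABEL}</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/usr/sbin/dseditgroup -o edit -d $1 -t user admin; /bin/rm -f ${PLIST}; /bin/launchctl remove ${LABEL}</string>
  </array>
  <key>StartCalendarInterval</key>
  <dict>
    <key>Month</key><integer>$2</integer>
    <key>Day</key><integer>$3</integer>
    <key>Hour</key><integer>$4</integer>
    <key>Minute</key><integer>$5</integer>
  </dict>
</dict>
</plist>
EOF
}
# Grant admin and register the removal job. If the Mac is asleep on the day, launchd
# runs the missed StartCalendarInterval job at the next wake (cron would skip it).
grant_temp_admin() {
  id "$1" >/dev/null 2>&1 || { echo "no such local user: $1" >&2; return 1; }
  /usr/sbin/dseditgroup -o edit -a "$1" -t user admin || return 1
  set -- "$1" $(expiry_fields)
  write_plist "$@" > "$PLIST"
  chown root:wheel "$PLIST" && chmod 644 "$PLIST"
  /bin/launchctl load "$PLIST"
}
TARGET="${4:-${1:-}}"   # Jamf passes script parameters from $4; a direct run uses $1
[ -z "$TARGET" ] || grant_temp_admin "$TARGET"
```

A user granted rights this way is visible in the admin group from `dseditgroup -o read admin`, and the pending expiry is visible as the plist in /Library/LaunchDaemons, which gives the governance trail the thread asks about.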