An Admin User Question

lehmanp00
Contributor III

We use AD to authenticate our users for login. The users should be made local admins during the account creation (when they first log in to the Mac). In the district this works fine. When the user gets an admin prompt they can use their username. However, I'm hearing that when they go home, this isn't working. Does the Mac authenticate to AD each time?

Accepted Solution

ernstcs
Contributor III

A lot of us would say don't make them an admin! Or at least don't automatically make everyone an admin on every computer. =D

What's been stated is correct. You likely added an AD group to your AD binding 'Allow administration by' that includes all of these users. When AD is unavailable administration from these groups is not available. As suggested users could connect via VPN so they can have the machine talk back to AD if that's an option.

If you want the particular user to have admin, on or off the network, you would need to do what Todd suggests. You could make this an option for the user to run on their own through a Self Service policy. If you're allowing any of them to do it, why not.

I'd say test this heavily before deploying, but I just tried this in my (@Jared RED) development JSS and it worked on 10.8.

#!/bin/sh
# The owner of /dev/console is the user logged into the GUI session
user=$(ls -l /dev/console | cut -d " " -f 4)
# Add that user to the local admin group (runs as root from a Casper policy, so no -u/-p needed)
dseditgroup -o edit -a "$user" admin

I used Jared's get username line and Todd's command.


10 Replies

nessts
Valued Contributor II

That is because the AD groups don't exist at home unless they VPN back to the district.
you have to specifically run
dseditgroup -o edit -a username admin
for each user.
there are multiple ways to do that and points in time when it can be done.

lehmanp00
Contributor III

Ok. What would be the best way to do this?


lehmanp00
Contributor III

Thank You both very much for your help!

We have our users install all sorts of things both at work and at home. They demand it and we were told to do it. I can discuss this with my other Techs and see where we want to go from here.

ernstcs
Contributor III

I guess the one thing to note here is that unless you limit the scope on this Self Service, ANYONE, who logs into that computer and knows to use this command can make themselves an admin on any box. This is where you need to limit this to the AD group within the policy and require them to login to Self Service.
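The accepted solution above promotes whoever owns the console, and this post points out that without scoping anyone who can run the policy becomes an admin. The following script is an added example (not code from the thread or from the Casper Suite) that only promotes the console user if that user is a direct member of an allowed AD group and logs the decision; the group name MacAdmins, the syslog tag, and the use of the /Search node for membership are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Promotes the console user to the
# local admin group only if that user is in an allowed AD group, and records
# the decision. ALLOWED_GROUP and the syslog tag are assumptions.
ALLOWED_GROUP="${ALLOWED_GROUP:-MacAdmins}"   # assumed AD security group
TAG="selfservice-admin"                        # assumed syslog tag

# The owner of /dev/console is the user logged into the GUI session.
console_user() { stat -f %Su /dev/console 2>/dev/null; }

# Direct members of the AD group via the Search node (assumption). AD must be
# reachable, which is why this belongs in an on-network Self Service policy.
group_members() {
  dscl /Search -read "/Groups/$ALLOWED_GROUP" GroupMembership 2>/dev/null | cut -d: -f2
}

# Pure policy check so it can be exercised without a Mac:
# $1 = candidate user, $2 = whitespace-separated allowed members.
# Prints grant or deny; exit status 0 only on grant.
decide() {
  u="$1"; members="$2"
  case "$u" in ''|root|_*) echo deny; return 1 ;; esac          # never root or service accounts
  case "$u" in *[!A-Za-z0-9._-]*) echo deny; return 1 ;; esac    # odd characters never reach dseditgroup
  for m in $members; do
    [ "$m" = "$u" ] && { echo grant; return 0; }
  done
  echo deny; return 1
}

main() {
  u="$(console_user)"
  verdict="$(decide "$u" "$(group_members)")"
  logger -t "$TAG" "user=$u group=$ALLOWED_GROUP verdict=$verdict"
  [ "$verdict" = grant ] || exit 1
  # Idempotent: nothing to do if the user is already an admin.
  dseditgroup -o checkmember -m "$u" admin >/dev/null 2>&1 && exit 0
  dseditgroup -o edit -a "$u" -t user admin
}

# Only act when launched as root on macOS (Self Service runs policies as root).
if [ "$(id -u)" = 0 ] && [ "$(uname)" = Darwin ]; then main; fi
```

Scoping the Self Service policy to the same AD group in the JSS remains the first line of defence; the in-script check is a second one for the case where the policy scope is wrong.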

ernstcs
Contributor III

And one last statement here, and this is of course me trying to push my views. If these applications or whatever it is you have users install either at home or abroad are available in the JSS as a package, and you have a distribution point that's reachable to the outside world, you could very easily have all of these things available as a Self Service install and start diminishing the need for the end-user to have admin rights. I understand this is not always possible, believe me, but getting a lot of them out of that position is great. I'd rather work the other direction personally, restrict as much as possible, and then make the exceptions.

lehmanp00
Contributor III

Here is the command that I got working:

#!/bin/sh
# The owner of /dev/console is the user logged into the GUI session
user=$(ls -l /dev/console | cut -d " " -f 4)
# -u/-p are the credentials of an existing admin account, needed because a Tech runs this instead of root
dseditgroup -o edit -a "$user" -u admin -p admin admin

This works if the user to be added to admin group is logged in. However, you still need to know the Admin password so it isn't a great solution but at least we have something for the Techs to run.

ernstcs
Contributor III

You shouldn't need admin if running through self service...

lehmanp00
Contributor III

Full disclosure.

We don't have Casper licenses yet to manage OS X. We use it for iPads only right now. Still trying to find $.

Yes, I have been shamelessly using JAMFNation for help!

ernstcs
Contributor III

No shame in that. There are some smart nuts in here. We're all trying to accomplish the same management goals whether we use the Casper Suite or not. Of course I may be biased, but having the Casper Suite is totally worth it and will make your life easier overall.