AD user admin rights

EliasG
Contributor

Is there a way for me to make a certain AD user an admin on a Mac cart of 30 MacBook Airs?


cmarker
Contributor

In the directory bindings, under the Administration tab you can set a group or groups in the "Allow administration by" field to an AD security group that the user belongs to.

If you want it to be just that cart, create a separate binding for that cart specifically.

RobertHammen
Valued Contributor II

Yes, in your AD binding prefs (must apply to all of the Macs in the cart), you can specify AD groups that are automatically admins on a machine.

Directory Utility->Active Directory->Administrative tab, checkbox for "Allow Administration by:" - click the + and add each AD group (must spell the group name correctly ;-)
If you do this via the JSS AD bind, it's very similar, except you get a text field and must type the groups, separated by commas. Be aware not to leave a space between the comma delimiting group names and the next name, or else those groups won't be admins (learned this the hard way once a long time ago ;-)

Hope this helps,

--Robert

EliasG
Contributor

What if the cart has already been bound and enrolled in our systems...

Josh_Smith
Contributor III

I use the following script to add AD groups as admins to an existing binding. To use it you would enter the security group name in the $4 parameter.

#!/bin/bash
# Appends one AD group to the binding's "Allowed admin groups" list.
# Jamf passes the group name in $4; runs as root (dsconfigad -groups changes the binding).
DOMAIN="yourdomain"                    # NetBIOS domain name, e.g. CORP
LOGFILE="/var/log/yourfile.log"
LOGHEADER="$(date '+%Y-%m-%d %H:%M:%S')"
SCRIPTNAME="$(basename "$0")"

# Current list, e.g. "CORP\Group One,CORP\Group Two" ("not set" when empty).
getgroups() {
    dsconfigad -show | grep "Allowed admin groups" | awk 'BEGIN {FS = "="};{print $2}' | sed 's/^ *//'
}

CURRENTGROUPS="$(getgroups)"
NEWGROUP="${DOMAIN}\\$4"               # "\\" leaves one literal backslash: CORP\Group

# No leading comma (and no literal "not set" entry) when the list is empty.
if [ -z "$CURRENTGROUPS" ] || [ "$CURRENTGROUPS" = "not set" ]; then
    EXPECTEDGROUPS="$NEWGROUP"
else
    EXPECTEDGROUPS="$CURRENTGROUPS,$NEWGROUP"
fi

dsconfigad -groups "$EXPECTEDGROUPS"
VALIDATEGROUPS="$(getgroups)"
if [ "$VALIDATEGROUPS" = "$EXPECTEDGROUPS" ]; then
    echo "$LOGHEADER $SCRIPTNAME result: Admin Groups configured successfully." >> "$LOGFILE"
    exit 0
else
    echo "$LOGHEADER $SCRIPTNAME result: Unable to set admin groups." >> "$LOGFILE"
    exit 1
fi

This worked beautifully - thanks for sharing!

RobertHammen
Valued Contributor II

Script to unbind, and a policy to rebind using the new AD binding settings.

https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/

Be aware that this won't remove the Computer Object from AD, but that shouldn't be a big deal in this situation.

bentoms
Release Candidate Programs Tester

@EliasG, We did what @Josh.Smith recommended a while ago across our client estate.

We then added that group to our binding, and when building Mac servers via Casper we then added a step to remove the same group.

No need to unbind then rebind.
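Added example, not code from any poster in this thread: a small set of shell helpers that read the "Allowed admin groups" value out of `dsconfigad -show`, flag entries that were stored with a space after the comma (the mistake RobertHammen describes, which leaves that group without admin rights), rewrite the list cleanly, and drop one group again (the "remove the same group on servers" step bentoms mentions). The domain `EXAMPLE`, the group names, and the sample `dsconfigad -show` text are constructed; it also assumes a padded group name is stored and displayed verbatim by `dsconfigad -show`.

```shell
#!/bin/bash
# Audit and edit the "Allowed admin groups" list (added example, not from the thread).
# Only the parsing/list helpers run here; on a bound Mac feed them the real
# `dsconfigad -show` output and apply the result with `sudo dsconfigad -groups "..."`.

# Constructed sample of `dsconfigad -show` output. The third entry carries the
# stray space after the comma that the thread warns about.
SAMPLE_SHOW='Active Directory Domain          = ad.example.com
Advanced Options - Administrative
  Allowed admin groups           = EXAMPLE\Domain Admins,EXAMPLE\Mac Admins, EXAMPLE\Cart Admins
  Authentication from any domain = Enabled'

# Read `dsconfigad -show` on stdin; print the comma-separated group list.
admin_groups_from_show() {
    awk '/Allowed admin groups/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print }'
}

# Print each entry padded with whitespace (assumed to be stored and shown verbatim,
# so it can never match a real AD group name). Returns 1 if any was found.
find_padded_groups() {
    local list="$1" bad=0 entry
    local IFS=','
    for entry in $list; do
        case "$entry" in
            [[:space:]]*|*[[:space:]]) printf '[%s]\n' "$entry"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Strip whitespace around every comma, giving a value safe for dsconfigad -groups.
normalize_groups() {
    printf '%s' "$1" | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
                           -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 if the list contains the group (case-insensitive, like AD names).
list_has_group() {
    local list="$1" wanted entry
    wanted="$(lower "$2")"
    local IFS=','
    for entry in $list; do
        [ "$(lower "$entry")" = "$wanted" ] && return 0
    done
    return 1
}

# Print the list with one group removed (the "take the cart group off the servers" step).
remove_group_from_list() {
    local list="$1" wanted entry out=""
    wanted="$(lower "$2")"
    local IFS=','
    for entry in $list; do
        [ "$(lower "$entry")" = "$wanted" ] && continue
        out="${out:+$out,}$entry"
    done
    printf '%s\n' "$out"
}

# Demo on the constructed sample.
groups="$(printf '%s\n' "$SAMPLE_SHOW" | admin_groups_from_show)"
if ! find_padded_groups "$groups"; then
    printf 'Padded entries above never grant admin rights; fix with:\n'
    printf '  sudo dsconfigad -groups "%s"\n' "$(normalize_groups "$groups")"
fi
```

On a bound Mac, replace the sample with `dsconfigad -show | admin_groups_from_show`, then apply the cleaned or reduced list with `sudo dsconfigad -groups "..."` (it changes the binding, so it needs root). If removing a group leaves the list empty, clear it with `dsconfigad -nogroups` rather than passing an empty string.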