Posted on 02-27-2015 11:33 AM
Is there a way for me to make a certain AD user an admin on a Mac cart of 30 MacBook Airs?
Posted on 02-27-2015 12:34 PM
In the directory bindings, under the Administration tab you can set a group or groups in the "Allow administration by" field to an AD security group that the user belongs to.
If you want it to be just that cart, create a separate binding for that cart specifically.
Posted on 02-27-2015 12:41 PM
Yes, in your AD binding prefs (must apply to all of the Macs in the cart), you can specify AD groups that are automatically admins on a machine.
Directory Utility->Active Directory->Administrative tab, checkbox for "Allow Administration by:" - click the + and add each AD group (must spell the group name correctly ;-)
If you do this via the JSS AD bind, it's very similar, except you get a text field and must type the groups, separated by commas. Be aware not to leave a space between the comma delimiting group names and the next name, or else those groups won't be admins (learned this the hard way once a long time ago ;-)
Hope this helps,
--Robert
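Added example (not part of Robert's post, and not a Jamf or Apple tool): a small POSIX shell helper that canonicalises a comma-separated "Allow administration by" list before it reaches dsconfigad -groups. It trims the stray space after a delimiting comma that silently drops a group, prefixes DOMAIN\ where a bare group name was typed, and removes empty entries and duplicates. The domain yourdomain and the group names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): canonicalise an "Allow administration by"
# group list before it reaches dsconfigad -groups. A space after a delimiting
# comma becomes part of the next group name, so that group never matches an AD
# group and its members are silently not admins.
#
# normalize_admin_groups DOMAIN "raw list"
#   splits on commas, trims whitespace around each name, prefixes DOMAIN\ where a
#   name has no domain part, drops empty entries and exact duplicates, and prints
#   the list comma-separated with no spaces. Domain and group names are assumed.
normalize_admin_groups() {
    domain=$1
    raw=$2
    seen=""
    old_ifs=$IFS
    IFS=','
    set -f                      # no globbing while splitting on commas
    for name in $raw; do
        name=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$name" ] && continue
        case "$name" in
            *\\*) ;;                              # already DOMAIN\group
            *)    name="${domain}\\${name}" ;;    # bare group name: add the domain
        esac
        case ",$seen," in
            *",$name,"*) continue ;;              # duplicate
        esac
        seen="${seen:+$seen,}$name"
    done
    set +f
    IFS=$old_ifs
    printf '%s' "$seen"
}

# Returns 0 when the list is already in canonical form, 1 when it would be
# rewritten (a pre-flight check for the value typed into the JSS binding field).
admin_groups_ok() {
    [ "$(normalize_admin_groups "$1" "$2")" = "$2" ]
}

# Constructed input showing the pitfall: a space after the comma and a bare name.
RAW='yourdomain\Mac Admins, Cart Techs,yourdomain\Mac Admins'
printf 'before: %s\n' "$RAW"
printf 'after:  %s\n' "$(normalize_admin_groups yourdomain "$RAW")"
```

The output of normalize_admin_groups is what you would hand to dsconfigad -groups (as root, on a Mac that is already bound); admin_groups_ok is handy in a pre-flight step of a policy so a mistyped list is logged rather than applied.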
Posted on 02-27-2015 12:45 PM
What if the cart has already been bound and enrolled in our systems...
Posted on 02-27-2015 01:40 PM
I use the following script to add AD groups as admins to an existing binding. To use it you would enter the security group name in the $4 parameter.
#!/bin/bash
# Appends one AD group to the "Allowed admin groups" of an existing binding.
# Jamf parameter $4 = group name without the domain prefix. Runs as root (Jamf policy).
DOMAIN="yourdomain"
LOGFILE="/var/log/yourfile.log"
SCRIPTNAME=$(basename "$0")
LOGHEADER=$(date "+%Y-%m-%d %H:%M:%S")
# "\\" in double quotes gives one backslash; "\$4" would be the literal text $4.
NEWGROUP="${DOMAIN}\\$4"
# dsconfigad prints "not set" when no groups are configured, so treat that as empty.
CURRENTGROUPS=$(dsconfigad -show | awk -F' = ' '/Allowed admin groups/ {print $2}')
[ "$CURRENTGROUPS" = "not set" ] && CURRENTGROUPS=""
# -groups replaces the whole list, so re-supply the existing groups plus the new one.
TARGETGROUPS="${CURRENTGROUPS:+$CURRENTGROUPS,}$NEWGROUP"
dsconfigad -groups "$TARGETGROUPS"
VALIDATEGROUPS=$(dsconfigad -show | awk -F' = ' '/Allowed admin groups/ {print $2}')
if [ "$VALIDATEGROUPS" == "$TARGETGROUPS" ]
then
    echo "$LOGHEADER $SCRIPTNAME result: Admin Groups configured successfully." >> "$LOGFILE"
    exit 0
else
    echo "$LOGHEADER $SCRIPTNAME result: Unable to set admin groups." >> "$LOGFILE"
    exit 1
fi
Posted on 08-09-2024 08:10 AM
This worked beautifully - thanks for sharing!
Posted on 02-27-2015 01:48 PM
Script to unbind, and a policy to rebind using the new AD binding settings.
https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/
Be aware that this won't remove the Computer Object from AD, but that shouldn't be a big deal in this situation.
Posted on 02-28-2015 03:33 AM
@EliasG, we did what @Josh.Smith recommended a while ago across our client estate.
We then added that group to our binding, and when building Mac servers via Casper we added a step to remove the same group.
No need to unbind then rebind.