Posted on 07-10-2015 08:21 AM
I am attempting to add an active directory account to all of our Macs using the Local Account task in a policy in JSS. It adds the account fine on the mac but only adds it as a standard user, despite the fact I checked the box to allow the account to administer the computer. If anyone else has had this issue, I would greatly appreciate any help available.
Posted on 07-10-2015 08:24 AM
I don't think you can use the Local Account tab in a policy to add an Active Directory account to a Mac. That is only for local-only accounts, not ones tied to a directory service. That's why it's specifically labeled "Local Accounts".
You'd be better off looking into the 'createmobileaccount' binary and scripting this instead of the Local Accounts tab.
Posted on 07-10-2015 09:17 AM
@davidhead I think you might be able to do it using dscl, something like this...
dscl . -append /Groups/admin GroupMembership AD_user_name
Then just create a policy that uses Files & Processes and enter the command above in the process to execute field.
Of course, test the whole workflow first.
Posted on 07-10-2015 09:28 AM
dseditgroup -o edit -a username admin is probably a better method. I do not remember why off the top of my head, but I remember it works better.
Posted on 07-10-2015 09:32 AM
Because it's the preferred way of adjusting group membership per Apple. That, and dscl . -append is nasty since it doesn't do a check to see if the group has already been added, meaning if it runs repeatedly on the same account it will just keep adding in "admin" group entries to the dscl entry. Later, if you need to remove admin rights, it will be a mess.
Still, the Local Accounts section of a policy should not be used to add a directory-based account to a Mac. That's not what it's for in the first place.
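An added example (not from any poster in this thread) that puts the two points above into a re-runnable script: it uses dseditgroup -o checkmember to test membership first and only then dseditgroup -o edit -a, so repeated policy runs never stack duplicate entries the way dscl . -append does. The ADMIN_GROUP variable and the is_admin/ensure_admin function names are this example's own; it assumes it runs as root on macOS.

```shell
#!/bin/sh
# Added example: idempotently grant local admin rights to a directory (or
# local) account with dseditgroup. Intended to run as root on macOS, e.g.
# from a Jamf policy:  sudo ./ensure_admin.sh AD_user_name
# ADMIN_GROUP, is_admin and ensure_admin are names chosen for this example.
ADMIN_GROUP="${ADMIN_GROUP:-admin}"

# is_admin USER -> exit 0 if USER is already in the admin group.
# dseditgroup -o checkmember exits 0 for "yes" and non-zero for "no".
is_admin() {
    dseditgroup -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# ensure_admin USER -> adds USER to the admin group only when missing, then
# re-checks membership so a silent failure is reported instead of assumed.
# Prints exactly one of: already-admin, added, failed (exit 1 on failed).
ensure_admin() {
    user="$1"
    if is_admin "$user"; then
        echo "already-admin"
        return 0
    fi
    if dseditgroup -o edit -a "$user" -t user "$ADMIN_GROUP" >/dev/null 2>&1 \
        && is_admin "$user"; then
        echo "added"
        return 0
    fi
    echo "failed"
    return 1
}

# Jamf passes script parameters starting at $4; fall back to $1 for manual runs.
if [ -n "${4:-$1}" ]; then
    ensure_admin "${4:-$1}"
fi
```

Running it twice for the same account prints "added" and then "already-admin", and dscl . -read /Groups/admin GroupMembership keeps a single entry for the user either way.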
Posted on 07-10-2015 10:18 AM
Don't forget that when you bind computers to AD, there's the checkbox for "Allow administration by" (and you can enter the name of an AD group there). Most orgs I work with typically have existing groups like "workstation admins" or "desktop admins" for their local IT staff, so I always add these AD groups to the bind options so that users automagically become admins when they log in. Works like a charm.
Posted on 07-10-2015 10:26 AM
They are only admins while connected to the domain, correct (whether that is Apple's expected behavior or not)? If they are not actively authenticated against the domain (i.e. a cached account), I don't believe the administrative rights are persistent? I might be mistaken on this ...
Posted on 07-10-2015 10:29 AM
Yes, if the local cached mobile account record is not in the local admin group, as soon as they are disconnected from the domain controllers, they lose admin rights. In some cases, this can be useful, but in other cases, it can be a pain.
Posted on 07-10-2015 10:35 AM
Thanks to all of you for your responses. The dseditgroup command worked like a charm. I'm fairly new to Mac account management, so I appreciate all the help. It actually works better if they only have admin rights while they are connected to the domain.