Adding groups to "Allow administration by:" in Directory Utility

mkimmel_us
New Contributor II

We have just completed imaging and AD binding several hundred MacBooks for our students, and neglected to add a group to the binding options. Is it possible to add a group to the administration area of the Directory Utility via policy or script, or something similar? We'd like to avoid logging into all of them again if we can.

Alternatively, if anyone has a script to place the currently logged in user into the local administrator group that would also work.

Thanks for any help!

Mike

4 REPLIES

bajones
Contributor II

I would recommend the "dsconfigad" command. Taking a look at the man page for that command, it appears you should be able to perform this task in the following format:

dsconfigad -groups "group1@domain.com,group2@domain.com"

I have not tested this, so please take a look at the man page for dsconfigad and try it on a test computer. The command should be able to be pushed via ARD or Casper Remote/policy. I believe it requires root privileges.

mkimmel_us
New Contributor II

Okay, testing with ARD appears to reflect a positive result with your command. Thank you. It has, however, had no effect on any user that is within the groups added. This is apparently a known AD bug.

So, now I'm stuck from the AD side of things, it seems, and that brings me back to the possibility of using a command that makes the currently logged in user a member of the local admin group. Is that possible?

Mike

bajones
Contributor II

There are several threads on this board that explain how to add a local user to the admin group (https://jamfnation.jamfsoftware.com/discussion.html?id=6449 has some examples). This is actually preferable in a lot of cases since the "Allow Administration By" attribute generally has no effect when the computer can't reach the DC.
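
An added example, not part of the original thread or the linked discussion: a root-run script that puts the user at the console into the local admin group, as asked above. The function names, the `--apply` switch and the list of refused account names are assumptions made for this sketch; `stat`, `id` and `dseditgroup` are the stock macOS tools.

```shell
#!/bin/sh
# Added example: grant local admin to the currently logged-in console user.
# Push as root (management policy or ARD "Send UNIX Command") with --apply.

# Refuse names that must never be promoted: empty (nobody logged in), root,
# the loginwindow placeholder, and service accounts (leading underscore).
# This refusal list is an assumption; extend it for your environment.
is_eligible_user() {
    case "$1" in
        ""|root|loginwindow|_*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;   # unexpected characters in short name
    esac
    return 0
}

# The owner of /dev/console is the user holding the GUI session.
console_user() {
    stat -f%Su /dev/console
}

# Idempotent: the group is edited only when the user is not yet a member.
# Returns 2 when the name is refused, so the caller can log the skip.
grant_local_admin() {
    user="$1"
    is_eligible_user "$user" || { echo "refusing to promote '$user'" >&2; return 2; }
    if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "$user is already in admin"
        return 0
    fi
    dseditgroup -o edit -a "$user" -t user admin && echo "added $user to admin"
}

# Act only when explicitly asked, so loading the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    grant_local_admin "$(console_user)"
fi
```

Because the membership is stored in the local directory, it keeps working when the Mac cannot reach a domain controller; removing it later is `dseditgroup -o edit -d <user> -t user admin`.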

mkimmel_us
New Contributor II

Thanks a lot bajones. My searching did not yield links like that one. Guess my terms were not great.

Mike