admin access to install software at home with mac

  • April 7, 2014
  • 8 replies
  • 33 views


I have 20 new MacBook Pros that I just gave to teachers. I added the group they belong to in AD to the Mac in "Allow administration by". They can install software when they are in our network with no issues with admin rights. As soon as they go home they are no longer admins. Any idea what I can do to fix this issue? I will soon have 260 more Macs coming in, so I need to fix this problem with the 20.

8 replies

  • Contributor
  • April 7, 2014

Try this command:

sudo dscl . append /Groups/admin GroupMembership "User Name here"


  • Employee
  • April 7, 2014

Yes, that's because when the computer no longer has communication with the network, it cannot verify network group membership. If you only have a few computers, then you can run the command above for each user/computer that requires admin access while away. Since I've got such a large portables population here, I had to make a login policy script that would verify whether or not the user logging in has admin privileges because of their network group; if yes, then it would also add them to the local admins group.


mm2270
  • Legendary Contributor
  • April 7, 2014

My advice: as mentioned, add the users into the local admin group, since as you already discovered, the "Allow administration by" setting only works when the Mac is in range of your domain controller(s). But don't use dscl append for this. It's not intelligent and will happily add multiple entries of the same account into the group each time it's run, potentially leaving you with a mess to clean up later should you decide to remove someone from the admin group.

Apple's sanctioned way of doing this is with dseditgroup. It doesn't have the same problem mentioned above.
You can run the following as a login script on each Mac.

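#!/bin/sh

# The owner of /dev/console is the user logged in at the GUI
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

# Add that user to the local admin group
/usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin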

Note that you could also use $3 with a login script instead of capturing the logged in user as above. I personally prefer to get that information myself in my scripts since it makes them easier to run in various contexts, but I did want to mention that.

BTW, this topic has actually been covered here on JAMFNation in possibly a half dozen or more threads. Not sure if you searched and they just didn't come up, but they are definitely there.
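
The login-policy approach described in the replies above (check the network group, then add the user to the local admin group with dseditgroup), as an added example that is not code from any poster in this thread. The group name Teachers-MacAdmins and the function names are hypothetical, and it assumes `dseditgroup -o checkmember` output begins with "yes" for members.

```sh
#!/bin/sh
# Added example: grant local admin only to users in a designated AD group.
# AD_ADMIN_GROUP is a hypothetical name; substitute the group used in
# "Allow administration by".
AD_ADMIN_GROUP="${AD_ADMIN_GROUP:-Teachers-MacAdmins}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Succeeds if user $1 is a member of group $2. Off the network the AD
# lookup cannot succeed, so this fails closed.
is_member() {
    case "$("$DSEDITGROUP" -o checkmember -m "$1" "$2" 2>/dev/null)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prints one of: skipped, not-entitled, granted, failed.
grant_local_admin() {
    user="$1"
    case "$user" in
        ""|root|_*) echo "skipped"; return 0 ;;   # login window or system account
    esac
    if ! is_member "$user" "$AD_ADMIN_GROUP"; then
        echo "not-entitled"
        return 0
    fi
    # dseditgroup does not create a duplicate entry if the user is already listed.
    if "$DSEDITGROUP" -o edit -a "$user" -t user admin >/dev/null 2>&1; then
        echo "granted"
    else
        echo "failed"
        return 1
    fi
}

# Run only where dseditgroup exists (i.e. on a Mac), as a login script.
if [ -x "$DSEDITGROUP" ]; then
    loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
    grant_local_admin "$loggedInUser"
fi
```

The local grant persists after the user is later removed from the AD group; revoking it takes a separate `dseditgroup -o edit -d` on the Mac.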


  • New Contributor
  • April 7, 2014

I found this really helpful: http://www.kitzy.org/blog/2014/1/15/how-to-make-active-directory-users-local-admins


  • New Contributor
  • April 8, 2014

Watch the part on admin rights: http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

Scripts: https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job/MakeMeAdmin


  • Author
  • Valued Contributor
  • April 9, 2014

I tried those scripts but had no luck.


ImAMacGuy
  • Esteemed Contributor
  • April 9, 2014

We have the same issue.


  • Author
  • Valued Contributor
  • April 9, 2014

@jwojda it's very frustrating :)