admin access to install software at home with mac

EliasG
Contributor

I have 20 new macbook pro's that i just gave to teachers. I added the group they belong in AD to the mac in "allow administration by" They can install software when they are in our network with no issues with admin rights. As soon as they go home they are no longer admin's. Any idea what I can do to fix this issue? I will soon have 260 more macs coming in so I need to fix this problem with the 20.

8 REPLIES 8

don_cochran
New Contributor III

Try this command

sudo dscl . append /Groups/admin GroupMembership “User Name here”

cstout
Contributor III
Contributor III

Yes, that's because when the computer no longer has communication with the network it cannot verify network group membership. If you only have a few computers then you can do the command above for each user/computer that requires admin access while away. Since I've got such a large portables population here, I had to make a login policy script that would verify whether or not the user logging in has admin privileges because of their network group, if yes, then it would also add them to the local admins group.

mm2270
Legendary Contributor III

My advice. As mentioned, add the users into the local admin group , since as you already discovered, the "Allow administration by" setting only works when the Mac is in range of your domain controller(s), but don't use dscl append for this. its not intelligent and will happily add in multiple entries of the same account each time its run into the group, potentially leaving you with a mess to clean up later should you decide to remove someone from the admin group.

Apple's sanctioned way of doing this is with dseditgroup. It doesn't have the same problem mentioned above.
You can run the following as a login script on each Mac.

#!/bin/sh

loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

/usr/sbin/dseditgroup -o edit -a $loggedInUser -t user admin

Note that you could also use $3 with a login script instead of capturing the logged in user as above. I personally prefer to get that information myself in my scripts since it makes them easier to run in various contexts, but I did want to mention that.

BTW, this topic has actually been covered here on JAMFNation in possibly a half dozen or more threads. Not sure if you searched and they just didn't come up, but they are definitely there.

jeffs
New Contributor

I found this really helpful: http://www.kitzy.org/blog/2014/1/15/how-to-make-active-directory-users-local-admins

gmarnin
New Contributor III

Watch the part on admin rights: http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

Scripts: https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job/MakeMeAdmin

EliasG
Contributor

I tried those scripts but had no luck

ImAMacGuy
Valued Contributor II

we have the same issue.

EliasG
Contributor

@jwojda its very frustrating :)