Admin access to install software at home with Mac

EliasG
Contributor

I have 20 new MacBook Pros that I just gave to teachers. I added the group they belong to in AD to the Mac under "Allow administration by". They can install software when they are on our network with no issues with admin rights. As soon as they go home they are no longer admins. Any idea what I can do to fix this issue? I will soon have 260 more Macs coming in, so I need to fix this problem with the 20.

8 REPLIES

don_cochran
New Contributor III

Try this command

sudo dscl . append /Groups/admin GroupMembership "User Name here"

cstout
Contributor III

Yes, that's because when the computer no longer has communication with the network it cannot verify network group membership. If you only have a few computers then you can do the command above for each user/computer that requires admin access while away. Since I've got such a large portables population here, I had to make a login policy script that would verify whether or not the user logging in has admin privileges because of their network group; if yes, then it would also add them to the local admins group.

mm2270
Legendary Contributor III

My advice: as mentioned, add the users into the local admin group, since as you already discovered, the "Allow administration by" setting only works when the Mac is in range of your domain controller(s), but don't use dscl append for this. It's not intelligent and will happily add in multiple entries of the same account into the group each time it's run, potentially leaving you with a mess to clean up later should you decide to remove someone from the admin group.

Apple's sanctioned way of doing this is with dseditgroup. It doesn't have the same problem mentioned above.
You can run the following as a login script on each Mac.

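#!/bin/sh

# Get the user who owns the console (the user logging in)
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )

# Add that user to the local admin group
/usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin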

Note that you could also use $3 with a login script instead of capturing the logged in user as above. I personally prefer to get that information myself in my scripts since it makes them easier to run in various contexts, but I did want to mention that.

BTW, this topic has actually been covered here on JAMFNation in possibly a half dozen or more threads. Not sure if you searched and they just didn't come up, but they are definitely there.
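
Added example (not part of any post in this thread, and not Jamf's or Apple's code): a login script that combines the two approaches above, adding the user to the local admin group with dseditgroup only after the directory confirms membership in the entitled group. The group name `EXAMPLE-Teachers`, the function names, and the overridable `DSEDITGROUP` variable are assumptions made for this sketch; it also assumes `dseditgroup -o checkmember` answers with a line starting with "yes" for members.

```shell
#!/bin/sh
# Added example. AD_GROUP is a placeholder; set it to your own directory group.
AD_GROUP="${AD_GROUP:-EXAMPLE-Teachers}"
# Overridable so the decision logic can be exercised without a real directory.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Owner of /dev/console, captured the same way as the script in the thread.
console_user() {
    ls -l /dev/console | awk '{print $3}'
}

# True only when the directory confirms membership. Off the network the lookup
# fails or answers "no"; both are treated as "not confirmed".
in_directory_group() {
    out=$("$DSEDITGROUP" -o checkmember -m "$1" "$AD_GROUP" 2>/dev/null) || true
    case "$out" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Decide and act. Prints one word describing the outcome:
#   skipped   - no real user at the console (login window, root, system account)
#   unchanged - membership not confirmed; local admin group left as it is
#   granted   - user added to the local admin group
#   error     - dseditgroup refused the edit
grant_if_entitled() {
    user=$1
    case "$user" in
        ""|root|_*) echo skipped; return 0 ;;
    esac
    if ! in_directory_group "$user"; then
        echo unchanged; return 0
    fi
    if "$DSEDITGROUP" -o edit -a "$user" -t user admin; then
        echo granted
    else
        echo error; return 1
    fi
}

# Run only where dseditgroup exists (macOS). $3 is the user name passed to a
# login policy script; fall back to the console owner when it is absent.
if [ -x "$DSEDITGROUP" ]; then
    grant_if_entitled "${3:-$(console_user)}"
fi
```

The script never removes anyone from the local admin group, so a user taken out of the directory group keeps local admin until a separate cleanup removes them.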

jeffs
New Contributor

I found this really helpful: http://www.kitzy.org/blog/2014/1/15/how-to-make-active-directory-users-local-admins

gmarnin
New Contributor III

Watch the part on admin rights: http://www.jamfsoftware.com/resources/getting-users-to-do-your-job-without-them-knowing-it/

Scripts: https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job/MakeMeAdmin

EliasG
Contributor

I tried those scripts but had no luck

jwojda
Valued Contributor II

We have the same issue.

EliasG
Contributor

@jwojda it's very frustrating :)