Help

Admin rights for AD user accounts

lehmanp00
Contributor III

Posted on ‎09-09-2014 06:05 AM

In the AD client, I have a AD group in the "Allow Administration By" field under the Administrative tab.

When a network user logs in, the get an account just fine. It even says "Administrator" in the user list in Sys Prefs. However, when they try to use their username/password to authenticate as an admin to install something, OSX says they don't have rights.

These are 10.9.4 clients so far. Any other way to easily give users admin rights?

0 Kudos
3 REPLIES 3

elund
New Contributor III

Posted on ‎09-09-2014 06:23 AM

Yes there is a script that you can run to make the user an Admin.

#!/bin/bash 
#
####################################################################################################
#
# Copyright (c) 2013, JOHN KITZMILLER.  All rights reserved.
#
#       THIS SOFTWARE IS PROVIDED BY JOHN KITZMILLER "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JOHN KITZMILLER BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
#       This program is distributed "as is" by John Kitzmiller. For more
#       information or support for this script, please visit kitzy.org.
#
#####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   makeAdminUser.sh
#
####################################################################################################
#
# HISTORY
#
#   Version: 1.0
#
#   - Created by John Kitzmiller
#
####################################################################################################

# Check to make sure $3 is set properly by the JSS, if not, set the current username manually
# This is a workaround for D-005003 (resolved in 9.01)

if [ -z $3 ]; 
    then 
        currentUser=`stat -f '%Su' /dev/console` 
    else 
        currentUser=$3 
fi 

# Add the current user to the local admin group on the Mac

dseditgroup -o edit -a $currentUser -t user admin

if [ "$?" == "0" ];
    then
        echo "Successfully added $currentUser to admin group"
    else
        echo "ERROR: Unable to add $currentUser to admin group"
        exit 1
fi

exit 0
0 Kudos

RogerH
Contributor II

Posted on ‎10-02-2014 08:13 AM

Is there a way to make this script check the JSS for the assigned user and only grant admin rights to that account?

0 Kudos

nessts
Valued Contributor II

Posted on ‎10-02-2014 08:17 AM

Given the right motivation, and talent anything is possible.

0 Kudos