Admin Rights for Remote Employees

New Contributor II

Is it possible to grant local admin rights for a remote user? We are doing local accounts but this user is remote and needs Admin rights.


Contributor II

@FloridaChris Take a look at this, assuming you know who's remote and who is not. This can be easily resolved.

Valued Contributor II


+1 - @mack525 is spot on. That 110% works, but if you are not familiar with Python and you are familiar with shell, here is a shell script that was shared with me. It's not perfect; you will need to customize it with checks for logging off, shutting down, etc., because if the user shuts the computer down while the script is running, they can stay perm administrator. Again, it is flawed, but if you know shell and can set it up for your environment how you see fit, it works wonders. Hopefully some other users can chime in on alternative solutions, or better yet, a more polished solution.


# Get username of current logged in user
# This method breaks if you allow multiple accounts logged in.
USERNAME=$(who|grep console|awk '{print $1}')

membership=$(dsmemberutil checkmembership -U "$USERNAME" -G admin)
if [ "$membership" == "user is not a member of the group" ]; then
        # Load the launch daemon if it is not already loaded
        if ! launchctl list|grep -q; then launchctl load -w /System/Library/LaunchDaemons/; fi
        # Add the user to the admin group
        /usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
        # Schedule removal from the admin group in 5 minutes
        echo dseditgroup -o edit -d "$USERNAME" -t user admin|at now +5 minutes &>/dev/null
        # Tell the user about the temporary grant
        "/Library/Application Support/JAMF/bin/" -windowType hud -description "$USERNAME has been granted Administrative rights for 5 minutes." -title "Administrative rights" -button1 "OK" -icon "/Library/User Pictures/Animals/Eagle.tif" -timeout 3 &>/dev/null
fi
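Added example (not part of the post above and not Jamf's code): one way to close the shutdown gap that post describes is to record each grant's expiry on disk and revoke from a job that runs at boot and on an interval, instead of relying on a one-shot `at` job. `STATE_DIR`, the function names and the state-file layout are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example: temporary admin grants that survive a shutdown or logout.
# STATE_DIR and all function names are assumptions for this sketch.
STATE_DIR="${STATE_DIR:-/private/var/db/tempadmin}"

# Hooks for the actual group change (dseditgroup, as used in the thread).
promote_user() { /usr/sbin/dseditgroup -o edit -a "$1" -t user admin; }
demote_user()  { /usr/sbin/dseditgroup -o edit -d "$1" -t user admin; }

# Record the expiry on disk BEFORE promoting, so a shutdown between the
# two steps can never leave an admin with no pending revocation.
grant_temp_admin() {   # usage: grant_temp_admin USER MINUTES [NOW_EPOCH]
    local user="$1" minutes="$2" now="${3:-$(date +%s)}"
    # Reject empty names and anything that could escape STATE_DIR.
    case "$user" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    echo $(( now + minutes * 60 )) > "$STATE_DIR/$user" || return 1
    promote_user "$user"
}

# Demote every user whose recorded expiry has passed and print how many
# were revoked. Intended to run as root at boot and on a short interval.
revoke_expired() {     # usage: revoke_expired [NOW_EPOCH]
    local now="${1:-$(date +%s)}" f user expiry revoked=0
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        user="$(basename "$f")"
        expiry="$(cat "$f")"
        # A corrupt record is treated as already expired (fail closed).
        case "$expiry" in ''|*[!0-9]*) expiry=0 ;; esac
        if [ "$now" -ge "$expiry" ]; then
            # Keep the record if demotion fails so the next run retries.
            demote_user "$user" && rm -f "$f" && revoked=$(( revoked + 1 ))
        fi
    done
    echo "$revoked"
}
```

Because the expiry lives in a file rather than in a pending job, a machine that was powered off past the deadline demotes the user on the next run of `revoke_expired`.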

New Contributor II

If it's a one-off user you're trying to add remote admin rights to, create a policy with a 'files and processes' payload of:

sudo dscl . -append /Groups/admin GroupMembership USERNAME

and target it to their machine for either Self Service or a once-off check-in.

In general though, one of the above-mentioned solutions is going to be more complete.