Admin Rights through AD Group

jamesdurler
Contributor

Hi guys,

Currently we assign admin rights through AD user groups to machines. This works fine when on our organisation's network. However, if we take a machine off the network users lose admin rights.

They log in off the network and they are seen as not a member of the AD groups so privileges are revoked.

Is there a way you can get these to stick? It seems a bit volatile that not being able to talk to our directory server is an assumption that the user is not a member of the group.

I have a few ideas on how I can force it but it's a bit messy.


jamesdurler
Contributor

Okay, not sure if this interests anyone but I have a way to stamp admin.

I have written an ongoing script, that gets the computers group membership, then gets the corresponding AD user group (we link these 2 groups through a local admins text file on our casper share).

The user groups membership is queried, and then admin is stamped for the users who are meant to have admin (added to the local admin). There is lots of error checking in there as well. Initial testing seems good.

The only thing we've added into this group is a caching of this membership onto the local system in the form of flags to stop the macs (we have 3000 of them) from overloading the directory servers. This cache is cleared on a regular basis via policy.

If anyone else is having issues with admin rights dropping on AD groups off network I can share my script(s)/workflow with you. Just drop me a message or reply to this thread :)

jarednichols
Honored Contributor

This is by design. OS X has to be within sight of a Domain Controller to obey that setting. There's lots of scripts here to hard-code admin rights.

jamesdurler
Contributor

Yeah, quickly realised that. A lot of the admin scripts here didn't fit with our workflow though and required me to do something a bit different.

davidacland
Honored Contributor II

FWIW we quite often just tick the "Allow user to administer this computer" checkbox which adds them to the local admin group. Just means it's a manual step which might not be desirable.

We've also gone down the route of setting the JSS allocated user as admin via an API script which worked ok.

bulla80
New Contributor

Easy fella, how's you? Does this work with el crapitan?

jamesdurler
Contributor

Hello Mr. Straker,

I believe it is - the problem we had at UAL is we grant admin access through AD security groups, then add them to the local admin group.

We didn't really want to go round and start manually ticking 'allow this user to administer this machine' as it renders the groups useless, and also if we decide at a later date that a user in a group no longer requires admin they have been hardcoded admin through the GUI.

Basically what my script does is that ticking automatically based on whether or not that user has group membership. It also works the other way where it will revoke admin and do the 'untick'.

Can share it with you if you want or anyone that is interested. The only problem is that this Stamp admin script works with our current workflow for assigning admin via a text file on a file share.
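The automatic tick and untick described here, and the cached group lookup from the earlier script post, as an added example in bash; this is not the thread author's script and nothing in it is taken from it. The map file path, cache directory, AD node name, the break-glass account names in PROTECTED and the memberOf attribute used to read a computer's groups are all assumptions; the map file format is a constructed one. The cache is the source of truth whenever the directory is unreachable, so it is only trusted when root-owned and mode 600, and when neither the directory nor a trusted cache can answer, the script leaves the admin group as it is rather than treating "cannot talk to the DC" as "not a member":

```shell
#!/bin/bash
# Added example, not the thread's script: keep the local "admin" group on a
# Mac in step with AD group membership, with a root-only cache so thousands of
# Macs do not hammer the directory servers and so an off-network login does
# not look like "not a member". Paths, node and account names are assumed.
set -u

MAP_FILE="${MAP_FILE:-/Library/Management/local_admins.txt}"   # assumed path
CACHE_DIR="${CACHE_DIR:-/var/db/admin-sync}"                  # assumed path
AD_NODE="${AD_NODE:-/Active Directory/EXAMPLE/All Domains}"   # assumed AD node
PROTECTED="root localadmin"   # assumed break-glass accounts, never removed
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the plan, 0 = apply it with dseditgroup

# Map file (constructed format): "<AD computer group>:<AD user group>" per line.
user_groups_for() { awk -F: -v g="$1" '$1 == g { print $2 }' "$MAP_FILE"; }

# Trust a cache file only if we own it and nobody else can read or write it;
# a writable cache would let any local user grant themselves admin.
cache_ok() {
  [ -f "$1" ] && [ -O "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# cached <name> <command...>: serve <name> from the cache if it is trusted,
# otherwise run the command (fails off network) and cache a non-empty result.
# Returns 1 when neither is available so the caller can leave admins alone.
cached() {
  local cache="$CACHE_DIR/$1.cache"; shift
  if ! cache_ok "$cache"; then
    ( umask 077; mkdir -p "$CACHE_DIR"
      "$@" > "$cache.tmp" 2>/dev/null && [ -s "$cache.tmp" ] && mv "$cache.tmp" "$cache" ) \
      || rm -f "$cache.tmp"
  fi
  cache_ok "$cache" && cat "$cache"
}

# Directory queries (only run when the cache is cold or was cleared by policy).
ad_computer_query() {   # AD groups this Mac is in; attribute name is an assumption
  dscl "$AD_NODE" -read "/Computers/$(hostname -s)\$" dsAttrTypeNative:memberOf \
    | sed -n 's/.*CN=\([^,]*\),.*/\1/p'
}
ad_group_query() {      # members of one AD group, one per line
  dscl "$AD_NODE" -read "/Groups/$1" GroupMembership \
    | sed -n 's/^GroupMembership: //p' | tr ' ' '\n'
}
local_admins() {        # current members of the local admin group
  dscl . -read /Groups/admin GroupMembership | sed -n 's/^GroupMembership: //p' | tr ' ' '\n'
}

# plan_changes <desired file> <current file>: prints "add <user>" and
# "remove <user>" lines (the automatic tick and untick); protected accounts
# are never removed.
plan_changes() {
  local desired="$1" current="$2" u
  for u in $(sort -u "$desired"); do
    grep -qx "$u" "$current" || echo "add $u"
  done
  for u in $(sort -u "$current"); do
    case " $PROTECTED " in *" $u "*) continue ;; esac
    grep -qx "$u" "$desired" || echo "remove $u"
  done
}

apply_plan() {          # reads plan lines on stdin and applies them
  while read -r action user; do
    case "$action" in
      add)    dseditgroup -o edit -a "$user" -t user admin ;;
      remove) dseditgroup -o edit -d "$user" -t user admin ;;
    esac
  done
}

main() {
  local tmp cg ug; tmp=$(mktemp -d)
  if ! cached computer-groups ad_computer_query > "$tmp/cgroups"; then
    echo "no computer group data (off network, no cache): leaving admins unchanged" >&2
    rm -rf "$tmp"; return 1
  fi
  : > "$tmp/desired"
  while read -r cg; do
    for ug in $(user_groups_for "$cg"); do
      if ! cached "group-$ug" ad_group_query "$ug" >> "$tmp/desired"; then
        echo "no membership data for $ug: leaving admins unchanged" >&2
        rm -rf "$tmp"; return 1
      fi
    done
  done < "$tmp/cgroups"
  local_admins > "$tmp/current"
  if [ "$DRY_RUN" = 1 ]; then plan_changes "$tmp/desired" "$tmp/current"
  else plan_changes "$tmp/desired" "$tmp/current" | apply_plan; fi
  rm -rf "$tmp"
}

if [ "${ADMIN_SYNC_RUN:-0}" = 1 ]; then main; fi
```

Run it as root from a recurring policy with `ADMIN_SYNC_RUN=1 DRY_RUN=0`; the periodic cache clear the earlier post mentions is just `rm -rf /var/db/admin-sync` (or whatever CACHE_DIR is set to) on an on-network policy, after which the next run repopulates it from the directory. A group whose lookup returns nothing is treated the same as an unreachable DC, so an empty AD group never silently strips every admin; if that is a case you want to act on, add an explicit empty-marker to the cache rather than relaxing the `-s` check.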

bulla80
New Contributor

I see you have been busy with all your certs!!! Are you Numero Uno there now Casper wise?? We had a meeting with JAMF here yesterday and it looks like we are going to implement it, so I will be picking your brains a lot. Will your AD script work outside of Casper? Can I get a copy to look over?

jamesdurler
Contributor

Yeah, the script will work outside of Casper. I can send it over to you if you want, along with forcing admin rights.

It depends how you want to assign admin though, single user to single machine or group based? You got my e-mail right?

bentoms
Release Candidate Programs Tester

@jamesdurler maybe this will help?

bulla80
New Contributor

Hi James, never got your email, which address did you send it to?

jamesdurler
Contributor

Hi Adam,

Drop me a line at j.durler@arts.ac.uk and I'll forward you the scripts.

Cheers