Admin rights

ImAMacGuy
Valued Contributor II

Currently we have a process where an end user submits their request for
admin rights on a mac and it gets approved or denied. From there the
committee sends me a note and I add them to our policy to grant admin
rights, where I add their machine name to the scope.

The trigger is every 15, and it is set to run once per computer.

What I would like to know is if there is a way to set the admin rights based
on user name, so the end user has admin if they sign on to another machine,
or to re-apply them if the machine gets reimaged. As it stands now, if the
machine gets reimaged I have to create a new policy to push the rights to
them, which is cumbersome at the least, but if it can be reapplied somehow
that would be great.

I did try setting up a Self Service option to do it: in the same policy I
selected Allow this policy to be used for Self Service, but I can't get it
to display in Self Service to give the user the option of re-adding admin
based on their machine name.

Any ideas how to streamline this a bit better?

Ultimately, I'd like to get the process to follow our PC process, where at
every login the machine passes the user id to a DB and, depending on the
user's status in the DB (admin or not), it would grant / revoke as needed,
so I don't need to mess with the policy at all.

John Wojda
Lead System Engineer, DEI & Mobility
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead DEI: Matt Beiriger <mbeirig at searshc.com>
Team Lead Mobility: Chris Sta Ana <cstaana at searshc.com>
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>

"Any time you choose to be inflexible in your approach to an
unpredictable project you are already building failure into your plan"

13 replies

tlarkin
Honored Contributor

Are you using local accounts then?

ImAMacGuy
Valued Contributor II

Yes, we are using mobile accounts. I found out a little more: there is a VBScript that checks for all the local accounts on the machine, then passes that up to the aforementioned URL/DB. The DB returns a string that has basically approve / deny for every account that was passed. From there, depending on the approve/deny for each user, it either grants or revokes admin…

So if the local machine sends domainuser1;domain2user2;domainuser3, the DB sends back a string that will say domainuser1=approve;domain2user2=deny;domainuser3=approve

And from there the VBScript will grant / remove local admin rights.

So my next question: since I know next to nothing about shell scripting, and that is 10x more than I know about VBScript, how can I go about converting?

I see that extension attributes will use VBScript; is that something I can plug the script into and somehow manipulate the results back to grant/revoke/do nothing for the admin rights?

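A shell port of the flow described in the post above, added here as an example; it is not the VBScript from the thread and not anything shipped with Casper. It assumes things the post does not state: the approval endpoint is taken from an ADMIN_DB_URL environment variable, it accepts the ';'-joined account list in a POST field named "users", it replies with exactly the "name=approve;name=deny" string quoted above, and the names are the local short names of the mobile accounts. The sample strings in the block are constructed from the post. The part worth copying is plan_actions: it validates every account name, ignores verdicts for accounts the Mac did not ask about, and drops anything it cannot parse, so a malformed or tampered reply can never grant admin by accident.

```bash
#!/bin/bash
# Added example: shell port of the approve/deny flow from the post, not the
# original VBScript. Assumptions (not in the post): ADMIN_DB_URL holds the
# HTTPS approval endpoint; it takes the ';'-joined account list in a POST
# field "users"; it replies "name=approve;name=deny"; names are local short
# names of the mobile accounts.
set -u

# Constructed sample data mirroring the strings quoted in the post.
SAMPLE_USERS='domainuser1;domain2user2;domainuser3'
SAMPLE_RESPONSE='domainuser1=approve;domain2user2=deny;domainuser3=approve'

# Every local account (mobile/cached AD accounts included) with UID >= 500,
# joined with ';' to match the request format from the post.
list_local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }' | paste -s -d ';' -
}

# Ask the DB. Certificate verification stays on: this reply decides who gets
# root-equivalent rights, so never add -k/--insecure here.
fetch_verdicts() {
  curl -fsS --max-time 15 --data-urlencode "users=$1" "$ADMIN_DB_URL"
}

# Pure function: turn "user1=approve;user2=deny" into one "add <user>" or
# "remove <user>" line per account. $2 (optional) is the list we asked about;
# verdicts for accounts we did not ask about, malformed pairs and unknown
# verdict words are dropped, so a broken or tampered reply can never grant
# rights by accident (fail closed). Runs in a subshell so IFS/noglob stay local.
plan_actions() (
  set -f                                   # never glob the split fields
  asked="${2:-}"
  cr="$(printf '\r')"
  IFS=';'
  for pair in $1; do
    pair="${pair%$cr}"                     # tolerate CRLF from a Windows-hosted DB
    user="${pair%%=*}"
    verdict="${pair#*=}"
    # Short names only: letters, digits, dot, underscore, dash.
    case "$user" in ''|*[!A-Za-z0-9._-]*) continue ;; esac
    if [ -n "$asked" ]; then
      case ";$asked;" in *";$user;"*) ;; *) continue ;; esac
    fi
    case "$verdict" in
      approve) echo "add $user" ;;
      deny)    echo "remove $user" ;;
    esac
  done
  return 0
)

# Apply a plan from stdin with dseditgroup, touching the admin group only
# when the current membership differs (idempotent, so safe on every login).
apply_actions() {
  local action user
  while read -r action user; do
    if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
      if [ "$action" = remove ]; then
        dseditgroup -o edit -d "$user" -t user admin && echo "revoked admin: $user"
      fi
    elif [ "$action" = add ]; then
      dseditgroup -o edit -a "$user" -t user admin && echo "granted admin: $user"
    fi
  done
}

main() {
  : "${ADMIN_DB_URL:?set ADMIN_DB_URL to the approval endpoint}"
  local users response
  users="$(list_local_users)"
  if ! response="$(fetch_verdicts "$users")"; then
    echo "approval DB unreachable; leaving admin rights unchanged" >&2
    return 1
  fi
  plan_actions "$response" "$users" | apply_actions
}

# Only act when invoked explicitly, e.g. from a Casper login-triggered policy:
#   sudo ADMIN_DB_URL=https://approvals.example/check bash grant_admin.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Running it from a login-triggered policy gives the "grant / revoke at every login" behaviour of the PC process, and because it only changes membership that differs from the verdict it can also be the same script behind a Self Service re-apply button. If the DB is unreachable the script deliberately does nothing rather than revoking everyone.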

rmanly
Contributor III

Why aren't the people just added to a Local Admin group in your Directory
Service?

Ryan M. Manly
Glenbrook High Schools

pbachuwa
New Contributor

Because that will give them access to everyone's mac as admin.

Patrick Bachuwa
Desktop Engineering Applications Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350

rmanly
Contributor III

Details details...

;)

Ryan M. Manly
Glenbrook High Schools

rmanly
Contributor III

Too much coffee...or not enough?

tlarkin
Honored Contributor

OK, I have a question then. Since I do not use AD here, I am not sure how
dscl will read AD attributes.

Could you set up, say, a specific group in AD of AD users that get local
admin? Then check to see if that user is in fact a member of that
specific AD group? Then scope out a policy based on scripts for that
particular set of data? Then deploy it via Casper and it should work on
every machine that specific user logs into.

Like, for example, if you simply do this:

dscl . read /Users/someuseraccount

does it display all the AD groups this user is in?

-Tom

ImAMacGuy
Valued Contributor II

This system is actually a separate system altogether and not tied into AD. The company is so siloed that it would be a nightmare every time we had to engage the AD team to add someone.

That being said, the dscl command returned what looks like encrypted data for cached_groups.


rockpapergoat
Contributor III

I did something similar a while back.

Admin access was assigned to "deputy" accounts in AD based on a given machine's membership in the correct OU.

So let's say for account "bob" on a machine in the correct "special_admin" OU, this script will create a mobile admin account for "admin_bob" or any others that are required. Any added account names are written to a file under /Library/Receipts, so the changes can be reverted if needed, even if the machine can't contact AD.

https://github.com/rockpapergoat/scripts/blob/master/accountmanagement/deputize.rb

It's not my best work, but maybe you can get some ideas from this.

rmanly
Contributor III

The solution is much simpler.

In the Administrative tab of Directory Utility you simply set "Allow
Administration by:".

In my experience that doesn't work unless you also set, in the Mappings
tab, "Map group GID to attribute:" gidNumber. There is some RFC for
extending the schema for UNIX info that this falls under.

Then gidNumber needs to be set in the Attribute Editor of ADUC. I set ours
to 31337 for everyone in the IT group. ;)

But as stated above, that makes them an admin on every box bound to AD via
Casper with these settings in place.

dscl can check the group membership in AD with this command.

dscl "/Active Directory/All Domains" read /Users/rmanly memberOf

The interesting thing is the response from the id command when the "Map
group GID..." setting is turned on and off. When it IS mapped that is the
only group from AD that the user is a member of. All of the rest are the
standard *NIX group memberships. When the GID number is NOT mapped ALL of
the AD group memberships are listed.

This is not an issue though because I don't care about any of those Windows
groups (except IT staff) in Mac OS.

Ryan M. Manly
Glenbrook High Schools
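The two posts above (tlarkin's question about checking an AD group with dscl, and the memberOf command just shown) map directly onto a per-machine script. The block below is an added example, not code from the thread or from Casper: it parses the multi-valued memberOf attribute that "dscl "/Active Directory/All Domains" read /Users/<name> memberOf" prints, turns that into an approve/deny verdict for a named AD group, and applies the verdict with dseditgroup. The node path, the group name "Mac Local Admins" and the sample dscl output are assumptions; the sample is constructed in the shape dscl uses (a header line, then one indented DN per value). Two caveats the code handles: memberOf lists direct memberships only, so a user who is admin via a nested group is not seen, and a mobile account logging in off the network cannot read AD at all, in which case the script leaves rights as they are instead of revoking.

```bash
#!/bin/bash
# Added example, not from the thread: decide local admin rights from the AD
# group a user belongs to, read through the dscl command quoted in the post.
# Assumptions: the AD node path below, a group named "Mac Local Admins"
# (override with ADMIN_GROUP), and that the Mac is bound to AD.
set -u

AD_NODE='/Active Directory/All Domains'
ADMIN_GROUP="${ADMIN_GROUP:-Mac Local Admins}"

# Constructed sample of what "dscl <node> read /Users/<name> memberOf" prints
# for a user in two groups: a header line, then one indented DN per value.
SAMPLE_MEMBEROF='dsAttrTypeNative:memberOf:
 CN=Mac Local Admins,OU=Groups,DC=example,DC=com
 CN=Domain Users,CN=Users,DC=example,DC=com'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pure helper: reads dscl's memberOf output on stdin; exits 0 if one of the
# DNs has CN equal to $1 (case-insensitive, as AD names are), else 1.
# memberOf lists direct memberships only, so nested groups are not seen.
memberof_contains() {
  local want line cn
  want="$(lower "$1")"
  while IFS= read -r line; do
    line="${line#dsAttrTypeNative:}"
    line="${line#memberOf:}"
    line="${line# }"                     # dscl indents each value by one space
    [ -n "$line" ] || continue
    # CN up to the first unescaped comma, then drop the escapes (AD writes
    # "Smith\, John" for a comma inside a name).
    cn="$(printf '%s' "$line" | sed -E -e 's/^[Cc][Nn]=((\\.|[^,\\])*).*/\1/' -e 's/\\(.)/\1/g')"
    [ "$(lower "$cn")" = "$want" ] && return 0
  done
  return 1
}

# "approve", "deny", or "unknown" when the directory cannot be read (mobile
# account working offline, or an unbound Mac). Unknown never revokes: a laptop
# off the network must not lose rights it was granted.
verdict_for_user() {
  local user="$1" out
  if ! out="$(dscl "$AD_NODE" read "/Users/$user" memberOf 2>/dev/null)"; then
    echo unknown
    return 0
  fi
  if printf '%s\n' "$out" | memberof_contains "$ADMIN_GROUP"; then
    echo approve
  else
    echo deny
  fi
}

# Bring the local admin group in line with the verdict for one user,
# touching membership only when it actually differs.
sync_admin() {
  local user="$1" v
  v="$(verdict_for_user "$user")"
  case "$v" in
    approve)
      if ! dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        dseditgroup -o edit -a "$user" -t user admin && echo "granted admin: $user"
      fi ;;
    deny)
      if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        dseditgroup -o edit -d "$user" -t user admin && echo "revoked admin: $user"
      fi ;;
    *)
      echo "$AD_NODE unreachable; leaving $user unchanged" >&2 ;;
  esac
}

# Casper passes the logging-in user as $3 to login-triggered scripts; act
# only when invoked that way (mount point, computer name, user name).
if [ -n "${3:-}" ]; then
  sync_admin "$3"
fi
```

Scoped to a login-triggered policy this gives the "admin on every machine this user logs into" behaviour tlarkin describes, without the all-machines effect of the Directory Utility "Allow administration by:" setting (the same setting dsconfigad -groups configures from the command line), because the group check runs per Mac and you can still combine it with a per-machine list before calling sync_admin.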

rmanly
Contributor III

btw that previous post was just an FYI for Larkin.

When you do get this figured out I would like to see the details, because we
have many users that are admins on only "their" laptop as well. Currently I
have my guys run an Automator applet on the local admin user's desktop and
punch in the user's network account name, which adds them to the admin group.

It would be nice to do some sort of automated setup, as the machine name
includes a portion of the username anyway... seems like a lot of up-front
work, though it would be cool to automate it all.

Ryan M. Manly
Glenbrook High Schools

sean
Valued Contributor

Can I assume you are talking about Lion? We had no problems using the AD plugin on 10.6.x and having all mapped groups work. We did see something similar to what you describe with Lion. However, we have Quest VAS available for use and their latest version of the plugin appears to work as expected on Lion, fixing Apple's AD problem. I imagine that the other 3rd party plugins out there also fix Apple's broken AD plugin problem.

Sean

rmanly
Contributor III

It is 10.6.x but the IT staff group is the only one with a value set in AD.
;)

Ryan M. Manly
Glenbrook High Schools
