Admin Service account using AD


Our security team is looking for a way that when a clients request for admin privileges they go through an approval process and if they do get approved, we create an AD account called USERNAME_loc. Since we have mostly PC on the campus, they have set up a special OU where these accounts leave and they use GPOs to set up the local account to only work on their assign computers.

Our security team wants something similar to the Mac environment where we give the USERNAME_loc local admin rights to the machine, however, they do not want the account to be able to log in. I already created a script to auto-create the account and give it admin rights using policy triggers on JAMF but what is holding me back is restricting the account to log in. Has anyone had any ideas on what I can do?


Valued Contributor

You could somehow trigger the

pkill loginwindow

command when that user logs in (login policy, launch agent, etc.) so even if they login they get kicked back out the login window.

There is likely a way to accomplish what you want using the authorizationdb via the security command, but I unfortunately don't know what that path would be.

Contributor III

Instead of creating the account locally on the Mac, you can use the account created in AD. Add that OU to the admin group when you bind (in the "Administrative" Tab in the Directory Bindings section of JSS, or via a script to apply it retroactively):

dsconfigad -groups "domainadmin group"

As for disabling interactive login, I am not 100% how to disable that. You could create policy with the command

pkill loginwindow

in the JSS and scope it to all users with the limitation of an LDAP group (which would be the OU that those user accounts live in). I've never tried scoping like that so you'll want to test it thoroughly.