Admins on lab computers with AD accounts

EliasG
Contributor

I have 2 teachers that I need to make Admins on a cart of 30 student Macs; the teachers have AD accounts. Our "lab" users don't have admin rights. How can I make them admins so they can do certain things on them?


MAD0oM
Contributor

Here's a script you can use for this. I'd run it as a policy to the 30 machines; that way once they log in it would work. Sorry, wrong post before. You can change it from 30 mins to however long you want.

#!/bin/bash

##############
# TempAdmin.sh
# This script will give a user 30 minutes of Admin level access.
# It is designed to create its own offline self-destruct mechanism, so the
# rights still get removed if Casper goes down while the script is running.
##############

# current console user (the command substitution was missing from the post)
USERNAME=$(who | grep console | awk '{print $1}')

# create LaunchDaemon to remove admin rights
#####
# quoted heredoc, so the plist's own double quotes are written as-is
cat > /Library/LaunchDaemons/com.yourcompany.adminremove.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.yourcompany.adminremove</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Scripts/removeTempAdmin.sh</string>
    </array>
    <key>StartInterval</key>
    <integer>1800</integer>
</dict>
</plist>
EOF
#####

# create admin rights removal script
#####
# quoted heredoc, so $USERNAME and $(...) land literally in the new script
cat > /Library/Scripts/removeTempAdmin.sh <<'EOF'
#!/bin/bash
USERNAME=$(cat /var/somelogfolder/userToRemove)
/usr/sbin/dseditgroup -o edit -d "$USERNAME" -t user admin
rm -f /var/somelogfolder/userToRemove
rm -f /Library/LaunchDaemons/com.yourcompany.adminremove.plist
rm -f /Library/Scripts/removeTempAdmin.sh
exit 0
EOF
#####

# set the permission on the files just made
chown root:wheel /Library/LaunchDaemons/com.yourcompany.adminremove.plist
chmod 644 /Library/LaunchDaemons/com.yourcompany.adminremove.plist
chown root:wheel /Library/Scripts/removeTempAdmin.sh
chmod 755 /Library/Scripts/removeTempAdmin.sh

# enable and load the LaunchDaemon (StartInterval fires the removal 1800 s after load)
defaults write /Library/LaunchDaemons/com.yourcompany.adminremove.plist Disabled -bool false
launchctl load -w /Library/LaunchDaemons/com.yourcompany.adminremove.plist

# build log files in /var/somelogfolder
mkdir -p /var/somelogfolder
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
echo "$TIME by $USERNAME" >> /var/somelogfolder/30minAdmin.txt

# note the user (overwrite rather than append: the removal script expects exactly one name)
echo "$USERNAME" > /var/somelogfolder/userToRemove

# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin

# notify (both paths contain spaces, so they must be quoted)
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png" -heading 'Temporary Admin Rights Granted' -description "
Please use responsibly. All administrative activity is logged. Access expires in 30 minutes." -button1 'OK' > /dev/null 2>&1 &

exit 0

GaToRAiD
Contributor II

Depends on how the lab users are set up. Are they local accounts or AD accounts as well?

If the lab users are local accounts and the teachers are AD accounts, you can do the following:

#!/bin/sh
# add every local account whose UID falls in the 502-599 range to the admin group
listUsers=$(dscl . -list /Users)
for user in $listUsers
do
    # dscl prints "UniqueID: <uid>", so the second space-separated field is the UID
    ID=$(dscl . -read "/Users/$user" UniqueID 2>/dev/null | cut -d ' ' -f 2)
    if [ "$ID" -gt 501 ] && [ "$ID" -lt 600 ]; then
        /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    fi
done

roiegat
Contributor III

Well, let's look at it from another angle. What do they need to do that requires admin? Is it something you could add in Self Service?

The reason I bring it up is because I have a script that grants the user admin rights, but then you'd have to run another script to remove those admin rights when they were done using it.

MAD0oM
Contributor

Or if you just really truly want to give access to them and not worry about it, just run this:

/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin

Changing the USERNAME part to the user's.

joshuasee
Contributor III

And for the daring:

You can specify which AD groups get admin privileges using a configuration profile, but not with the built-in Casper tools. If you have an existing AD profile in the JSS, download it and strip off the signature with:

openssl smime -inform DER -verify -in /path/to/some.mobileconfig -noverify -out /path/to/unsigned.mobileconfig

Then open the unsigned one in your favorite text editor and edit to add the ADDomainAdminGroupList and ADDomainAdminGroupListFlag per http://support.apple.com/kb/HT5981. Upload the new config to the JSS, and distribute it to joined machines, while descoping them from the previous configuration profile.

The process is more tedious and error prone than other techniques, but also requires fewer parts (no policy or scripts necessary), and can recover from some failure modes without IT staff attention.
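As an added example for the editing step above (this is not joshuasee's code or a Jamf tool), a small shell helper that wraps the openssl unsigning command from the post and prints the two keys named in HT5981, ADDomainAdminGroupListFlag and ADDomainAdminGroupList, ready to paste into the AD payload dict of the unsigned profile. The group names are constructed placeholders, and the function names unsign_profile, xml_escape and ad_admin_group_keys are chosen here. It goes slightly beyond the post by escaping XML-special characters, so a group name such as "R&D Staff" does not leave the plist malformed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is present and that the
# downloaded profile is a DER-encoded signed .mobileconfig, as in the post.

# Step 1 from the post: strip the signature so the profile can be edited.
# usage: unsign_profile /path/to/some.mobileconfig /path/to/unsigned.mobileconfig
unsign_profile() {
    openssl smime -inform DER -verify -in "$1" -noverify -out "$2"
}

# Escape the characters that would break the plist if they appear in a group
# name; '&' must be handled first so the entities it produces are not re-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Step 2 from the post: the keys to add inside the AD payload dict.
# usage: ad_admin_group_keys 'DOMAIN\Teachers' 'DOMAIN\Lab Admins'
# Group names are constructed placeholders; use your own domain and groups.
ad_admin_group_keys() {
    [ "$#" -gt 0 ] || { echo "at least one group name is required" >&2; return 1; }
    printf '%s\n' '<key>ADDomainAdminGroupListFlag</key>' '<true/>' \
                  '<key>ADDomainAdminGroupList</key>' '<array>'
    for g in "$@"; do
        printf '    <string>%s</string>\n' "$(xml_escape "$g")"
    done
    printf '%s\n' '</array>'
}
```

The printed lines go inside the dict whose PayloadType is com.apple.DirectoryService.managed (the AD payload) of the unsigned profile; the rest of that payload stays as the JSS generated it, and the file is then uploaded as a new profile.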

franton
Valued Contributor III

My variation was to create an extension attribute as a text entry box. Then I use the following script:

https://github.com/franton/Add-Users-as-Admin-JSS

This has the beauty of being able to control admins on an individual computer basis.

davidacland
Honored Contributor II

I would use the "allow administration by..." option in Directory Utility. You can add an AD group that contains these teachers and they will be treated as admins when they log in.
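The same setting can be pushed from the command line, which is handier than clicking through Directory Utility on a cart of 30 machines. The following is an added example, not davidacland's own code or a Jamf tool: it assumes a Mac that is already bound to AD, uses the -groups option of dsconfigad (the CLI counterpart of the "allow administration by" field) and reads the result back from dsconfigad -show. The group names are constructed placeholders and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes macOS with /usr/sbin/dsconfigad
# and an existing AD binding. Group names are given as "DOMAIN\group" or "group".
set -u

# Normalise a comma-separated list: trim whitespace around each entry and drop
# empty entries, because dsconfigad -groups wants a single clean list.
# Prints the cleaned list; returns 1 if nothing usable is left.
clean_group_list() {
    cleaned=''
    old_ifs=$IFS; IFS=','
    for entry in $1; do
        entry=$(printf '%s' "$entry" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        cleaned="${cleaned:+$cleaned,}$entry"
    done
    IFS=$old_ifs
    [ -n "$cleaned" ] || return 1
    printf '%s' "$cleaned"
}

# Reject names containing shell metacharacters: those are copy-paste mistakes,
# not AD groups, and should not reach a privileged command at all.
valid_group_name() {
    case "$1" in
        ''|*';'*|*'&'*|*'|'*|*'$'*|*'`'*|*'"'*|*"'"*) return 1 ;;
    esac
    return 0
}

# Apply the list and read it back. In dsconfigad -show, the "Allowed admin groups"
# line is what Directory Utility shows in "allow administration by".
apply_admin_groups() {
    groups=$(clean_group_list "$1") || { echo "no group names supplied" >&2; return 1; }
    old_ifs=$IFS; IFS=','
    for g in $groups; do
        valid_group_name "$g" || { echo "rejecting suspicious group name: $g" >&2; IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    /usr/sbin/dsconfigad -groups "$groups" || return 1
    /usr/sbin/dsconfigad -show | grep -i 'allowed admin groups'
}

# Only act when a list is passed, e.g. from a policy:
#   sudo ./admin_groups.sh 'DOMAIN\Teachers, DOMAIN\Lab Admins'
if [ "$#" -gt 0 ]; then
    apply_admin_groups "$1"
fi
```

Because the grant lives in the binding rather than in the local admin group, it is removed by taking the group out of the list again, and the same script is what you would run to audit a machine (dsconfigad -show) before trusting the setting.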

franton
Valued Contributor III

@davidacland That works well as long as you don't have connection issues to your AD. Otherwise you'll find admin randomly doesn't apply to the account.

davidacland
Honored Contributor II

Agreed, for mobile / remote users I would add them to the admin group. I was thinking that as I was typing my last response but thought as they're lab computers a simple GUI solution might be sufficient :)