Posted on 10-24-2014 07:31 AM
I have 2 teachers that I need to make admins on a cart of 30 student Macs; the teachers have AD accounts. Our "lab" users don't have admin rights. How can I make them admins so they can do certain things on them?
Posted on 10-24-2014 07:38 AM
Here's a script you can use for this. I'd run it as a policy to the 30 machines; that way, once they log in, it would work. Sorry, wrong post before. You can change it from 30 mins to however long you want.
#!/bin/bash
##############
# TempAdmin.sh
# This script will give a user 30 minutes of Admin level access.
# It is designed to create its own offline self-destruct mechanism (figured that was needed in case Casper went down while the script was running).
#
##############
# the user currently logged in at the console
USERNAME=$(who | grep console | awk '{print $1}')
# create LaunchDaemon to remove admin rights
#####
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.yourcompany.adminremove</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Scripts/removeTempAdmin.sh</string>
</array>
<key>StartInterval</key>
<integer>1800</integer>
</dict>
</plist>" > /Library/LaunchDaemons/com.yourcompany.adminremove.plist
#####
# create admin rights removal script
#####
echo '#!/bin/bash
USERNAME=$(cat /var/somelogfolder/userToRemove)
/usr/sbin/dseditgroup -o edit -d "$USERNAME" -t user admin
rm -f /var/somelogfolder/userToRemove
rm -f /Library/LaunchDaemons/com.yourcompany.adminremove.plist
rm -f /Library/Scripts/removeTempAdmin.sh
exit 0' > /Library/Scripts/removeTempAdmin.sh
#####
# set the permission on the files just made
chown root:wheel /Library/LaunchDaemons/com.yourcompany.adminremove.plist
chmod 644 /Library/LaunchDaemons/com.yourcompany.adminremove.plist
chown root:wheel /Library/Scripts/removeTempAdmin.sh
chmod 755 /Library/Scripts/removeTempAdmin.sh
# enable and load the LaunchDaemon
defaults write /Library/LaunchDaemons/com.yourcompany.adminremove.plist Disabled -bool false
launchctl load -w /Library/LaunchDaemons/com.yourcompany.adminremove.plist
# build log files in /var/somelogfolder
mkdir -p /var/somelogfolder
TIME=$(date "+Date:%m-%d-%Y TIME:%H:%M:%S")
echo "$TIME by $USERNAME" >> /var/somelogfolder/30minAdmin.txt
# note the user
echo $USERNAME >> /var/somelogfolder/userToRemove
# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
# notify
"/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "/Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain_Unlocked.png" -heading 'Temporary Admin Rights Granted' -description "
Please use responsibly.
All administrative activity is logged.
Access expires in 30 minutes." -button1 'OK' > /dev/null 2>&1 &
exit 0
Posted on 10-24-2014 07:40 AM
Depends on how the lab users are set up. Are they local accounts or AD accounts as well?
If the lab users are local accounts and the teachers are AD accounts, you can do the following:
#!/bin/sh
# promote every local user whose UID falls in the 502-599 range (typical for
# manually created local accounts) to the admin group
listUsers=`dscl . -list /Users`
for user in $listUsers
do
    ID=$(dscl . -read "/Users/$user" UniqueID | cut -d ' ' -f 2)
    if [ "$ID" -gt 501 -a "$ID" -lt 600 ]; then
        /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
    fi
done
Posted on 10-24-2014 07:41 AM
Well, let's look at it from another angle. What do they need to do that requires admin? Is it something you could add in Self Service?
The reason I bring it up is because I have a script that grants the user admin rights, but then you'd have to run another script to remove those admin rights when they were done using it.
Posted on 10-24-2014 07:44 AM
Or if you really, truly want to give them access and not worry about it, just run this:
/usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin
changing the USERNAME part to the user's name.
Posted on 10-24-2014 10:27 AM
And for the daring:
You can specify which AD groups get admin privileges using a configuration profile, but not with the built-in Casper tools. If you have an existing AD profile in the JSS, download it and strip off the signature with:
openssl smime -inform DER -verify -in /path/to/some.mobileconfig -noverify -out /path/to/unsigned.mobileconfig
Then open the unsigned one in your favorite text editor and edit to add the ADDomainAdminGroupList and ADDomainAdminGroupListFlag per http://support.apple.com/kb/HT5981. Upload the new config to the JSS, and distribute it to joined machines, while descoping them from the previous configuration profile.
The process is more tedious and error-prone than other techniques, but also requires fewer parts (no policy or scripts necessary), and can recover from some failure modes without IT staff attention.
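The hand-editing step above is where mistakes creep in, so here is an added example (not from this thread, and not a Jamf or Apple tool) that does the edit with Python's standard plistlib instead of a text editor. It assumes the unsigned profile carries exactly one payload of type com.apple.DirectoryService and that groups are written in the DOMAIN\group form; the embedded profile is a constructed, minimal sample, not a real JSS export.

```python
import plistlib
import sys
from typing import List, Optional

AD_PAYLOAD_TYPE = "com.apple.DirectoryService"

# Constructed sample (not a real JSS export): the skeleton of an unsigned
# Active Directory binding profile with a single DirectoryService payload.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.adbind</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.DirectoryService</string>
      <key>PayloadIdentifier</key><string>com.example.adbind.directory</string>
      <key>PayloadUUID</key><string>66666666-7777-8888-9999-000000000000</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>HostName</key><string>ad.example.com</string>
      <key>UserName</key><string>binduser</string>
    </dict>
  </array>
</dict>
</plist>
"""


def _ad_payload(profile: dict) -> dict:
    """Return the one DirectoryService payload; refuse ambiguous or missing cases."""
    matches = [p for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == AD_PAYLOAD_TYPE]
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one {AD_PAYLOAD_TYPE} payload, found {len(matches)}")
    return matches[0]


def add_admin_groups(profile_bytes: bytes, groups: List[str]) -> bytes:
    """Enable ADDomainAdminGroupListFlag and set ADDomainAdminGroupList.

    Everything else in the profile (identifiers, UUIDs, bind settings) is left
    untouched so the JSS sees the same profile with two extra keys.
    """
    for g in groups:
        # Assumed DOMAIN\group form (the form dsconfigad -groups accepts);
        # reject anything else before it reaches 30 machines.
        if "\\" not in g or g.startswith("\\") or g.endswith("\\"):
            raise ValueError(f"group must be written as DOMAIN\\group: {g!r}")
    profile = plistlib.loads(profile_bytes)
    payload = _ad_payload(profile)
    payload["ADDomainAdminGroupListFlag"] = True
    # de-duplicate while keeping the order given on the command line
    payload["ADDomainAdminGroupList"] = list(dict.fromkeys(groups))
    return plistlib.dumps(profile)


def admin_groups(profile_bytes: bytes) -> Optional[List[str]]:
    """Read back the admin group list; None when the flag is not enabled."""
    payload = _ad_payload(plistlib.loads(profile_bytes))
    if not payload.get("ADDomainAdminGroupListFlag"):
        return None
    return list(payload.get("ADDomainAdminGroupList", []))


if __name__ == "__main__":
    # usage: add_ad_admin_groups.py unsigned.mobileconfig out.mobileconfig 'DOMAIN\group' [...]
    if len(sys.argv) < 4:
        sys.exit("usage: add_ad_admin_groups.py IN OUT 'DOMAIN\\group' [...]")
    with open(sys.argv[1], "rb") as src:
        edited = add_admin_groups(src.read(), sys.argv[3:])
    with open(sys.argv[2], "wb") as dst:
        dst.write(edited)
    print("admin groups now:", admin_groups(edited))
```

Run it against the output of the openssl command above, then upload the result to the JSS as the post describes. The read-back at the end is the check worth keeping: if the flag key is missing the group list is ignored on the client, which is the silent failure this step tends to produce.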
Posted on 10-24-2014 10:51 AM
My variation was to create an extension attribute as a text entry box. Then I use the following script:
https://github.com/franton/Add-Users-as-Admin-JSS
This has the beauty of being able to control admins on an individual computer basis.
Posted on 10-24-2014 11:27 AM
I would use the "allow administration by..." option in Directory Utility. You can add an AD group that contains these teachers and they will be treated as admins when they log in.
Posted on 10-24-2014 11:32 AM
@davidacland That works well as long as you don't have connection issues to your AD. Otherwise you'll find admin randomly doesn't apply to the account.
Posted on 10-24-2014 11:40 AM
Agreed, for mobile / remote users I would add them to the admin group. I was thinking that as I was typing my last response but thought as they're lab computers a simple GUI solution might be sufficient :)