Assign admin privilege to specific Active Directory group through DEP PreStage

New Contributor III

Previously, we had a script that bound our macOS devices to AD. We allowed our staff to become admins on the computer by setting the AD staff group under "Allow administration by". The user has admin privileges when they are inside the network, and they are removed when they are outside of the network.

We switched over to the DEP PreStage process and set up the Directory step. The macOS devices bind to our AD, but it doesn't respect the Allow Administration Group setting within the DEP PreStage. We tried the AD group name (AllStaff) and the domain name before the group (districtAllStaff) to no avail.

Has anyone successfully assigned admin privileges to an AD group with the DEP PreStage Directory step?


Contributor III

Last year I started working on a script that would run when any system gets enrolled. It would access an SMB share and pull a CSV file containing a list of our systems, with the serial number of each one, the name it should be given, and the name of the user on the system who should get admin access. The script would take that info and configure the system appropriately before binding it to our domain. I recall getting much of it to work, but other projects got in the way of me finishing it. Unfortunately, it's not in a state that I am willing to share just yet. At any rate, maybe by me sharing that much you might find it informative enough to put together your own solution.

There's a lot to be said about DEP but unless you're a really small shop I think scripting the binding process is a much better solution than using the stuff provided in Jamf. In our case we don't want users to be able to walk up to any system and have admin access hence the reason I was looking to configure specific users to specific systems. If you're wanting to use a group though, you don't need to get anywhere close to the level of script that I was developing.

For what it's worth, I'll actually be working on this again soon. Once done (and working) I'll probably throw it up here for those interested and for others to critique my amazing (not) scripting prowess.

Don't know if any of that helps but you know what they say...sharing is caring. ;-)

New Contributor III

I would recommend doing the AD bind via a policy. This way, you can guarantee that your computers are following your naming convention. The policy will allow you to set "Allow administration by" AD groups.

New Contributor III

I'm seeing the same issue as @hphan. DEP pre-stage enrollment is not elevating users to admin that are in the assigned admin groups. If I run the command via a script from Jamf

dsconfigad -groups "group1_here,group2_here"

the script elevates users to admin as expected, but not at first login from the PreStage enrollment. Anyone out there get this working?
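As an added example (not code posted by anyone in this thread), here is the shape of a post-enrollment policy script that verifies what dsconfigad actually reports for the allowed admin groups and only reapplies them when they differ, so a PreStage that silently dropped the setting is caught rather than assumed. The group names and the sample `dsconfigad -show` text are constructed placeholders.

```bash
#!/bin/bash
# Added example: enforce the "Allow administration by" AD groups after
# enrollment. Group names below are assumed placeholders, not real groups.
DESIRED_GROUPS="DOMAIN\\AllStaff,DOMAIN\\MacAdmins"

# Constructed sample of the relevant portion of `dsconfigad -show` output,
# included so the parsing can be exercised on a machine that is not bound.
SAMPLE_SHOW='Active Directory Domain          = example.local
Computer Account                 = mac001$
Advanced Options - Administrative
  Allowed admin groups           = DOMAIN\AllStaff'

# Read dsconfigad -show text on stdin and print the configured admin groups
# (empty output means no groups are set).
current_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' | tr -d '\r'
}

# Exit 0 only when the configured list matches the desired list exactly.
groups_match() {
    local current="$1" desired="$2"
    [ "$current" = "$desired" ]
}

# On a bound Mac: compare the live setting with the desired groups, apply
# them only if they differ, and flush the directory cache afterwards.
enforce_admin_groups() {
    if ! command -v dsconfigad >/dev/null 2>&1; then
        echo "dsconfigad not available; skipping enforcement" >&2
        return 2
    fi
    local current
    current="$(dsconfigad -show | current_admin_groups)"
    if groups_match "$current" "$DESIRED_GROUPS"; then
        echo "Admin groups already set: $current"
        return 0
    fi
    echo "Admin groups were '$current'; setting: $DESIRED_GROUPS"
    dsconfigad -groups "$DESIRED_GROUPS" || return 1
    dscacheutil -flushcache
}
```

Run it as root from a Jamf policy scoped to newly enrolled machines; the log line showing the previous value is what tells you whether the PreStage Directory step applied the groups at all.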