Automatically make Mobile Accounts Admins

leeskade
New Contributor III

Hello all!

I'm looking to set Mobile Accounts to be administrators from the get go, before they've even been created. As default Mobile Accounts are set to standard, I'd like created mobile accounts to obtain administrator capabilities as default (if possible).

I've had a look at the following script from an old discussion: https://www.jamf.com/jamf-nation/discussions/7021/scripting-the-creation-of-ad-mobile-accounts-in-os-x

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n dscl . -append /Groups/admin GroupMembership $4

This doesn't appear to run in High Sierra for me, not sure if it relates more to scripting the creation of mobile accounts. I'm happy for the mobile account to be created on login as they currently are, I just want the users to automatically be an admin.

Any thoughts or help appreciated.

1 REPLY

mm2270
Legendary Contributor III

That command won't work. The -n flag expects to get a username for an account that exists in Active Directory, not a command like what you have there. Unless that was supposed to be a second command on its own line. Even if it was, you need to specify a username with -n when using the createmobileaccount.

As for then making that account a local admin, you will want to use the dseditgroup command. dscl shouldn't really be used any more for changing admin status and even group memberships on accounts. It's still useful for other things, but I would not use it anymore for changing admin status.

Example with dseditgroup:

dseditgroup -o edit -a <username> admin

The above requires root or sudo to work, but if it's done from a script running in a policy, that's taken care of.

You can check the admin status of the account after the command above is run with:

dseditgroup -o checkmember -m <username> admin
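
The two dseditgroup commands from the reply, combined into a policy script as an added example (not code from the thread or from Jamf). It assumes Jamf parameter 4 carries the account short name, as in the original post; the function names and the DSEDITGROUP override are hypothetical. The username is validated before it reaches a command running as root, and membership is confirmed after the change.

```shell
#!/bin/sh
# Added example, not from the thread. Intended for a Jamf policy, where
# parameter 4 ($4) carries the account short name, as in the original post.

# Assumption: overridable path so the logic can be exercised off-device.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Accept only plain short names: reject empty values, root, names that
# start with "-" (would parse as an option) or "_" (system accounts),
# and anything outside letters, digits, dot, underscore, hyphen.
valid_username() {
    case "$1" in
        ''|root|-*|_*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Add the user to the local admin group, then confirm membership.
# Return codes: 0 = member confirmed, 2 = bad input, 3 = add failed,
# 4 = add reported success but checkmember disagrees.
grant_admin() {
    user="$1"
    valid_username "$user" || { echo "refusing username: '$user'" >&2; return 2; }
    "$DSEDITGROUP" -o edit -a "$user" admin || return 3
    "$DSEDITGROUP" -o checkmember -m "$user" admin >/dev/null || return 4
    echo "$user is now a member of admin"
}

# Run only when Jamf (or a caller) supplies parameter 4.
if [ -n "${4:-}" ]; then
    grant_admin "$4"
fi
```

A non-zero exit makes the policy show as failed in the Jamf log, which gives an audit trail of which accounts were actually elevated.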