Posted on 04-08-2016 10:55 AM
I use a script to enable ARD and give the local administrator account full access. I was asked to provide ARD access to Active Directory users. Can that be done? Even if I try to manually add them, I don't get the option of selecting AD users, only local accounts.
Posted on 04-08-2016 02:12 PM
Usually what you do when you want to have ARD directory authentication is to create a local group "ard_admin" using dscl and then nest the Active Directory group or users inside of this local group.
This is the script I've used to implement ARD AD authentication in my environment:
#First, create a Local group
sudo dscl . -create /Groups/ard_admin
sudo dscl . -create /Groups/ard_admin PrimaryGroupID "530"
sudo dscl . -create /Groups/ard_admin Password "*"
sudo dscl . -create /Groups/ard_admin RealName "ard_admin"
sudo dscl . -create /Groups/ard_admin GroupMembers ""
sudo dscl . -create /Groups/ard_admin GroupMembership ""
# Nest the AD group you want to have ARD access to the ard_admin group you just created. This is done with the dseditgroup command:
sudo dseditgroup -o edit -a "UNTSomeGroupName" -t group ard_admin
#Now that you have a local group with an AD group nested inside, you can give your group the necessary privileges via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -activate -configure -access -on -privs -all -users ard_admin -restart -agent
#Just to be safe we want to make sure access is only allowed for the Specified Users, again do this via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -allowAccessFor -specifiedUsers
#The last step in this process is to set the ARD client options to allow directory logins, again do this via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -clientopts -setdirlogins -dirlogins yes
#To add a single Active Directory user to the local ard_admin group, do not use dscl to add or delete individual users. Use dseditgroup with the -a (to add) or -d (to delete) options. (EUID below is a placeholder for the user's AD short name.)
sudo dseditgroup -o edit -a EUID -t user ard_admin
Posted on 04-11-2016 04:41 AM
@djrich29 Thanks, I'll give it a try.
Posted on 04-12-2016 12:22 PM
Doing something wrong. Seems like it cannot find the AD group.
Posted on 05-01-2020 05:31 PM
I'm using this to give single AD users access to ARD. While it's working, I'm not seeing the users populate in the Remote Management pref pane. Is this to be expected? Tested on macOS 10.12.6 thus far.
Posted on 01-24-2021 05:43 PM
@djrich29 thanks for the script. It works great. This is particularly relevant right now with remote learning.
For those that have a local admin account that you also want to give ARD access (since the script will change access to specified users instead of all) I was able to insert this additional line after giving access to the ard_admin group:
#Give a local account the necessary privileges via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -access -on -privs -all -users ITAdministrator -restart -agent
In this case I added the local account "ITAdministrator". Be aware that the account name will be case sensitive (the lowercase shortname "itadministrator" wouldn't have worked). You can usually use
dscl . list /Users
to figure out the needed capitalization.
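The steps from the script above and the extra local-admin grant from this post, combined into one re-runnable script as an added example (this is not code from the thread). It adds two things a practitioner usually wants: a preflight check that the AD group actually resolves through the directory search path before nesting it (the "cannot find the AD group" symptom earlier in the thread is normally a bind or short-name problem that this catches with a clear error), and a DRY_RUN mode that prints the exact dscl/dseditgroup/kickstart sequence so it can be reviewed before running with sudo. The group name UNTSomeGroupName, the local account ITAdministrator and the GID 530 are placeholders taken from the thread; DRY_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed placeholders: the AD group
# name, the local admin account name and the GID 530 all come from the posts
# above and must be replaced with real values.

KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
LOCAL_GROUP=ard_admin
LOCAL_GID=530

# run CMD...: execute the command, or only print it when DRY_RUN is set, so the
# full sequence can be reviewed (or exercised on a non-Mac host) first.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ad_group_resolves NAME: succeeds if the directory search path (/Search,
# which includes the AD node on a bound Mac) can read the group record.
ad_group_resolves() {
    if [ -n "${DRY_RUN:-}" ]; then
        return 0
    fi
    dscl /Search -read "/Groups/$1" RecordName >/dev/null 2>&1
}

# ensure_local_group: create ard_admin only if it does not already exist, so
# re-running the script does not clobber existing membership.
ensure_local_group() {
    if [ -z "${DRY_RUN:-}" ] && dscl . -read "/Groups/$LOCAL_GROUP" >/dev/null 2>&1; then
        echo "group $LOCAL_GROUP already exists, leaving it as is"
        return 0
    fi
    run dscl . -create "/Groups/$LOCAL_GROUP"
    run dscl . -create "/Groups/$LOCAL_GROUP" PrimaryGroupID "$LOCAL_GID"
    run dscl . -create "/Groups/$LOCAL_GROUP" Password "*"
    run dscl . -create "/Groups/$LOCAL_GROUP" RealName "$LOCAL_GROUP"
}

# nest_ad_group NAME: nest the AD group inside the local group, but only after
# confirming the name resolves; otherwise fail loudly instead of silently.
nest_ad_group() {
    if ! ad_group_resolves "$1"; then
        echo "AD group '$1' not found via dscl /Search (not bound, or wrong short name?)" >&2
        return 1
    fi
    run dseditgroup -o edit -a "$1" -t group "$LOCAL_GROUP"
}

# grant_ard NAME: give a user or group full ARD privileges. The name is case
# sensitive, as noted in the post above; check it with: dscl . list /Users
grant_ard() {
    run "$KICKSTART" -configure -access -on -privs -all -users "$1"
}

# lock_down: restrict access to the specified users and allow directory logins.
lock_down() {
    run "$KICKSTART" -configure -allowAccessFor -specifiedUsers
    run "$KICKSTART" -configure -clientopts -setdirlogins -dirlogins yes
}

# configure_ard AD_GROUP [LOCAL_ACCOUNT...]: the whole procedure in order.
# Extra arguments are local accounts (e.g. ITAdministrator) that should keep
# access after the switch to specified users only.
configure_ard() {
    ad_group=$1
    shift
    ensure_local_group
    nest_ad_group "$ad_group" || return 1
    run "$KICKSTART" -activate
    grant_ard "$LOCAL_GROUP"
    for acct in "$@"; do
        grant_ard "$acct"
    done
    lock_down
    run "$KICKSTART" -restart -agent
}

# Usage (as root): DRY_RUN=1 to preview, then without it to apply.
#   configure_ard UNTSomeGroupName ITAdministrator
```

Run it once with DRY_RUN=1 to confirm the kickstart invocations and the exact (case-sensitive) account names, then again as root to apply. Because the access policy ends up as "specified users only", every local account that still needs ARD must be passed explicitly, which is the point the post above makes.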