Changing users to admins

Stevens
New Contributor

Hi Everyone! Our district just decided to move to MacBooks and iOS devices for teachers and other staff, and we'll be moving on to 1-to-1 later in the year. We've imaged 800 MacBook airs (13 inch, Mid 2013), and at the time my staff agreed that only IT staff would be admins - an entire IT staff that has hardly seen a Mac, much less supported one. As you can imagine, this became an administrative nightmare.

I'd like to make all the teachers local admins (they all have mobile accounts as well), and they're all part of the same AD group. They're all in contact with our DC the entire day, but also need to be local admins on their mobile accounts (away from the DC). I've set up Tom Larkin's script for adding AD users as local admins, but I just can't seem to get it. Can anyone break it down like I'm 5, including policy settings? I'm learning quickly and not a fan of "just show me how to do it", but I'm out of time and could use some help. Is there a way to just add the AD group to the "allow administration by" list in Director Utility?

Thanks to everyone for your help!

5 REPLIES 5

mm2270
Legendary Contributor III

Hi.
While you could add an additional group into the Allow Administration by settings for AD, it won't help you, since you'll have the same issue you do now. As soon as they're no longer in site of your DCs they'll lose local admin rights. Only way is to make them local admins by placing them into the Mac's admin group.

High level, and making some assumptions here, what you'd be looking to do is

1 - Create a policy with a login trigger and Once per Computer execution frequency.
2 - Add your script into the policy. I'm assuming here that the script is capturing the logged in user and adding them into the local admin group. There are at least a half dozen versions of such scripts here so I'm not sure which one you're using.
3 - Add any Macs you need to into the Scope tab. this would be all the teachers Macs if they are part of a JSS group, or just individually, etc.
4 - Under the same scope tab in the "Limit this Policy to the following Users" click the "Assign to Specific User Groups" button and add in the LDAP group the teachers are part of. That will ensure it will only run when someone on that group logs in.

Since I don't know any more specifics, that's about all most of us will be able to tell you at the moment.
Hope that helps.

Stevens
New Contributor

Thanks for the reply, MM. I've got the policy, the trigger, ex frequency, the script added (I'm using Tom Larkin's script from a similar post):

#!/bin/bash

# generate local user account based on UID of greater than 1000, if multiple AD accounts exist this will grab all of them

userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 1000 { print $1 }')

for u in ${userList} ; do

/usr/sbin/dseditgroup -o edit -a ${u} -t user admin

done

exit 0

And the scope is set exactly as you posted.

I do appreciate your help here - I'm quite the n00b when it comes to administrating this many Macs.

mm2270
Legendary Contributor III

Hi again. In Tom's script above, it will grab all AD accounts on the Mac and make them local admins. Is that what you're intending to do, or were you looking to only target one user on each Mac?

If you're OK with the former, then the way you described your setup should be fine. If your Macs typically only have one user account on them then its kind of a moot point anyway.
Just remember to tell your teachers that they need to log out and back in to have the changes take affect since your policy gets triggered at login. Also, unless your JSS is externally facing in some way, they'll need to do the above log out/log in while inside your school network. Doing it from home won't work unless the Mac can connect to your JSS.

andrew_stenehje
Contributor

Here's something that would add them as an admin, only if they belong to an AD group named "Local-Desktop-Admins". You could replace this with the name of your group that all of your staff belong to. This could be in run via Self Service and wouldn't have to be run at login/logout but should work for either.

#!/bin/sh

    user=`ls -l /dev/console | cut -d " " -f 4`

        if id $user |grep -iq Local-Desktop-Admins; then
             /usr/sbin/dseditgroup -o edit -n /Local/Default -a $user -t user admin
             echo Added $user to admin group

            else

            echo $user is not a member of the Local-Desktop-Admins group and cannot be added as an admin
        fi

Stevens
New Contributor

Hi Everyone! Thanks for the response. I found the problem - Looking in the logs, I'm seeing this:

/usr/sbin/jamf is version 8.71
Executing Policy Run Script User Admin...
Mounting smb://xx.xx.xx.xx/CasperShare to /Volumes/CasperShare...
Error running script: The script could not be found..
Unmounting file server...
Running Recon...

So my problem is not whether the script works, it's not even running.