Posted on 05-26-2015 08:40 AM
Okay I am trying to allow a local user who is a standard user to add printers and make network changes. To allow them to add printers from the system preferences pane in Yosemite.
I can run the following command
/usr/sbin/dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
And I get no errors back but when I do a /usr/sbin/dseditgroup -o read _lpadmin I only see my admin account under GroupMembership. If I log in as the local standard user and go to system preferences sure enough the lock is in place. Also if I do a /usr/sbin/dseditgroup -o checkmember -u username -n . lpadmin I am told username is a member.
Also I am trying to find the right group to turn off the network lock. I have just used network for the group and I get back no errors, when I do a read though I get back no GroupMembership as the last field. I am under the assumption that this is not the group name I want or need.
Posted on 05-26-2015 08:44 AM
You're missing the sudo.
sudo dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin
Posted on 09-21-2015 09:53 AM
Jumping in on this thread - I've tried running the command from @brandonusher but the only username listed under GroupMembership is "admin" which is a local admin account. The Active Directory user is still not listed so when I go to run an lpadmin command it comes up as "lpadmin: Forbidden".
Any ideas??
Posted on 09-21-2015 10:11 AM
Maybe this thread can help you out? https://jamfnation.jamfsoftware.com/discussion.html?id=8048
Posted on 05-25-2016 03:56 PM
@rcastorani wrote:
Jumping in on this thread - I've tried running the command from @brandonusher but the only username listed under GroupMembership is "admin" which is a local admin account. The Active Directory user is still not listed so when I go to run an lpadmin command it comes up as "lpadmin: Forbidden".
We are having the same problem, this command appears to only add local users to the _lpadmin group:
sudo dseditgroup -o edit -n /Local/Default -a everyone -t group _lpadmin
@brandonusher is using lpadmin instead of _lpadmin. Which one is right?
When we target _lpadmin group, and review membership we confirm the local admin account is added, and none of the AD accounts are added:
$ dscl . -read /Groups/_lpadmin GroupMembership
GroupMembership: ouradminaccount
We need to add all local and AD users to _lpadmin (assuming lpadmin was a typo).
Anyone have the right command to do this? Does syntax change between the OS versions?
Posted on 05-25-2016 07:32 PM
@johnmcnair I use the following script, triggered to run at login via policy, to add users to the lpadmin group. These are AD users that are mobile accounts.
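#!/bin/sh
# The owner of /dev/console is taken to be the user logged in at the console
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
# Add that user to the _lpadmin group (quoted so an empty or odd value is not word-split)
dseditgroup -o edit -a "$loggedInUser" -t user _lpadmin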
It works every time to add the user to the lpadmin group.
Posted on 05-25-2016 11:49 PM
Thank you, we will try this out.
Posted on 05-26-2016 02:33 AM
Courtesy of @macmule ...
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
This is a far more reliable method of getting the current user. As detailed in his blog post, the ls console route returns false results with fast user switching enabled.
See the mule's post here
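
An added example, not written by any poster in this thread: a login-time variant of the script above that refuses console-owner values that do not name an interactive user (empty, root, loginwindow, underscore-prefixed system accounts) and checks membership before editing _lpadmin. The DSEDITGROUP override, the function names, the --run switch and the allowed-character rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): add the console user to _lpadmin at login.
# Assumption: DSEDITGROUP may be overridden so the logic can be dry-run.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Owner of /dev/console, read with the BSD stat shipped on macOS.
console_user() {
    /usr/bin/stat -f %Su /dev/console
}

# Return 0 only for a name that is safe to hand to dseditgroup as root.
valid_login_user() {
    case "$1" in
        ""|root|loginwindow|_*) return 1 ;;  # nobody logged in, or a system account
        -*) return 1 ;;                       # would be parsed as an option
        *[!A-Za-z0-9._-]*) return 1 ;;        # assumed short-name character set
    esac
    return 0
}

# Add the user to _lpadmin unless already a member; prints what it did.
add_to_lpadmin() {
    user="$1"
    if ! valid_login_user "$user"; then
        echo "skip: '$user' is not an interactive user"
        return 1
    fi
    if "$DSEDITGROUP" -o checkmember -m "$user" _lpadmin >/dev/null 2>&1; then
        echo "ok: $user already in _lpadmin"
        return 0
    fi
    "$DSEDITGROUP" -o edit -n /Local/Default -a "$user" -t user _lpadmin &&
        echo "added: $user"
}

# Run only when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    add_to_lpadmin "$(console_user)"
fi
```

Because only the validated console user is added, the resulting GroupMembership can be audited per account with the `dscl . -read /Groups/_lpadmin GroupMembership` check shown earlier in the thread.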