Posted on 01-15-2014 12:17 PM
I've been asked to ensure that domain admin accounts in our AD domain have local admin access on all AD-bound Macs and also that the domain admins group is in each client's sudoers file. Before I go off and figure this out myself, is there any guidance out there from folks who have already done it?
Posted on 01-15-2014 01:00 PM
Not sure if editing the sudoers file for this would be necessary. You can use dsconfigad to add specific AD groups into the Allow Administration By section of Directory Utility via the command line.
Do man dsconfigad and look for the -groups flag for the lowdown. The syntax is pretty simple.
Of course they will only be admins when the Mac is in range of the domain controllers, but I suspect that's fine.
Posted on 01-15-2014 01:37 PM
We also have to add specific users as admin users. While the link below doesn't specifically deal with domain admins as we segregate domain admin from desktop admins, it should provide a clue to go forward with.
https://github.com/franton/Add-Users-as-Admin-JSS/blob/master/AddUserAsAdmin-JSS.sh
Posted on 01-15-2014 01:38 PM
Granting SSH access to domain users however is far easier. Combine that with a local admin account, and that'll work too.
https://github.com/franton/Set-Authorised-SSH-Users/blob/master/SetAuthSSH.sh
Posted on 01-16-2014 07:33 AM
Is there a way to run a report to see who has Local User Accounts > Admin: True in Casper 8.7.1 or higher?
Posted on 01-16-2014 08:28 AM
JAMF support provided me with this script. We're running 9.22.
#!/bin/bash
# List members of the local admin group, one per line, as a JSS extension attribute
users=$(dscl . -read /Groups/admin | grep GroupMembership | tr ' ' '\n')
echo "<result>$users</result>"
Inventory results show the root user, followed by the local admin, then any other users with local admin rights. We use Centrify to bind our Macs to AD.
Screen shot - http://note.io/1eFd1Ve
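A more defensive variant of that reporting script, added here as an example (it is not from the thread or from JAMF support): it parses the dscl output, compares the members against an approved list, and flags anything unexpected in the result. The APPROVED list and the constructed sample output are assumptions for illustration; the real dscl call only runs on macOS.

```shell
#!/bin/bash
# Added example: report local admin group members and flag unapproved ones.
# On a Mac, `dscl . -read /Groups/admin GroupMembership` prints a line such as
#   GroupMembership: root localadmin jdoe
# Parsing is kept in functions so it can be checked offline with constructed input.

# Accounts expected to hold local admin rights (assumption: adjust per site)
APPROVED="root localadmin"

# parse_admins: read dscl output on stdin, print one account per line.
parse_admins() {
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
    return 0
}

# unexpected_admins: print each member of $1 (space-separated) not in APPROVED.
unexpected_admins() {
    local m a hit
    for m in $1; do
        hit=0
        for a in $APPROVED; do
            if [ "$m" = "$a" ]; then hit=1; fi
        done
        if [ "$hit" -eq 0 ]; then echo "$m"; fi
    done
    return 0
}

# report: build the <result> line from raw dscl output passed as $1.
report() {
    local members unexpected
    members=$(printf '%s\n' "$1" | parse_admins | tr '\n' ' ')
    unexpected=$(unexpected_admins "$members" | tr '\n' ' ')
    printf '<result>admins: %s| unexpected: %s</result>\n' "$members" "${unexpected:-none }"
    return 0
}

if [ "$(uname)" = "Darwin" ]; then
    report "$(dscl . -read /Groups/admin GroupMembership)"
else
    # Constructed sample output, used where dscl is unavailable
    report "GroupMembership: root localadmin jdoe"
fi
```

AD groups granted admin via dsconfigad -groups are attached to the admin group as NestedGroups rather than listed under GroupMembership, so members who get admin that way will not appear in this report.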
Posted on 01-16-2014 08:33 AM
Thank You!