
Granting local admin access to AD domain admins



I've been asked to ensure that domain admin accounts in our AD domain have local admin access on all AD-bound Macs and also that the domain admins group is in each client's sudoers file. Before I go off and figure this out myself, is there any guidance out there from folks who have already done it?

6 replies

mm2270
  • Legendary Contributor
  • 7881 replies
  • January 15, 2014

Not sure if editing the sudoers file for this would be necessary. You can use dsconfigad to add specific AD groups into the Allow Administration By section of Directory Utility via the command line.

Do man dsconfigad and look for the -groups flag for the lowdown. The syntax is pretty simple.
Of course they will only be admins when the Mac is in range of the domain controllers, but I suspect that's fine.


  • Esteemed Contributor
  • 850 replies
  • January 15, 2014

We also have to add specific users as admin users. While the link below doesn't specifically deal with domain admins as we segregate domain admin from desktop admins, it should provide a clue to go forward with.

https://github.com/franton/Add-Users-as-Admin-JSS/blob/master/AddUserAsAdmin-JSS.sh


  • Esteemed Contributor
  • 850 replies
  • January 15, 2014

Granting SSH access to domain users however is far easier. Combine that with a local admin account, and that'll work too.

https://github.com/franton/Set-Authorised-SSH-Users/blob/master/SetAuthSSH.sh


antoinekinch11

Is there a way to run a report to see who has Local User Accounts > Admin: True in Casper 8.7.1 or higher?


  • Valued Contributor
  • 164 replies
  • January 16, 2014

JAMF support provided me with this script. We're running 9.22.

#!/bin/bash

# Jamf extension attribute: report the members of the local admin group.
# The pipeline has to run inside command substitution so its output is captured;
# the tr step as posted maps spaces to spaces, so the list stays space-separated.
users=$(dscl . -read /Groups/admin | grep GroupMembership | tr ' ' ' ')

echo "<result>$users</result>"

Inventory results show the root user, followed by the local admin, then any other users with local admin rights. We use Centrify to bind our Macs to AD.

Screen shot - http://note.io/1eFd1Ve
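An added example, not from the thread or from JAMF support: an audit script in the spirit of the extension attribute above that lists admin group members one per line and flags any that are not on an expected baseline, so the inventory result also says who should not be there. The sample dscl output and the account names are constructed for illustration; on a Mac the script reads the live group instead.

```bash
#!/bin/bash
# Added example: audit local admin group membership against a baseline.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_DSCL_OUTPUT='GroupMembership: root localadmin jdoe svc-backup'

# Accounts expected to hold local admin rights (hypothetical baseline).
EXPECTED_ADMINS='root localadmin'

# Turn dscl's single-line attribute dump into one member per line.
parse_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership://' | tr -s ' \t' '\n' | sed '/^$/d'
}

# Read the live group on macOS; fall back to the constructed sample elsewhere.
read_admin_group() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_DSCL_OUTPUT"
    fi
}

# Print members missing from the baseline; return 1 if any were found.
unexpected_admins() {
    local raw="$1" member rc=0
    for member in $(parse_members "$raw"); do
        case " $EXPECTED_ADMINS " in
            *" $member "*) ;;
            *) printf '%s\n' "$member"; rc=1 ;;
        esac
    done
    return $rc
}

# Jamf extension-attribute style result: all members, then any unexpected ones.
report() {
    local raw="$1" members extra
    members=$(parse_members "$raw" | tr '\n' ' ' | sed 's/ $//')
    extra=$(unexpected_admins "$raw" | tr '\n' ' ' | sed 's/ $//')
    printf '<result>admins: %s; unexpected: %s</result>\n' "$members" "${extra:-none}"
}

report "$(read_admin_group)"
```

Because the unexpected list is part of the inventory value, a smart group or saved search on "unexpected: none" separates compliant Macs from the rest.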


antoinekinch11

Thank You!



