Local Admins based on AD group

stEn
New Contributor

Trying to use an Active Directory group where I work to grant all members Administrative privileges over their Macs, using their LAN name and password. So, I can spot the AD group, and so can Casper, but do I need a script at this point? A particular policy? I'm trying to automate the process so that our build and deploy teams don't have to go back to each computer and assign Admin privileges to each user, as they log into any given Mac assigned to that group.

So, we know the Active Directory group name, as well as the Mac names assigned to said group. Any suggestions?

3 REPLIES

mm2270
Legendary Contributor III

You can do this in the binding configuration, by adding the group into the Administrative tab. Check the box labeled "Allow administration by:" and add the name of the AD group in the corresponding field. If you want, you could create a special binding configuration in Casper that gets used only for the Macs going to those users and leave the default settings for all other Macs. In that way, they should only have admin rights on any Mac using that bind configuration. Or you could just apply it to all Macs.

One big caveat with this is that those settings only apply when a Mac is in contact with your domain controller. If you have laptop users and they disconnect from the network, they will lose those admin rights. To give them permanent admin privs, you'd need to script it to add their accounts into the local admin group on the Mac. I'm not sure if there's any other method to achieve that, assuming you want to do that.
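
The scripted approach described in the reply above, as an added example that is not part of the thread and is not the script mentioned in the next reply: it adds a user to the local `admin` group only if `dseditgroup` confirms they are a member of the AD group. The group name `MacAdmins-PLACEHOLDER`, the function names, the `--run` switch and the `DSEDITGROUP` override are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: grant permanent local admin rights, gated on AD group membership.
# Must run as root while the Mac can reach the domain (e.g. from a management policy).

AD_GROUP="${AD_GROUP:-MacAdmins-PLACEHOLDER}"        # hypothetical AD group name
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"  # overridable so it can be stubbed

# Refuse empty names, system accounts and anything with unexpected characters
# (a deliberately conservative allow-list chosen for this example).
is_safe_username() {
    case "$1" in
        ""|root|loginwindow|_*) return 1 ;;
        *[!A-Za-z0-9._-]*)      return 1 ;;
    esac
    return 0
}

# in_group USER GROUP: exit status 0 if the directory reports USER as a member.
in_group() {
    "$DSEDITGROUP" -o checkmember -m "$1" "$2" >/dev/null 2>&1
}

# grant_local_admin USER: prints skipped | denied | granted | failed
grant_local_admin() {
    user="$1"
    is_safe_username "$user"        || { echo skipped; return 0; }
    in_group "$user" "$AD_GROUP"    || { echo denied;  return 0; }
    # Record the account itself in the local admin group so the right
    # no longer depends on reaching the domain controller.
    if "$DSEDITGROUP" -o edit -a "$user" -t user admin >/dev/null 2>&1; then
        echo granted
    else
        echo failed
        return 1
    fi
}

# Only act when explicitly asked to; the owner of /dev/console is the
# user currently logged in at the login window.
if [ "${1:-}" = "--run" ]; then
    grant_local_admin "$(stat -f%Su /dev/console)"
fi
```

Because the local group membership persists offline, removing someone from the AD group later does not revoke it; a matching removal step is needed if rights are meant to follow the group.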

Michael_Meyers
Contributor

I have a script I got from Tom Larkin that will cache the credentials of the logged in user and make them an admin. We run it through Self Service.

pickerin
Contributor II

@Mike_Meyers can you post the script for us?