MacBook Admin user account

Elior
New Contributor

1. When a user is part of the admins' group, will it affect all MBs? Meaning, will an admin user be able to log in and do anything he likes on all other MBs?
 
2. Is it possible to limit an admin user even though he is an admin?

dlondon
Valued Contributor

The group "admin" is a local group. That is, local to a specific machine. The way computers usually make use of shared groups is by binding to a directory, which in many cases is Microsoft Active Directory. In that case you might see groups like DomainName\Administrators or DomainName\DesktopAdmins with admin rights across machines, but you have to do things to set that up in the binding or afterwards.

Yes, you can limit admin access. The sudoers file comes to mind. You can also use lots of features in Jamf.

It would help answer your question if you listed the things you are tryin

AJPinto
Esteemed Contributor

All accounts on macOS are local and any permissions are local to that specific device. However, there are caveats depending on how your environment is configured. 

  • If you are using Platform SSO, macOS 14 can be configured to respect AAD groupings and automatically add users to specific local Mac Groups.
  • If you are AD binding a Mac, that opens up AD group membership depending on how you have it configured. If you are still AD binding, look into getting away from that.
  • If you are using JAMF Connect, it can automatically add users to the admin group based on IDP configuration.

 

What exactly are you seeing, that you are trying to prevent? This rabbit hole can get pretty deep.
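
Since both replies note that the "admin" group is local to each Mac, one way to check a given machine is to compare its direct admin group members against an allowlist. This is an added example, not part of any reply in the thread; the function name `unexpected_admins`, the allowlist, and the sample account names are constructed assumptions, and it only looks at direct members (not groups nested in by a directory binding or SSO mapping).

```shell
#!/bin/sh
# Added example: list local admin group members that are not on an allowlist.
# Input is the output of: dscl . -read /Groups/admin GroupMembership
# which has the form "GroupMembership: root alice bob".

# unexpected_admins "<dscl output>" "<space-separated allowlist>"
# Prints one unexpected account per line. Returns 2 if the input is not
# a GroupMembership line (for example, a dscl error message).
unexpected_admins() {
    case "$1" in
        "GroupMembership:"*) members=${1#GroupMembership:} ;;
        *) echo "unrecognised dscl output" >&2; return 2 ;;
    esac
    # Pad with spaces so "admin" does not match inside "itadmin".
    allow=" $2 "
    for m in $members; do
        case "$allow" in
            *" $m "*) ;;                 # expected admin, skip
            *) printf '%s\n' "$m" ;;     # not on the allowlist
        esac
    done
    return 0
}

# Constructed allowlist (assumption): accounts expected to hold admin rights.
ALLOWED_ADMINS="root itadmin"

if command -v dscl >/dev/null 2>&1; then
    # On a Mac, read the real local group.
    current=$(dscl . -read /Groups/admin GroupMembership)
else
    # Constructed sample so the script also runs off a Mac.
    current="GroupMembership: root itadmin tempuser"
fi

extra=$(unexpected_admins "$current" "$ALLOWED_ADMINS")
if [ -n "$extra" ]; then
    for u in $extra; do
        echo "unexpected local admin: $u"
    done
fi
```

Run per device (for example as a management-tool script), since the result only describes the machine it runs on.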