Macs (10.6.x) + AD + Group = AutoAdmin?

ImAMacGuy
Valued Contributor II

Is it possible for the Mac's (bound to AD, using native binding on
10.6.x) to see that a user is in a particular group, and grant admin
based on that?

John Wojda

Lead System Engineer, DEI

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>

Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>


jarednichols
Honored Contributor

In the AD plugin you can grant admin priv to members of AD groups. We do this for our support desk people.
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Not applicable

It is possible, but we've seen flaky results here. Might be our
environment, but every once in a while I'll log in and not be granted
admin on my machine (despite previously opening the Accounts window and
making myself an admin on the machine).

Bob

jarednichols
Honored Contributor

If you lose sight of the DC you won't retain the admin rights. Our solution has been to hard-code particular AD users into the admin group.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin
Honored Contributor

Anything is possible. I don't have AD, but if you log in with AD
credentials, does it store AD group information anywhere? If so, can
you give me examples?

ImAMacGuy
Valued Contributor II

My boss is part of the Admin group, and I checked through the AD plugin
- it does have Allow Administration by: domainadmin

Is it case sensitive? I don't believe the case matches what's on the AD
server...

John Wojda

Lead System Engineer, DEI

3333 Beverly Rd. B2-338B

Hoffman Estates, IL 60179

Phone: (847)286-7855

Page: (224)532.3447

Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>

Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>

jarednichols
Honored Contributor

It is not case sensitive (or at least ours isn't)

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

ernstcs
Contributor III

So we have different labs that have different groups of people with admin rights to their boxes only.

So we add our main group with admin everywhere, and then I have scripts that run that add their group At Reboot for their configuration they've imaged with in the lab.

#!/bin/sh

######################################################
## This script will add the following group later to AD bindings.
## Created Wednesday, January 9, 2008 - ERNSTCS
######################################################

sleep 90

/usr/sbin/dsconfigad -groups "LAB.ED.ADMINS,LAB.ADMINS,LAB.MAC.HSNG.ADMINS,LAB.HSNG.ADMINS"

Works in 10.5 and 10.6

Now, you can't just add a single group with the command and have it append, you actually have to add each group at one time again. I put a sleep in there just to make sure everything else with AD settled down after the imaging reboot. There were issues before with older systems being just slow. Likely not the case anymore.

As for the admin rights going away here's the deal from my understanding:

If you add a group here in the AD plug-in, those users will only have admin when it can see AD; when it cannot see AD, admin is unavailable to them even if you check the box while they are logged in. Not sure why it works that way, but that's my experience.

This is different from having a non-admin AD user login and then checking their box for admin, that will stick.

Craig E
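Because dsconfigad -groups replaces the whole allowed-groups list rather than appending to it, the safe way to add one lab's group is to read the groups that are already allowed and submit the merged list. The script below is an added example, not Craig's or anyone else's code from this thread; it runs offline against a constructed sample of the "Allowed admin groups" line as dsconfigad -show prints it (the same line Charlie's List Admins script greps for), and only prints the dsconfigad command it would run.

```shell
#!/bin/bash
# Added example (not from the thread): build the full -groups list so that a
# new AD group is appended to, rather than replacing, the groups already
# allowed by dsconfigad. The real command is only shown, not executed.

# Constructed sample of `dsconfigad -show` output (assumed format; only the
# "Allowed admin groups" line matters here).
SAMPLE_DSCONFIGAD_SHOW='Active Directory Domain          = ad.example.com
Advanced Options - Administrative
  Allowed admin groups           = LAB.ADMINS,LAB.ED.ADMINS
  Authentication from any domain = Enabled'

# Extract the current comma-separated allowed-groups list from -show output
# given on stdin. Prints an empty string if the line is missing or "not set".
current_admin_groups() {
    local line
    line=$(grep "Allowed admin groups" | cut -d "=" -f 2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$line" = "not set" ]; then
        line=""
    fi
    printf '%s' "$line"
}

# merge_groups EXISTING NEW...: print EXISTING plus each NEW group that is
# not already present (case-insensitive compare, since the thread reports the
# plugin is not case sensitive), comma-separated, without duplicates.
merge_groups() {
    local existing="$1"; shift
    local merged="$existing"
    local g
    for g in "$@"; do
        if ! printf '%s\n' "$merged" | tr ',' '\n' | grep -qixF -- "$g"; then
            if [ -z "$merged" ]; then merged="$g"; else merged="$merged,$g"; fi
        fi
    done
    printf '%s' "$merged"
}

# Compute the new list and show the command that would apply it.
# On a real Mac, replace the sample with: dsconfigad -show | current_admin_groups
existing=$(printf '%s\n' "$SAMPLE_DSCONFIGAD_SHOW" | current_admin_groups)
wanted=$(merge_groups "$existing" "LAB.HSNG.ADMINS" "lab.admins")
echo "Would run: /usr/sbin/dsconfigad -groups \"$wanted\""
```

Running it prints the command with LAB.HSNG.ADMINS appended and the duplicate lab.admins dropped; in a Casper policy you would pipe the live dsconfigad -show output into current_admin_groups and then actually run the dsconfigad line.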

dkucmierz
Contributor

Hence why I have a policy scoped to the AD groups that need to be local admins that adds that user to the local admin group:

dscl . -append /Groups/admin GroupMembership $3

--

David Kucmierz
Mesquite ISD Technical Services
972.882.5506

Not applicable

A few caveats that Jared and I have come across in our experience with
coding AD-based users as admins in the local admin group using dscl:
- User names are case sensitive. In our environment, they need to be all
lower-case in order to match the AD-based users.
- You can add the same user name multiple times as duplicates. This
doesn't seem to affect the operation, but all instances have to be removed
in order to revoke admin rights.

Here are the scripts we use:

Make User Admin - this will convert all characters to lower case, check
for duplicate entries, and is designed for use with Casper Remote and
Casper Imaging (run at reboot).

#!/bin/bash

# Check if run as root
ROOT_UID="0"
if [ "$UID" -ne "$ROOT_UID" ] ; then
    echo "Please run this script as root or with sudo rights!"
    exit 1
fi

# Put into an array all users from input and normalize to all lower-case.
# (Casper passes the custom script parameters starting at $4.)
Users[0]="$(echo ${4} | tr 'A-Z' 'a-z')"
Users[1]="$(echo ${5} | tr 'A-Z' 'a-z')"
Users[2]="$(echo ${6} | tr 'A-Z' 'a-z')"
Users[3]="$(echo ${7} | tr 'A-Z' 'a-z')"
Users[4]="$(echo ${8} | tr 'A-Z' 'a-z')"
Users[5]="$(echo ${9} | tr 'A-Z' 'a-z')"
Users[6]="$(echo ${10} | tr 'A-Z' 'a-z')"
Users[7]="$(echo ${11} | tr 'A-Z' 'a-z')"

# Assign to an array the current Admins on the box. We'll need this for
# comparison.
Admins=($(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2))

# Let's get to work
AdminsTmp=(${Admins[@]})
AdminsToAdd=(${Users[@]})

# Drop every requested user who is already in the admin group.
for (( j=0 ; j<${#AdminsTmp[@]} ; j++ ))
do
    n=${#AdminsToAdd[@]}
    for (( i=0 ; i<n ; i++ ))
    do
        if [[ "${AdminsToAdd[$i]}" == "${AdminsTmp[$j]}" ]]
        then
            unset AdminsToAdd[$i]
        fi
    done
    # Re-pack the array so the indices are contiguous again after unset.
    AdminsToAdd=(${AdminsToAdd[@]})
done

if [[ ${#AdminsToAdd[@]} -gt 0 ]]
then
    dscl . -append /Groups/admin GroupMembership ${AdminsToAdd[@]}
else
    echo "Nothing to add to Admin group. The user(s) you're trying to add may already be there."
fi

-------

List Admins - Designed for use with Casper Remote; view the log file to
get the results (hence the echo formatting).

#!/bin/bash

echo
echo ""
echo "Members of the local admin group:"
echo "$(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2)"
echo ""
echo "Active Directory users/groups with admin access:"
echo "$(dsconfigad -show | grep "Allowed admin groups" | cut -d "=" -f 2)"
echo ""
echo "*"

exit 0

-------

Remove Admin Rights - the reverse of the Make User Admin script. Accounts
for duplicate entries. Also designed for use with Casper Remote.

#!/bin/bash

# Check if run as root
ROOT_UID="0"
if [ "$UID" -ne "$ROOT_UID" ] ; then
    echo "Please run this script as root or with sudo rights!"
    exit 1
fi

# Put into an array all users from input and normalize to all lower case.
# (Casper passes the custom script parameters starting at $4.)
Users[0]="$(echo ${4} | tr 'A-Z' 'a-z')"
Users[1]="$(echo ${5} | tr 'A-Z' 'a-z')"
Users[2]="$(echo ${6} | tr 'A-Z' 'a-z')"
Users[3]="$(echo ${7} | tr 'A-Z' 'a-z')"
Users[4]="$(echo ${8} | tr 'A-Z' 'a-z')"
Users[5]="$(echo ${9} | tr 'A-Z' 'a-z')"
Users[6]="$(echo ${10} | tr 'A-Z' 'a-z')"
Users[7]="$(echo ${11} | tr 'A-Z' 'a-z')"

# Assign to an array the current members of the admin group.
# We'll need this to compare to, in case of duplicates.
Admins=($(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2))

# Set our arrays as variables.
AdminsTmp=(${Admins[@]})
AdminsToRemove=(${Users[@]})

# Comparison loop to remove user names that match. Every matching entry gets
# its own dscl -delete call, so a name that was appended twice is checked twice.
for (( j=0 ; j<${#AdminsToRemove[@]} ; j++ ))
do
    for (( i=0 ; i<${#AdminsTmp[@]} ; i++ ))
    do
        if [[ "${AdminsToRemove[$j]}" == "${AdminsTmp[$i]}" ]]
        then
            dscl . -delete /Groups/admin GroupMembership ${AdminsToRemove[$j]}
        fi
    done
done

echo "Removal complete."
echo "*** The remaining admins are: $(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2)"
exit 0

-------

If you find them useful, enjoy! :-)

-Charlie

-------------------------------------
Charlie Smith
Desktop Engineer
Information Services Department (ISD)
MIT Lincoln Laboratory
244 Wood St. Lexington, MA 02420
Phone: 781.981.0854
E-mail: charlie.smith at ll.mit.edu
-------------------------------------
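The two pitfalls Charlie lists (names that are not all lower-case and so never match the AD account, and the same name appended more than once so a single delete does not revoke admin) can be checked for without touching the group. The script below is an added example, not part of Charlie's or Jared's scripts above; it audits a constructed sample of the line that `dscl . -read /Groups/admin GroupMembership` prints, and on a real Mac you would pipe the live output of that command into the same functions.

```shell
#!/bin/bash
# Added example (not from the thread): an offline audit of the local admin
# group's GroupMembership attribute for the problems described above.

# Constructed sample; the real attribute line has the same shape.
SAMPLE_MEMBERSHIP='GroupMembership: root admin jsmith JSmith jsmith helpdesk01'

# Print the member names (one per line) from a GroupMembership line on stdin.
members() {
    cut -d ":" -f 2 | tr ' ' '\n' | grep -v '^$'
}

# Print names that appear more than once in the group, each once.
duplicate_members() {
    members | sort | uniq -d
}

# Print names containing upper-case letters: these will not match an AD
# account whose short name is lower-case, so that user would not get admin.
mixed_case_members() {
    members | grep '[[:upper:]]'
}

# Print names that collide after lower-casing, i.e. the same AD account
# recorded under different capitalisations.
case_collisions() {
    members | tr 'A-Z' 'a-z' | sort | uniq -d
}

# Run the full audit on the given line; returns 1 if anything was flagged.
audit_membership() {
    local line="$1" dups mixed coll rc=0
    dups=$(printf '%s\n' "$line" | duplicate_members)
    mixed=$(printf '%s\n' "$line" | mixed_case_members)
    coll=$(printf '%s\n' "$line" | case_collisions)
    [ -n "$dups" ]  && { echo "duplicate entries: $(echo $dups)"; rc=1; }
    [ -n "$mixed" ] && { echo "mixed-case entries: $(echo $mixed)"; rc=1; }
    [ -n "$coll" ]  && { echo "same account, different case: $(echo $coll)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "admin group membership looks clean"
    return "$rc"
}

# On a real Mac: audit_membership "$(dscl . -read /Groups/admin GroupMembership)"
if audit_membership "$SAMPLE_MEMBERSHIP"; then
    :
else
    echo "(findings above need cleanup before revoking or granting admin)"
fi
```

Against the sample it reports jsmith as a duplicate, JSmith as a mixed-case entry and jsmith as a case collision; each finding is exactly what the Remove Admin Rights script above has to loop over, or what the Make User Admin script's lower-casing is meant to prevent.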