- Jamf Nation Community
- Products
- Jamf Pro
- Macs (10.6.x) + AD + Group = AutoAdmin?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Macs (10.6.x) + AD + Group = AutoAdmin?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:42 AM
Is it possible for the Mac's (bound to AD, using native binding on
10.6.x) to see that a user is in a particular group, and grant admin
based on that?
John Wojda
Lead System Engineer, DEI
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Fe
edback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:46 AM
In the AD plugin you can grant admin priv to members of AD groups. We do this for our support desk people.
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:47 AM
It is possible, but we've seen flaky results here. Might be our
environment, but every once in awhile I'll login and not be granted
admin on my machine (despite previously opening the Accounts window and
making myself an admin on the machine)
Bob
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:48 AM
If you lose sight of the DC you won't retain the admin rights. Our solution has been to hard-code particular AD users into the admin group.
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:50 AM
Anything is possible. I don't have AD, but if you log in with AD
credentials, does it store AD group information anywhere? If so, can
you give me examples?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 07:55 AM
My boss is part of the Admin group, and I checked through the AD plugin
- it does have Allow Administration by: domainadmin
Is it case sensitive? I don't believe the case matches what's on the AD
server...
John Wojda
Lead System Engineer, DEI
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Fe
edback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 08:00 AM
It is not case sensitive (or at least ours isn't)
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 08:15 AM
So we have different labs that have different groups of people with admin rights to their boxes only.
So we add our main group with admin everywhere, and then I have scripts that run that add their group At Reboot for their configuration they've imaged with in the lab.
#!/bin/sh
######################################################
## This script will add the following group later to AD bindings.
## Created Wednesday, January 9, 2008 - ERNSTCS
######################################################
sleep 90
/usr/sbin/dsconfigad -groups "LAB.ED.ADMINS,LAB.ADMINS,LAB.MAC.HSNG.ADMINS,LAB.HSNG.ADMINS"
Works in 10.5 and 10.6
Now, you can't just add a single group with the command and have it append, you actually have to add each group at one time again. I put a sleep in there just to make sure everything else with AD settled down after the imaging reboot. There were issues before with older systems being just slow. Likely not the case anymore.
As for the admin rights going away here's the deal from my understanding:
If you add a group here in the AD plug-in, those users will only have admin when it can see AD, when it can not see AD admin is unavailable to them even if you check the box while they are logged in. Not sure why it works that way, but that's my experience.
This is different from having a non-admin AD user login and then checking their box for admin, that will stick.
Craig E
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 08:55 AM
Hence why I have a policy scoped to the AD groups that need to be local admins that adds that user to the local admin group:
dscl . -append /Groups/admin GroupMembership $3
--
David Kucmierz
Mesquite ISD Technical Services
972.882.5506
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-24-2011 09:30 AM
A few caveats that Jared and I have come across in our experience with
coding AD-based users as admins in the local admin group using dscl:
- User names are case sensitive. In our environment, they need to be all
lower-case in order to match the AD-based users.
- You can add the same user name multiple times as duplicates. This
doesn't seem to affect the operation, but all instances have to be removed
in order to revoke admin rights.
Here are the scripts we use:
Make User Admin - this will convert all characters to lower case, check
for duplicate entries, and is designed for use with Casper Remote and
Casper Imaging (run at reboot).
#!/bin/sh
#Check if run as root
ROOT_UID="0"
if [ "$UID" -ne "$ROOT_UID" ] ; then
echo "Please run this script as root or with sudo rights!"
exit 1
fi
#Put into an array all users from input and normalize to all lower-case.
Users[0]="$(echo ${4} | tr 'A-Z' 'a-z')"
Users[1]="$(echo ${5} | tr 'A-Z' 'a-z')"
Users[2]="$(echo ${6} | tr 'A-Z' 'a-z')"
Users[3]="$(echo ${7} | tr 'A-Z' 'a-z')"
Users[4]="$(echo ${8} | tr 'A-Z' 'a-z')"
Users[5]="$(echo ${9} | tr 'A-Z' 'a-z')"
Users[6]="$(echo ${10} | tr 'A-Z' 'a-z')"
Users[7]="$(echo ${11} | tr 'A-Z' 'a-z')"
#Assign to an array the current Admins on the box. We'll need this for
comparisson.
Admins=(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2)
#Let's get to work
AdminsTmp=(${Admins[@]})
AdminsToAdd=(${Users[@]})
for (( j=0 ; j<${#AdminsTmp[@]} ; j++ ))
do
for (( i=0 ; i<${#AdminsToAdd[@]} ; i++ ))
do
if [[ "${AdminsToAdd[$i]}" == "${AdminsTmp[$j]}" ]]
then
unset AdminsToAdd[$i]
let "i--"
fi
done
done
if [[ ${AdminsToAdd[@]} != "" ]]
then
dscl . -append /Groups/admin GroupMembership ${AdminsToAdd[@]}
else
echo "Nothing to add to Admin group. The user(s) you're trying to add may
already be there."
Fi
-------
List Admins - Designed for use with Casper Remote; view the log file to
get the results (hence the echo formatting).
#!/bin/bash
echo
echo ""
echo "Members of the local admin group:"
echo `dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2`
echo ""
echo "Active Directory users/groups with admin access:"
echo `dsconfigad -show | grep "Allowed admin groups" | cut -d "=" -f 2`
echo "*"
exit 0
-------
Remove Admin Rights - the reverse of the Make User Admin script. Accounts
for duplicate entries. Also designed for use with Casper Remote.
#!/bin/sh
# Check if run as root
ROOT_UID="0"
if [ $UID -ne "$ROOT_UID" ] ; then
echo "Please run this script as root or with sudo rights!"
exit 1
fi
# Put into an array all users from input and normalize to all lower case.
Users[0]="$(echo ${4} | tr 'A-Z' 'a-z')"
Users[1]="$(echo ${5} | tr 'A-Z' 'a-z')"
Users[2]="$(echo ${6} | tr 'A-Z' 'a-z')"
Users[3]="$(echo ${7} | tr 'A-Z' 'a-z')"
Users[4]="$(echo ${8} | tr 'A-Z' 'a-z')"
Users[5]="$(echo ${9} | tr 'A-Z' 'a-z')"
Users[6]="$(echo ${10} | tr 'A-Z' 'a-z')"
Users[7]="$(echo ${11} | tr 'A-Z' 'a-z')"
# Assign to an arry the current members of the admin group.
# We'll need this to compare to, in case of duplicates.
Admins=(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2)
# Set our arrays as variables.
AdminsTmp=(${Admins[@]})
AdminsToRemove=(${Users[@]})
# Comparison loop to remove user names that match.
for (( j=0 ; j <${#AdminsToRemove[@]} ; j++ ))
do
for (( i=0 ; i <${#AdminsTmp[@]} ; i++ ))
do
if [[ "${AdminsToRemove[$j]}" == "${AdminsTmp[$i]}" ]]
then
dscl . -delete /Groups/admin GroupMembership ${AdminsToRemove[$j]}
let "i++"
fi
done
done
echo "Removal complete."
echo "*** The remaining admins are: `dscl . -read /Groups/admin
GroupMembership | cut -d ":" -f 2`"
exit 0
-------
If you find them useful, enjoy! :-)
-Charlie
-------------------------------------
Charlie Smith
Desktop Engineer
Information Services Department (ISD)
MIT Lincoln Laboratory
244 Wood St. Lexington, MA 02420
Phone: 781.981.0854
E-mail: charlie.smith at ll.mit.edu
-------------------------------------
