Making a single AD user into a local admin

curiousgene
New Contributor

I'm trying to figure out the best way to make one AD user per system into a local admin. The idea is that the user to whom the system is assigned should be a local admin, but we don't want to extend admin rights to all domain users. I thought it might be useful to create an Extension Attribute for each system, manually populated, that's the shortname of the user it's assigned to. Then I could pass that to a script that uses dscl and dseditgroup to make sure that user is in the admin group, and other domain users aren't.

It doesn't look like I can pass Extension Attributes as parameters, though, which leaves me wondering about the best way to do this.

donmontalvo
Esteemed Contributor II

NM...misread post...sorry

--
https://donmontalvo.com

rmanly
Contributor III

To solve this problem I made a little Automator app with two actions.

  1. Ask for Text
    What NETWORK ACCOUNT should I promote to administrator?
    Checked Require an answer

  2. Run Shell Script
    dseditgroup -o edit -n /Local/Default -u admin_dist -P "yourpasshere" -a "$1" -t user admin

Then I packaged that up and put it on the Desktop of the Local Admin.

After imaging the tech will login and run it. We can do this right away as our naming convention includes a portion of the staff member's name. But it could also be done at checkout/pick-up.

I haven't thought of a GOOD way to automate this further for various reasons.

EDIT: now that we have figured out how to get AppleScript to pop open windows from Self Service I could go back and make it work from there I suppose...

frozenarse
Contributor II

Check out the script at the bottom of this post: https://jamfnation.jamfsoftware.com/discussion.html?id=2337

That's currently what I'm playing with. I include that script in a Configuration that is used to re-image machines. You add the username you want to be admin in parameter 4 and it adds it in at reboot.

For anything Post-Image, I have a script (I believe modified from the one mentioned above) that will Add an acct entered in Parameter 4 and Remove an acct if you enter it in Parameter 5.

rickgmac
Contributor

This is a script that was posted by Tomas Tyler on the old mailing list. I have used this at many sites to make the first domain user who logs on to the machine an admin only. Works on Lion and Snow Leopard.

#!/bin/bash
# v 3.2
###################################################
# Tomos Tyler
# 2011 Red Wine Ink.
# No Warranty or acceptance of responsibility if used
#
# Can be used and distributed as long as these notes remain
#
################# Description #####################
#
# Some sites require a user to be an admin.
# However, when using Windows Active Directory to authenticate,
# using the AD plugin to set administration privileges
# only gives a user admin rights while on site.
# The following script adds a user to the administration group.
#
# Be careful with this: if an admin user is removed from a computer,
# a stub is left in the admin group referring to a user who does
# not exist. This will have to be fixed manually via dscl.
#
#################### Notes ########################
#
# ${3}: The user's short name, when used with Casper
#
# If you have multiple admin users on your computer,
# ensure you alter the exclusion list below.
#
# Designed to be used by Casper as a login policy
###################################################
unset IFS

# Casper passes the logging-in user's short name as $3; nothing to do without it
if [ -z "${3}" ]; then
    exit 0
fi

# Populate an array with the users in the current admin group
adminGroup=( $(dscl -f "/var/db/dslocal/nodes/Default" localonly -read /Local/Target/Groups/admin GroupMembership | awk -F ": " '{print $NF}') )
ADUserFound="0"

# Check whether the user is already a member of the admin group
for i in "${adminGroup[@]}"; do
    if [ "${i}" = "${3}" ]; then
        echo "User ${3} is already an admin..."
        ADUserFound="1"
    fi
done

# Alter the following to the users to be excluded from processing
if [ "${ADUserFound}" = "0" ]; then
    case "${3}" in
        root|ladmin|cadmin|_cadmin|adobeinstall) exit 0 ;;
    esac
else
    echo "User ${3} is already an admin or should not be processed."
    exit 0
fi

echo "User ${3} is not an admin, proceeding..."

# Cycle through the current members and check their UniqueID
for RecordName in "${adminGroup[@]}"; do
    # A dangling stub (deleted user) has no record, so UniqueID comes back empty
    UniqueID=$(dscl -f "/var/db/dslocal/nodes/Default" localonly -read "/Local/Target/Users/${RecordName}" UniqueID 2>/dev/null | awk '{print $2}')

    # A UniqueID greater than 9999 should be an AD user, so an AD user has already been granted admin rights; stop here
    if [ -n "${UniqueID}" ] && [ "${UniqueID}" -gt 9999 ]; then
        echo "An AD User is already in the Admin Group!"
        exit 0
    fi
done

# If we get to this stage we can simply add the user currently logging in to the admin group
dscl -f "/var/db/dslocal/nodes/Default" localonly -append /Local/Target/Groups/admin GroupMembership "${3}"
echo "Just added the user ${3} to the Admin Group"

#
# An option to call another process or login item for further configuration via launchd or more login hooks
# touch "/Users/${3}/Documents/Microsoft User Data/.SetupISBMail"
exit 0
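The script above grants admin to whichever domain user logs in first; the original question asked for the assigned user and no other domain user. The following is an added example (not from the thread or from Jamf) that does that reconciliation: it assumes the assigned short name arrives as Jamf policy parameter $4 and reuses the UniqueID > 9999 rule from the script above to tell network accounts from local ones. The decision step is a pure function, so it can be checked without dscl.

```bash
#!/bin/bash
# Assumptions (not from the thread): Jamf passes the assigned short name as
# parameter $4; UniqueID > 9999 marks a network (AD) account, as above.
NETWORK_UID_FLOOR=9999
# plan_admin_changes ASSIGNED "member ..." "name:uid ..."
# Pure decision step, prints "add NAME" / "remove NAME" and touches nothing.
# Members with no numeric UID (dangling stubs of deleted users) are skipped.
plan_admin_changes() {
    local assigned=$1 members=$2 uidmap=$3 member entry uid found=0
    for member in $members; do
        if [ "$member" = "$assigned" ]; then
            found=1
            continue
        fi
        for entry in $uidmap; do
            [ "${entry%%:*}" = "$member" ] || continue
            uid=${entry##*:}
            case $uid in ''|*[!0-9]*) continue ;; esac
            [ "$uid" -gt "$NETWORK_UID_FLOOR" ] && echo "remove $member"
        done
    done
    [ "$found" -eq 1 ] || echo "add $assigned"
}

# Live directory reads (macOS only): admin members and their UniqueIDs.
current_admins() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null | awk -F': ' '{print $2}'
}
uid_map() {
    local name
    for name in "$@"; do
        printf '%s:%s ' "$name" "$(dscl . -read "/Users/$name" UniqueID 2>/dev/null | awk '{print $2}')"
    done
}
# Apply the plan with dseditgroup (-a adds a member, -d removes one).
apply_plan() {
    local action name
    while read -r action name; do
        case $action in
            add)    /usr/sbin/dseditgroup -o edit -a "$name" -t user admin ;;
            remove) /usr/sbin/dseditgroup -o edit -d "$name" -t user admin ;;
        esac
        echo "$action $name"
    done
}
if [ "$(uname)" = Darwin ] && [ -n "${4:-}" ]; then
    members=$(current_admins)
    plan_admin_changes "$4" "$members" "$(uid_map $members)" | apply_plan
fi
```

Run it as a recurring policy rather than once at imaging, so a machine reassigned to a new user loses the old user's admin rights on the next check-in.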

deezkidz
New Contributor

Awesome script, however I am having issues implementing it. Do I put this script in the image process or policies?

dmcintos
New Contributor

We just add the assigned user to the Managed By tab of the workstation object. This makes them admin of their machine only.

deezkidz
New Contributor

Where might that object be? Is it under management, settings or inventory?

dmcintos
New Contributor

Sorry,
That would be in AD in the Workstation container. Our technicians have read/write permissions to certain WS containers for staff machines. The other benefit is I know who the machine belongs to when I'm looking at the object for whatever reason.

bcourtade
New Contributor III

What I'm doing is creating a policy that is scoped to the assigned user and is available in Self Service. That way they can do it once on the network and once at home under their mobile account if they need admin rights.

This is the script in the policy, I got most of it from another thread a while back:

#!/bin/bash

# Short name of the user currently at the console (the user who ran the Self Service policy)
loggedInUser=$( ls -l /dev/console | awk '{ print $3 }' )

# Nobody logged in (console owned by root) means there is no one to promote
if [ -z "$loggedInUser" ] || [ "$loggedInUser" = "root" ]; then
    echo "No console user found, nothing to do"
    exit 1
fi

# checkmember prints "yes <user> is a member of admin" or "no <user> is NOT a member of admin"
evaluate=$( /usr/sbin/dseditgroup -o checkmember -m "$loggedInUser" admin )

echo "$evaluate"

# Anchor the patterns to the start of the line so a username containing "yes" cannot match the wrong branch
case $evaluate in
    yes* ) echo "User is already an admin on this mac";;
    no* ) /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin;;
    * ) echo "Something went wrong";;
esac