Jamf Nation Community

I was looking for a graceful solution to add non-admin users to lpadmin so they can setup printers. In researching this on JAMF Nation, I also found this to be related to editing etc/authorization to allow non-admin users to edit certain admin only system prefs.

These two JAMF Nation threads, and this mattsmacblog and macmule post are what got me thinking about this solution.
https://jamfnation.jamfsoftware.com/discussion.html?id=4789
https://jamfnation.jamfsoftware.com/discussion.html?id=922
http://mattsmacblog.wordpress.com/2012/01/05/making-use-of-the-etcauthorization-file-in-lion-10-7-x/
http://macmule.com/2011/07/27/how-to-allow-all-users-to-add-or-remove-printers/

Sometimes you just want to give your non-admin users a little more power.
Maybe the ability to create a printer. (Yes, you can setup printers in Casper, but what about a user's home printer?)
Or maybe you would like to give them the ability to change the Energy Saver prefs, or the time zone.

In this script I use the Casper Parameters 4 - 9 to enable or disable all the options. (yes or no)
By entering "yes" in the script variables you could use this script with Casper to give a non-admin user access to Energy Saver, Printers, Network, Date & Time, and Time Machine.
You could use this script to turn it all off again, by entering "no" in the variables. Any combination of yes or no lets you choose how you want to set it up.
You don't have to edit the script, just specify the variables when setting up the policy.

#!/bin/sh
####################################################################################################
#
# NAME
#   ConfigPowerUsers.sh
#
# DESCRIPTION
#   This script is intended to create non-admin "Power Users". 
#      There are some locked Systems Preferences that non-admin users may need to access. 
#   This may be System Preferences like Energy Saver, Network, Date & Time, or Time Machine.
#   The ability for non-admins to be able to add Printers is also a frequent request.
#   This can be accomplished by adding users or groups to the lpadmin group.
#   The inspiration for the script came from MattsMacBlog
#   http://mattsmacblog.wordpress.com/2012/01/05/making-use-of-the-etcauthorization-file-in-lion-10-7-x/ 
#
# SYNOPSIS
#   sudo ConfigPowerUsers.sh
#   sudo ConfigPowerUsers.sh <mountPoint> <computerName> <currentUsername> 
#   <NetaccountsToLpadmin> <LocalaccountsToLpadmin> <AllowEnergysaverPrefs> <AllowNetworkPrefs> <AllowDatetimePrefs> <AllowTimemachinePrefs>
#   
#   Parameter 1, 2, and 3 will not be used in this script, but since they are passed by
#   The Casper Suite, we will start using parameters at parameter 4.
#   If no parameter is specified for parameters 4 - 9, the hardcoded value in the script
#   will be used.  If values are hardcoded in the script for the parameters, then they will override
#   any parameters that are passed by The Casper Suite.
#
#   Parameters $4 - $9 should be set to the following values.       
#       "TRUE"
#       "YES"
#       "FALSE"
#       "NO"
#   If no value is set "FALSE" or NO" is assumed.
#
#
####################################################################################################
#
# HISTORY
#
#   Version: 1.0
#
#   - Updated by Eric Benfer on March 30th, 2013
# 
####################################################################################################
#
### Ensure we are running this script as root ###
rootcheck () {
if [ "`/usr/bin/whoami`" != "root" ] ; then
  /bin/echo "This script must be run as root or sudo."
  exit 0
fi
}
#
rootcheck
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################

# Casper Environmental Positional Variables.
# $1 Mount Point
# $2 Computer Name
# $3 Current User Name
# Declare the Enviromental Positional Variables so the can be used in function calls.
mountPoint=$1
computerName=$2
currentUsername=$3

OS=`/usr/bin/sw_vers -productVersion | /usr/bin/colrm 5`

#Parameter 4 Lable: NetaccountsToLpadmin
#Parameter 5 Lable: LocalaccountsToLpadmin
#Parameter 6 Lable: AllowEnergysaverPrefs
#Parameter 7 Lable: AllowNetworkPrefs
#Parameter 8 Lable: AllowDatetimePrefs
#Parameter 9 Lable: AllowTimemachinePrefs

# HARDCODED VALUES SET HERE - There is no need to edit this if you are going to use this script
# via a Casper JSS policy. Just specify "yes" or "no" in the policy parameters.

NetaccountsToLpadmin=""       # Add the group netaccounts to the lpadmin group? yes/no
LocalaccountsToLpadmin="" # Add the group localaccounts to the lpadmin group? yes/no
AllowEnergysaverPrefs=""  # Unlock the Energy Saver preference pane for the group lpadmin? yes/no
AllowNetworkPrefs=""      # Unlock the Network preference pane for the group lpadmin? yes/no
AllowDatetimePrefs=""     # Unlock the Date and Time preference pane for the group lpadmin? yes/no
AllowTimemachinePrefs=""  # Unlock the Time Machine preference pane for the group lpadmin? yes/no

# CHECK TO SEE IF A VALUE WERE PASSED IN FOR PARAMETERS $4 THROUGH $9 AND, IF SO, ASSIGN THEM
if [ "$4" != "" ] && [ "$NetaccountsToLpadmin" == "" ]; then
    NetaccountsToLpadmin=$4
fi

if [ "$5" != "" ] && [ "$LocalaccountsToLpadmin" == "" ]; then
    LocalaccountsToLpadmin=$5
fi

if [ "$6" != "" ] && [ "$AllowEnergysaverPrefs" == "" ]; then
    AllowEnergysaverPrefs=$6
fi

if [ "$7" != "" ] && [ "$AllowNetworkPrefs" == "" ]; then
    AllowNetworkPrefs=$7
fi

if [ "$8" != "" ] && [ "$AllowDatetimePrefs" == "" ]; then
    AllowDatetimePrefs=$8
fi

if [ "$9" != "" ] && [ "$AllowTimemachinePrefs" == "" ]; then
    AllowTimemachinePrefs=$9
fi

AllPrefs="$AllowEnergysaverPrefs $AllowNetworkPrefs $AllowDatetimePrefs $AllowTimemachinePrefs"

/bin/echo This computer is running is OS X "$OS"
/bin/echo variable mountPoint is "$mountPoint"
/bin/echo variable computerName is "$computerName"
/bin/echo variable username is "$username"
/bin/echo variable NetaccountsToLpadmin is "$NetaccountsToLpadmin"
/bin/echo variable LocalaccountsToLpadmin is "$LocalaccountsToLpadmin"
/bin/echo variable AllowEnergysaverPrefs is "$AllowEnergysaverPrefs"
/bin/echo variable AllowNetworkPrefs is "$AllowNetworkPrefs"
/bin/echo variable AllowDatetimePrefs is "$AllowDatetimePrefs"
/bin/echo variable AllowTimemachinePrefs is "$AllowTimemachinePrefs"
/bin/echo variable AllPrefs is "$AllPrefs"

####################################################################################################
# 
# SCRIPT CONTENTS
#
####################################################################################################

# Configure the lpadmin group
# Add specific groups to the lpadmin "Print Administrators" group. Members of lpadmin can add printers in OS X.
# The lpadmin group may also be given "Power User" privileges later in this script.

# NetaccountsToLpadmin  
case $NetaccountsToLpadmin in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Adding the group netaccounts to the lpadmin group"
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "netaccounts" -t group lpadmin;;
    *)
        /bin/echo "Removing the group netaccounts from the lpadmin group" #Use this to undo the above command.
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "netaccounts" -t group lpadmin;;
esac

# localaccounts
case $LocalaccountsToLpadmin in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Adding the group localaccounts to the lpadmin group"
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "localaccounts" -t group lpadmin;;
    *)
        /bin/echo "Removing the group localaccounts from the lpadmin group" #Use this to undo the above command.
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "localaccounts" -t group lpadmin;;
esac

# Configure the /etc/authorization file give members of the lpadming group access to specified System Preferences.
# This is a way to make "Power Users" without giving full admin rights.

# Copy the authorization file to a temporary location & make it a plist
/bin/cp -pr /etc/authorization /private/tmp/authorization.plist

# AllowEnergysaverPrefs
case $AllowEnergysaverPrefs in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Unlocking the Energy Saver preference pane for the group"
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.energysaver:group lpadmin' /private/tmp/authorization.plist;;
    *)
        /bin/echo "Locking the Energy Saver preference pane to the group" #Use this to undo the above command.
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.energysaver:group admin' /private/tmp/authorization.plist;;
esac
        # Double Check the group setting.
        /usr/libexec/PlistBuddy -c 'Print :rights:system.preferences.energysaver:group' /private/tmp/authorization.plist

# AllowNetworkPrefs
case $AllowNetworkPrefs in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Unlocking the Network preference pane for the group"
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group lpadmin' /private/tmp/authorization.plist;;
    *)
        /bin/echo "Locking the Network preference pane to the group" #Use this to undo the above command.
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group admin' /private/tmp/authorization.plist;;
esac
        # Double Check the group setting.
        /usr/libexec/PlistBuddy -c 'Print :rights:system.preferences.network:group' /private/tmp/authorization.plist

# AllowDatetimePrefs
case $AllowDatetimePrefs in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Unlocking the Date and Time preference pane for the group"
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group lpadmin' /private/tmp/authorization.plist;;
    *)
        /bin/echo "Locking the Date and Time preference pane to the group" #Use this to undo the above command.
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group admin' /private/tmp/authorization.plist;;
esac
        # Double Check the group setting.
        /usr/libexec/PlistBuddy -c 'Print :rights:system.preferences.datetime:group' /private/tmp/authorization.plist

# AllowTimemachinePrefs
case $AllowTimemachinePrefs in "true" | "TRUE" | "yes" | "YES")
        /bin/echo "Unlocking the Time Machine preference pane for the group"
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.timemachine:group lpadmin' /private/tmp/authorization.plist;;
    *)
        /bin/echo "Locking the Time Machine preference pane to the group" #Use this to undo the above command.
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.timemachine:group admin' /private/tmp/authorization.plist;;
esac
        # Double Check the group setting.
        /usr/libexec/PlistBuddy -c 'Print :rights:system.preferences.timemachine:group' /private/tmp/authorization.plist

# AllowSystemPrefs
case $AllPrefs in *"true"* | *"TRUE"* | *"yes"* | *"YES"*)
        /bin/echo "This is automatically set if you unlock any of the System prefs."
        /bin/echo "Unlocking System Preferences for the group" 
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences:group lpadmin' /private/tmp/authorization.plist;;
    *)
        /bin/echo "Locking the System Preferences to the group" #Use this to undo the above command.
        /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences:group admin' /private/tmp/authorization.plist;;
esac
        # Double Check the group setting.
        /usr/libexec/PlistBuddy -c 'Print :rights:system.preferences:group' /private/tmp/authorization.plist

# Move file back to original location
/bin/mv /private/tmp/authorization.plist /etc/authorization

exit 0