This is my first post and I'm new to Casper and binding to AD on OS X, so be gentle.
1. Allow AD users to log in to Mac
2. Allow AD users to elevate to local Administrator privileges when needed
3. Prevent AD users from logging in and running as a local Administrator account
So in the end I want select users who have been given Admin rights to their machine to be able to elevate to those rights when they need to perform Admin tasks, but to prohibit them from actually logging in and running as that admin user account.
1. How can I do this on a Mac?
2. Is there a way to roll this out to deployed systems with Casper?
I know Self Service is an option to provide software, but some users need to make other admin changes at various times, so they have been awarded admin rights. We just want to force them to enter credentials any time they want to make an admin-level change.
Not sure there is an easy way to grant what you want. A local admin with a home directory of /var/empty?
Why do you want users to be admins? You can alter what users are allowed to do:
If the above is not suitable, why not a Self Service policy to make them temporary (i.e. 30 minutes) admins? There's a MakeMeAdmin script on this site which is incredibly useful.
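The temporary-admin idea from the reply above, sketched as an added example that is not part of the thread and is not the MakeMeAdmin script itself. It assumes it runs as root, and the names `STATE_DIR`, `ADMIN_MINUTES`, `grant_admin`, `revoke_expired` and the `DSEDITGROUP` override are hypothetical; `revoke_expired` is meant to be called on a schedule (for example from a LaunchDaemon).

```shell
#!/bin/sh
# Added example: time-boxed admin rights. Run as root.
# STATE_DIR, ADMIN_MINUTES and the DSEDITGROUP override are assumed names.
ADMIN_MINUTES="${ADMIN_MINUTES:-30}"
STATE_DIR="${STATE_DIR:-/private/var/db/tempadmin}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Accept only plain short names; never touch root.
valid_user() {
    case "$1" in
        ''|root|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Add the user to the local admin group and record when the grant expires.
grant_admin() {
    user="$1"
    valid_user "$user" || { echo "refusing user '$user'" >&2; return 2; }
    # Skip existing admins so a permanent admin is never demoted later.
    if "$DSEDITGROUP" -o checkmember -m "$user" admin >/dev/null 2>&1; then
        return 3
    fi
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    expiry=$(( $(date +%s) + ADMIN_MINUTES * 60 ))
    "$DSEDITGROUP" -o edit -a "$user" -t user admin || return 1
    echo "$expiry" > "$STATE_DIR/$user"
}

# Demote every user whose window has passed; call this on a schedule.
# Optional $1 overrides the current epoch time.
revoke_expired() {
    now="${1:-$(date +%s)}"
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        if [ "$(cat "$f")" -le "$now" ]; then
            "$DSEDITGROUP" -o edit -d "${f##*/}" -t user admin && rm -f "$f"
        fi
    done
}

case "${1:-}" in
    grant)  grant_admin "${2:-}" ;;
    revoke) revoke_expired ;;
esac
```

Because the expiry is stored on disk rather than held in a sleeping process, a reboot or logout during the window does not leave the user in the admin group indefinitely.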
Two possible options are: