Sorta OT: /etc/authorization shenanigans

jarednichols
Honored Contributor

So, I'm trying to do some /etc/authorization shenanigans that I can't get sorted. Spent like 3 hours on this last night.

Our Macs are bound to our Active Directory, users are setup as a mobile account. They will NOT have admin rights (woooo hooo). The problem is, many of them travel. So, changing things like date and time and timezone are things they're locked out of as they're not admins.

In comes /etc/authorization shenanigans.

Here's my issue: I can't seem to get the ability for local users in the admin group (don't plan for them, but there may be a case for the need to have one) AND AD accounts to be able to unlock the pref (and other ones that I want to do like Energy Saver).

I've tried changing the group that can unlock to "everyone" but that doesn't seem to be working. (10.7.4 here). If I log in as an AD user and do an id -g, "everyone" is indeed listed, but it doesn't seem to actually work.

So, I thought I would try and setup a definition where users in the admin OR netaccounts groups could unlock the prefs. However, no luck.

I think what I'm most frustrated about is that /etc/authorization is not documented AT ALL so it's a lot of shooting blind figuring out what the various keys do.

Any ideas??

1 ACCEPTED SOLUTION
4 REPLIES 4

jarednichols
Honored Contributor

Sir, many thanks. Your script gave me the clue that I needed. Apparently I wasn't setting the "master" system.preference group to everyone first.

I feel like such a putz. Oh well. Thanks!

mm2270
Legendary Contributor III

When I was doing something similar recently, I changed the group authorized to unlock certain System Preference panes to "lpadmin" rather than attempting to add the "everyone" or some other group into the mix, and then added all standard users to the lpadmin group. This has the affect that, since any admin is part of lpadmin already, it retains the ability of an admin to unlock the Preference Panes, but also gives the users the ability to unlock those Preference Panes too. It of course also allows standard users to add printers in the Print & Scan PrefPane, which is what we were looking at as well. So, in essence, any admin plus users that are added to the lpadmin group will have the ability to unlock any Preference Pane that is assigned in that way.

And you're right, understanding how to edit /etc/authorization takes some work and head scratching. The ones that are the hardest to understand are the ones that use rules rather than just a group or user authorization. I never did figure out how to write my own rule and add that in to the mix.

jarednichols
Honored Contributor
I never did figure out how to write my own rule and add that in to the mix.

This is what I was trying to bang around my skull last night for hours. Trying to do all sorts of "is-admin-or-is-console-owner" crap.