Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Script to allow Administrators sec group to Remote Login

Just wondering if anyone knows the command to add the Administrators group for Remote Login

I've googled my pants off, I can allow the Admin but can't allow the Administrators group.

Any input would be greatly appreciated.

Like Comment
Order by:
SOLVED Posted: by pblake

@dsmetham I believe you just need to add them to the ard access group. A simple Google search on adding a group to ard access should do it.

Like
SOLVED Posted: by dmw3

@dsmetham You will need to create the group first, then you will be able to add users to the group.

You can create the group either from the GUI or command line.

Like
SOLVED Posted: by davidacland

Are you talking about SSH access?

If it is SSH, you used to use a group called com.apple.access_ssh. Not sure if thats still the case but if it is you should be able to use

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -t group com.apple.access_ssh
  # Add the admin group to it
Like
SOLVED Posted: by aporlebeke

Thanks for this @davidacland !

Like
SOLVED Posted: by aporlebeke

@davidacland your Terminal commands worked for me on a Yosemite test machine, but doesn't seem to work on my machine running 10.11.4. The first command does create the com.apple.access_ssh group, but then does not add the local Administrators group to the remote login panel like I was seeing on Yosemite.

Like
SOLVED Posted: by davidacland

I just double checked the commands and the man pages. All the options look to be the same so I'm not sure why they wouldn't be working.

When I tried them, creating the groups was fine, and adding a user to a group seemed to work intermittently.

Like
SOLVED Posted: by aporlebeke

Thanks for checking @davidacland . Looking at things more closely, it seems that the commands are working in that the com.apple.access_ssh group gets created, enables remote login (systemsetup -setremote login on), and sets remote login to "only these users". But no users or user groups are listed.

When I try and manually add the Administrators group it appears as added, but when I quit Sys Prefs and reopen it it no longer is shown as listed.

If confirmed that I can ssh into the machine from different accounts with admin privileges but cannot connect with standard users.

So, it appears to be working but not properly showing the Administrators group as the user group with privileges to ssh.

Like
SOLVED Posted: by aporlebeke

I can confirm the above is happening on both 10.10.4 and 10.11.4

Like
SOLVED Posted: by tony.schaps

@aporlebeke Even though nothing shows in the "remote login" list, try running in the Terminal:

/usr/bin/dscl . -read /Groups/com.apple.access_ssh

If your user shows there, you're golden. My JAMF management user does not show in the remote login list but it shows in that command. Also showing are "nested groups," one of which should be "ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000050", the admin group.

Like
SOLVED Posted: by aporlebeke

Something I realized, I was misentering the command posted further up the thread, the "T" needs to be capitalized, not lowercase:

dseditgroup -o create -q com.apple.access_ssh
  # Create the group

dseditgroup -o edit -a admin -T group com.apple.access_ssh
  # Add the admin group to it

However, when I do these commands together now, it adds just the local admin user to the Remote Login specified users rather than the Administrators group ... Any other thoughts?

Like
SOLVED Posted: by tony.schaps

Did you run /usr/bin/dscl . -read /Groups/com.apple.access_ssh ?
Anything under "NestedGroups"?

Like
SOLVED Posted: by aporlebeke

@tony.schaps Nothing about nested groups after running the command. As I mentioned in my post above, the command changed from a lowercase "t" to an uppercase in the second command, but that change just adds our local admin user to the remote login user list, not the Administrators group.

Like
SOLVED Posted: by aporlebeke

OK - so I started from scratch again. Running the original commands (with lowercase t) and then doing the dscl . read /Groups/com.apple.access_ssh reveals that there is in fact a nested group - the admin group with the UID you specified previously in the com.apple.access_ssh group.

Although the Administrators group is still not showing up in the listed remote login account list.

Like