Adding Active Directory Account with Admin Rights

davidhead
New Contributor

I am attempting to add an active directory account to all of our Macs using the Local Account task in a policy in JSS. It adds the account fine on the mac but only adds it as a standard user, despite the fact I checked the box to allow the account to administer the computer. If anyone else has had this issue, I would greatly appreciate any help available.



mm2270
Legendary Contributor III

I don't think you can use the Local Account tab in a policy to add an Active Directory account to a Mac. That is only for local-only accounts, not ones tied to a directory service. That's why it's specifically labeled as "Local Accounts".
You'd be better off looking into the 'createmobileaccount' binary and scripting this instead of the Local Accounts tab.

lsmc08
Contributor

@davidhead I think you might be able to using dscl - something like this...

dscl . -append /Groups/admin GroupMembership AD_user_name

Then just create a policy that uses Files & process and enter the command above under the process to execute field.

Of course, test the whole work flow first.

nessts
Valued Contributor II

dseditgroup -o edit -a username admin is probably a better method, I do not remember why off the top of my head but remember it works better.

mm2270
Legendary Contributor III

Because it's the preferred way of adjusting group membership per Apple. That, and dscl . -append is nasty since it doesn't do a check to see if the group has already been added, meaning if it runs repeatedly on the same account it will just keep adding in "admin" group entries to the dscl entry. Later if you need to remove admin rights it will be a mess.

Still, the Local Accounts section of a policy should not be used to add a directory based account to a Mac. That's not what it's for in the first place.
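To show the point made in the two replies above (dseditgroup over dscl . -append, and the duplicate-entry problem), here is an added example of a Jamf policy script; it is not code from this thread or from Jamf. It checks membership with dseditgroup -o checkmember before editing, so re-running the policy never stacks duplicate admin entries, and it includes a matching revoke. The DSEDITGROUP override and the "$5 = revoke" convention are assumptions made for this example.

```bash
#!/bin/bash
# Idempotent local admin grant/revoke for a directory (AD) account, written as a
# Jamf policy script (added example, not from the thread or from Jamf).
# dseditgroup -o checkmember runs before any edit, so repeated runs never stack
# duplicate GroupMembership entries the way "dscl . -append" does.
# DSEDITGROUP is overridable so the logic can be exercised with a stub off a Mac.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
ADMIN_GROUP="admin"

# Exit status 0 if the user is already a member of the local admin group.
is_admin() {
    "$DSEDITGROUP" -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# Add the user to the local admin group only if not already a member.
grant_admin() {
    user="$1"
    if is_admin "$user"; then
        echo "$user is already in $ADMIN_GROUP; nothing to do"
        return 0
    fi
    if "$DSEDITGROUP" -o edit -a "$user" -t user "$ADMIN_GROUP"; then
        echo "added $user to $ADMIN_GROUP"
        return 0
    fi
    echo "failed to add $user to $ADMIN_GROUP" >&2
    return 1
}

# Remove the user from the local admin group; a no-op if not a member.
revoke_admin() {
    user="$1"
    if ! is_admin "$user"; then
        echo "$user is not in $ADMIN_GROUP; nothing to do"
        return 0
    fi
    "$DSEDITGROUP" -o edit -d "$user" -t user "$ADMIN_GROUP" \
        && echo "removed $user from $ADMIN_GROUP"
}

# Jamf passes the first custom script parameter as $4. Passing "revoke" as $5
# to remove rights is a convention invented for this example.
if [ -n "${4:-}" ]; then
    if [ "${5:-}" = "revoke" ]; then revoke_admin "$4"; else grant_admin "$4"; fi
fi
```

Editing the admin group requires root, which a Jamf policy already has; the script is safe to put in a recurring policy because a second run is a no-op.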

RobertHammen
Valued Contributor II

Don't forget that when you bind computers to AD, there's the checkbox for "Allow administration by" (and you can enter the name of an AD group there). Most orgs I work with typically have existing groups like "workstation admins" or "desktop admins" for their local IT staff, so I always add these AD groups to the bind options so that users automagically become admins when they log in. Works like a charm.

CGundersen
Contributor III

@RobertHammen

They are only admins while connected to the domain, correct (whether that is Apple expected behavior or not)? If they are not actively authenticated against the domain (i.e. cached account) I don't believe the administrative rights are persistent? I might be mistaken on this ...

mm2270
Legendary Contributor III

Yes, if the local cached mobile account record is not in the local admin group, as soon as they are disconnected from the domain controllers, they lose admin rights. In some cases, this can be useful, but in other cases, it can be a pain.

davidhead
New Contributor

Thank all of you for your responses. The dseditgroup command worked like a charm. I'm fairly new to Mac account management, so I appreciate all the help. It actually works better if they only have admin rights while they are connected to the domain.