Can you include AD groups into the specified users for ARD?

msnowdon
Contributor

I use a script to enable ARD and give the local administrator account full access. I was asked to provide ARD access to Active Directory users. Can that be done? Even if I try to manually add them, I don't get the option of selecting AD users, only local accounts.


djrich29
New Contributor III

Usually what you do when you want to have ARD directory authentication is to create a local group "ard_admin" using dscl and then nest the Active Directory group or users inside of this local group.

This is the script I've used to implement ARD AD authentication in my environment:

#First, create a Local group
sudo dscl . -create /Groups/ard_admin
sudo dscl . -create /Groups/ard_admin PrimaryGroupID "530" 
sudo dscl . -create /Groups/ard_admin Password "*" 
sudo dscl . -create /Groups/ard_admin RealName "ard_admin" 
sudo dscl . -create /Groups/ard_admin GroupMembers "" 
sudo dscl . -create /Groups/ard_admin GroupMembership ""

# Nest the AD group that should have ARD access into the ard_admin group you just created. This is done with the dseditgroup command:
sudo dseditgroup -o edit -a "UNTSomeGroupName" -t group ard_admin

#Now that you have a local group with an AD group nested inside, you can give your group the necessary privileges via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -activate -configure -access -on -privs -all -users ard_admin -restart -agent

#Just to be safe we want to make sure access is only allowed for the Specified Users, again do this via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -allowAccessFor -specifiedUsers

#The last step in this process is to set the ARD client options to allow directory logins, again do this via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -clientopts -setdirlogins -dirlogins yes

#To add a single Active Directory user to the local ard_admin group, do not use dscl to add or delete individual users. Use dseditgroup with the -a (to add) or -d (to delete) options.
sudo dseditgroup -o edit -a EUID -t user ard_admin
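
A post-configuration check for the setup above, written as an added example rather than code from any post in this thread. It assumes a Mac that is bound to AD, root privileges, and that kickstart stores its settings in /Library/Preferences/com.apple.RemoteManagement under the keys ARD_AllLocalUsers and DirectoryGroupLoginsEnabled (key names assumed from that plist; verify on your build).

```shell
#!/bin/sh
# Verify the ard_admin setup from the script above. Constructed example;
# run as root on an AD-bound Mac: sh verify_ard.sh "UNTSomeGroupName" [aduser]

# Print the values of one attribute from `dscl -read` output on stdin.
# dscl writes "Attribute: v1 v2 ..." for simple multi-valued attributes.
attr_values() {
  awk -v key="$1" '$1 == (key ":") { for (i = 2; i <= NF; i++) print $i }'
}

# The AD group must resolve through the search path (/Search includes the
# AD node once the Mac is bound). Failure here is the "cannot find the AD
# group" symptom: unbound machine, or a name that is not the short name
# the directory service knows (names are case sensitive).
ad_group_resolves() {
  dscl /Search -read "/Groups/$1" RecordName >/dev/null 2>&1
}

# dseditgroup nests by GeneratedUID, so the AD group's UID must appear in
# the local group's NestedGroups attribute.
group_is_nested() {
  guid=$(dscl /Search -read "/Groups/$1" GeneratedUID 2>/dev/null | attr_values GeneratedUID)
  [ -n "$guid" ] &&
    dscl . -read /Groups/ard_admin NestedGroups | attr_values NestedGroups | grep -qx "$guid"
}

# Membership through the nesting, as the ARD agent will evaluate it.
user_is_member() {
  dseditgroup -o checkmember -m "$1" ard_admin 2>/dev/null | grep -q '^yes '
}

# Settings kickstart writes to /Library/Preferences/com.apple.RemoteManagement
# (key names assumed from that plist: 0 = specified users only, 1 = enabled).
ard_pref() { defaults read /Library/Preferences/com.apple.RemoteManagement "$1" 2>/dev/null; }
specified_users_only() { [ "$(ard_pref ARD_AllLocalUsers)" = 0 ]; }
dir_logins_enabled()   { [ "$(ard_pref DirectoryGroupLoginsEnabled)" = 1 ]; }

# check <label> <command...>: report one result and record any failure in rc
check() { label=$1; shift; if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi; }

verify_ard_access() {   # verify_ard_access <AD group> [AD user]
  rc=0
  check "AD group $1 resolves via /Search"        ad_group_resolves "$1"
  check "AD group $1 nested in ard_admin"          group_is_nested "$1"
  [ -n "${2:-}" ] && check "$2 is a member of ard_admin" user_is_member "$2"
  check "ARD access limited to specified users"   specified_users_only
  check "ARD directory logins enabled"            dir_logins_enabled
  return "$rc"
}

if [ $# -gt 0 ]; then verify_ard_access "$@"; fi
```

A FAIL on the first line is the same symptom as the "cannot find the AD group" error: confirm the binding and the exact group short name before rerunning dseditgroup.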

msnowdon
Contributor

@djrich29 Thanks, I'll give it a try.

msnowdon
Contributor

Doing something wrong. Seems like it cannot find the AD group.

stephanpeterson
Contributor

I'm using this to give single AD users access to ARD. While it's working, I'm not seeing the users populate in the Remote Management pref pane. Is this to be expected? Tested on macOS 10.12.6 thus far.

fernando_gonzal
Contributor

@djrich29 thanks for the script. It works great. This is particularly relevant right now with remote learning.

For those that have a local admin account that you also want to give ARD access (since the script will change access to specified users instead of all), I was able to insert this additional line after giving access to the ard_admin group:

#Give a local account the necessary privileges via the ARD Kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -access -on -privs -all -users ITAdministrator -restart -agent

In this case I added the local account "ITAdministrator". Be aware that the account name will be case sensitive (the lowercase shortname "itadministrator" wouldn't have worked). You can usually use

dscl . list /Users

to figure out the needed capitalization.
