Allow AD Group Admins to be Admins while Offline?

nethers
Contributor

We use Casper Imaging to image all of our fresh MacBook Airs. Then we distribute the computers out to each user with only a local tech account on the computer. The user will authenticate over Active Directory and their account will be created. After logging in for the first time, the users receive admin rights based on being in the Active Directory group specified in Directory Utility's 'Allow administration by: ExampleDomainExampleGroup' option, as part of our binding.

The only problem with this is that when the user takes the machine home, they're no longer connected to AD, so if and when they have to re-login/restart, their user account is no longer seen as being in 'ExampleDomainExampleGroup' and thus does not receive admin credentials. So if they need to install, say, GoToMeeting, etc., or do anything else administrative, they can't!

The only solution I've found is to have the user do their first AD login, disconnect the Wi-Fi, then restart; the account will exist but will no longer be an admin. I can then check the box to 'Allow user to administer this computer'. We'd really like to avoid this process of handing off computers, then coming back in for each user and making them an admin manually. This won't work for our checkout MacBook Airs.

How are other organizations that work with Macs and Active Directory automating this solution?

We have a unique situation in that we can't necessarily just enter one user's name, as we don't know who will use the laptop; some of the laptops will be cart-based for checkout. We really need to pull all users from our AD admin group, let's call it 'ExampleDomainExampleGroup', and fill out the local /Groups/Admin group. Any scripters?


franton
Valued Contributor III

They'll only retain their admin rights when the computer can see your domain controller. If you want something more permanent, you'll have to add each user to the "admin" group via a script. Unlike Windows, where you can add users to the local administrators group at any time, on the Mac this can only be done if the account exists on the computer.

I've found that the most reliable command to do this is as follows:

dscl . -merge /Groups/admin GroupMembership "$username"

Replace "$username" with whatever variable you intend to use.

nethers
Contributor

Say our domain is ExampleDomain and the admin group we store our 'administrative users' in is called ExampleGroup. Is there a way to have that merge piece you found pull the entire AD ExampleDomainExampleGroup's users and merge them with /Groups/admin? We could push this with a JAMF policy as we get new users.

alexjdale
Valued Contributor III

You can grant administrator rights to a user account before they have logged in, via script. I do this with:

dscl . append /Groups/admin GroupMembership username

If you wanted to, I assume you could script a method to pull usernames from the AD group and add them all to the local admin group, but our security policy is "least access required" so it would go against that policy to grant users admin rights on systems where they don't need it.

nethers
Contributor

Hi Alex, we need our AD Admin Group to populate the /Groups/Admin. Do you know how to pull users from the group (maybe store in an array) and populate the /Groups/Admin?

mm2270
Legendary Contributor III

If we're talking Active Directory, something like this may be of help:

#!/bin/bash

# user currently logged in at the console
loggedInUser=$( ls -l /dev/console | awk '{print $3}' )
# AD group whose members should be local admins
ADAdminGroupName="Group Name"

# read the user's memberOf attribute from the AD node (replace DOMAINF with your AD node name)
ADGroups=$( dscl "/Active Directory/DOMAINF/All Domains" read "/Users/$loggedInUser" dsAttrTypeNative:memberOf )

if [[ "$ADGroups" =~ "$ADAdminGroupName" ]]; then
    echo "User $loggedInUser is member of group $ADAdminGroupName. Granting Local Admin Privileges"
    /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin
else
    echo "User $loggedInUser is not a member of group $ADAdminGroupName. Leaving as standard user"
fi

Note that the recommended way these days to edit group membership is with dseditgroup, not dscl.
See Greg Neagle's post on this from a couple of years ago on the subject:
http://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/

mm2270
Legendary Contributor III

Bah! Double post...

nethers
Contributor

This may be the solution, I will have to try this shortly.

gmarnin
New Contributor III

mm2270,

Your script is a good start. I would tweak it to account for a situation where a user was in an AD admin group (and is now in the local admin group) but is no longer in the AD admin group. In that case, you need to remove the user from the local admin group.

Something like this untested script:

#!/bin/bash
# assumes loggedInUser and ADAdminGroupName are set as in the script above, and that
# the AD lookup has already shown the user is NOT in the AD admin group

# check if user is in the local admin group (dseditgroup prints "yes ..." or "no ...")
IsLocalAdmin=$(/usr/sbin/dseditgroup -o checkmember -m "$loggedInUser" admin | awk '{print $1}')

if [[ "$IsLocalAdmin" = "yes" ]]; then
    # still a local admin but no longer in the AD admin group: demote
    /usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
    echo "User $loggedInUser has been removed from the local admin group and is now a standard user"
else
    echo "User $loggedInUser is not a member of group $ADAdminGroupName. Leaving as standard user"
fi
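Putting mm2270's grant logic and gmarnin's revoke logic together, as an added example that is not from any poster in this thread: when the Mac is off-site the AD read fails and memberOf comes back empty, so a script that treats "not found in memberOf" as "not a member" would demote every user at each offline login, which is exactly the situation the original question is about. This version changes nothing unless the AD node answered, and matches the group CN exactly rather than by substring. AD_NODE and AD_ADMIN_GROUP are placeholders you must set.

```bash
#!/bin/bash
# Added example (not from this thread): reconcile the local admin group with an AD group,
# but only when the AD node is readable; off-site, treating an empty memberOf as "not a
# member" would demote every user at each login.
AD_NODE="/Active Directory/DOMAIN/All Domains"   # placeholder: your AD node name
AD_ADMIN_GROUP="ExampleDomainExampleGroup"      # placeholder: CN of the AD admin group

# ad_has_group MEMBEROF_OUTPUT GROUP: exact CN match on each DN in dscl's memberOf output
# (one DN per line, or "dsAttrTypeNative:memberOf: CN=..." for a single value).
ad_has_group() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            dn=${line#dsAttrTypeNative:memberOf:}
            dn=${dn#"${dn%%[! ]*}"}            # strip leading spaces
            case "$dn" in "CN=$2,"*) exit 0 ;; esac
        done
        exit 1
    }
}

# decide_action MEMBEROF_OUTPUT LOOKUP_STATUS IS_LOCAL_ADMIN -> grant | revoke | keep
decide_action() {
    if [ "$2" -ne 0 ]; then
        echo keep; return               # AD unreachable or user unknown: change nothing
    fi
    if ad_has_group "$1" "$AD_ADMIN_GROUP"; then
        [ "$3" = yes ] && echo keep || echo grant
    else
        [ "$3" = yes ] && echo revoke || echo keep
    fi
}

# reconcile USER: read AD, check local admin state, then apply with dseditgroup
reconcile() {
    memberof=$(dscl "$AD_NODE" read "/Users/$1" dsAttrTypeNative:memberOf 2>/dev/null)
    status=$?
    is_admin=$(/usr/sbin/dseditgroup -o checkmember -m "$1" admin | awk '{print $1}')
    action=$(decide_action "$memberof" "$status" "$is_admin")
    case "$action" in
        grant)  /usr/sbin/dseditgroup -o edit -a "$1" -t user admin ;;
        revoke) /usr/sbin/dseditgroup -o edit -d "$1" -t user admin ;;
    esac
    echo "$1: $action"
}

# Only touch the system when explicitly asked, e.g. from a Jamf policy: script --apply
if [ "${1:-}" = "--apply" ]; then
    reconcile "$(ls -l /dev/console | awk '{print $3}')"
fi
```

Because nothing happens while the domain is unreachable, a user who was removed from the AD group loses local admin only at the next login that can reach a domain controller.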