Give Active Directory group members admin rights to their Mac while offline

When joining a Mac to Active Directory, you can specify domain users or groups to which you wish to grant administrator rights to the computer.  This is done in Directory Utility by ticking the “Allow administration by:” box and entering a domain\username pair:

[Screenshot: Directory Utility, "Allow administration by:" field]

Alternatively, a simple command performs the same task:

$ dsconfigad -groups "DOMAIN\GroupName"

You can also populate multiple groups (or users), separated by commas:

$ dsconfigad -groups "DOMAIN\GroupName1,DOMAIN\GroupName2,DOMAIN\User23"

This can be altered without unbinding / rebinding the domain.

This is a useful feature if you are automating your Mac builds using tools such as DeployStudio and/or Munki, because you can pre-create and populate the AD group(s), and script the AD bind such that the correct groups are added to the “Allow Administration By” field, so there is nothing to do manually on the Mac itself.

However, a limitation of this feature is that users with an AD account in the “Allow Administration By” group are not cached, even if they have a Mobile Account on the Mac.  So, unless the domain controllers can be interrogated when the user attempts to perform an elevated task, they will be denied.

Mobile Users can be added to the computer’s “admin” group manually, using a command:

$ /usr/sbin/dseditgroup -o edit -a USERNAME -t user admin

Similarly they can be removed, thus:

$ /usr/sbin/dseditgroup -o edit -d USERNAME -t user admin

Automating the process

My solution is “check_local_admin”, a script which checks the members of the AD group in the “Allow Administration By” field, and if they also have an existing Mobile Account on the Mac, adds them to the “admin” group which gives them offline admin rights:

https://github.com/grahampugh/osx-scripts/blob/master/check_local_admin/check_local_admin.sh

To keep the user rights in sync, for instance, to remove local admin rights from an AD user if you remove them from the AD group, the script can be run as a LaunchDaemon.  This waits 15 seconds on startup to give networking a chance to fire up, then checks for access to AD. If it can’t see Active Directory, it does nothing, so user rights will only change when in contact with the domain controllers.
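The reconciliation that such a sync has to perform, written out as an added example (this is not the check_local_admin script itself). All four input lists are constructed sample data; on a real Mac they would be read from dsconfigad -show (the allowed admin groups), dscl against the AD node (group members), dscl . -list /Users (Mobile Accounts) and dscl . -read /Groups/admin GroupMembership (current local admins):

```shell
#!/bin/sh
# Added example: decide which Mobile Accounts to add to / remove from the local
# "admin" group so it mirrors the AD group in "Allow administration by".
# All lists below are constructed sample data, not read from a real Mac.
AD_REACHABLE=1                      # 0 means: cannot see AD, leave admins alone
AD_ADMIN_MEMBERS="alice bob carol"  # members of the AD admin group
MOBILE_ACCOUNTS="alice bob dave"    # AD users with a Mobile Account on this Mac
CURRENT_ADMINS="root localadmin alice dave"
EXCLUDES="root localadmin"          # local accounts the sync must never touch

in_list() {  # in_list NAME "LIST" -> exit 0 if NAME is a word of LIST
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Users who should hold local admin: in the AD group AND cached as a Mobile Account.
desired_admins() {
    for u in $AD_ADMIN_MEMBERS; do
        in_list "$u" "$MOBILE_ACCOUNTS" && printf '%s\n' "$u"
    done
    return 0
}

to_add() {      # desired, but not yet in the admin group
    for u in $(desired_admins); do
        in_list "$u" "$CURRENT_ADMINS" || printf '%s\n' "$u"
    done
    return 0
}

to_remove() {   # in the admin group, no longer desired, and not excluded
    for u in $CURRENT_ADMINS; do
        in_list "$u" "$EXCLUDES" && continue
        in_list "$u" "$(desired_admins)" || printf '%s\n' "$u"
    done
    return 0
}

# Print the dseditgroup commands the sync would run; nothing if AD is unreachable,
# so rights only change while in contact with the domain controllers.
plan() {
    [ "$AD_REACHABLE" = 1 ] || return 0
    for u in $(to_add);    do echo "dseditgroup -o edit -a $u -t user admin"; done
    for u in $(to_remove); do echo "dseditgroup -o edit -d $u -t user admin"; done
}

plan
```

With the sample data, bob is added (in the AD group, has a Mobile Account, not yet admin), dave is removed (admin but not in the AD group), carol is skipped because she has no Mobile Account, and the excluded local accounts are never touched.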

For more details on how to download or recreate the package for your establishment, check out my Git repository:

https://github.com/grahampugh/osx-scripts/tree/master/check_local_admin

Please check it out and let me know how you get on.


5 thoughts on “Give Active Directory group members admin rights to their Mac while offline”

  1. Mads

    Hey, I stumbled upon your post, because I have done exactly this, BUT they lose their admin rights when they are no longer on the company network, which is super annoying since it's mostly laptops. Any ideas?

    1. GrahamRP Post author

      Hi, thanks for commenting. My script should allow them to maintain their local admin rights – but there was a typo I’d committed to my private repo last month but not this public one. It’s up there now – give it another go.

  2. andreilabin

    Hey Graham! This seems like something we could use. But I get an error on line 52:
    AD Domain = dx-17597.adm
    ./check_local_admin.sh: line 52: ADGroupArray: bad array subscript
    AD Name =
    AD Admin Group = dx-17597.adm
    ### Not connected or properly bound to AD. Leaving local admins alone.

    This error shows for every Group. There is a member of that group that also has logged in on this Mac at least once. I’ve also tried commenting out the local admin user in the excludes-list. Any ideas?
    Thanks!
