Adding groups from your directory service to your Mac’s admin group
If your Mac environment is using a directory service for authentication (like Apple’s Open Directory or Microsoft’s Active Directory), you can add a group from your directory service as a member of your Mac’s local admin group (members of which have administrative rights on your Macs). This simplifies granting administrative rights on your Macs: adding an account to the group on your directory server grants it administrative rights on your Macs, and removing the account from that group removes them.
To add a group from your directory service to your Mac, you can use the following command:
sudo dseditgroup -o edit -a "group name" -t group admin
If you’re adding an AD group, you may need to add the AD domain’s name:
sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin
For Active Directory, you can also use the dsconfigad tool to enable or disable administrative rights for a particular AD group:
sudo dsconfigad -groups "group name"
One thing to watch for with adding AD groups is that the group whose members you want to give administrator rights to needs to be listed as the Primary Group in AD for those accounts. Otherwise, they may not be given administrative rights on the Macs despite the AD group being added to the local admin group.
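The following script is an added example, not part of the original post: it wraps the dseditgroup commands above so that the directory group is only nested into the local admin group when it is not already there, prints the exact command before it is run, and offers an audit mode that reads back what is currently nested in admin. The group name "Mac Admins" and the domain "CORP" in the usage comments are placeholders, and the script assumes it is run as root on a Mac that is bound to the directory service; the dseditgroup and dscl invocations are the same ones the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently nest a directory
# group inside the local "admin" group on a Mac. Group and domain names used
# in the comments below ("Mac Admins", "CORP") are placeholders.

# Build the member name the way dseditgroup expects it: "DOMAIN\group" for an
# AD group, plain "group" for an Open Directory group. The backslash is
# emitted literally, so callers do not have to fight shell escaping.
admin_member_name() {
    # $1 = group name, $2 = optional AD domain (leave empty for Open Directory)
    if [ -n "$2" ]; then
        printf '%s\\%s\n' "$2" "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Print the exact dseditgroup command so an admin can review it before running.
# Single quotes around the member keep a backslash in "DOMAIN\group" intact.
admin_add_command() {
    member=$(admin_member_name "$1" "$2")
    printf "sudo dseditgroup -o edit -a '%s' -t group admin\n" "$member"
}

# Return 0 if the directory group is already nested in the local admin group.
admin_group_present() {
    member=$(admin_member_name "$1" "$2")
    dseditgroup -o checkmember -m "$member" -t group admin >/dev/null 2>&1
}

# Add the directory group to admin only when it is missing (requires root).
ensure_admin_group() {
    member=$(admin_member_name "$1" "$2")
    if admin_group_present "$1" "$2"; then
        echo "already nested in admin: $member"
        return 0
    fi
    echo "running: $(admin_add_command "$1" "$2")"
    dseditgroup -o edit -a "$member" -t group admin
}

# Audit mode: show the direct members and nested groups of the local admin
# group, so stale directory groups can be spotted and removed with -d.
list_admin_group() {
    dseditgroup -o read admin
    dscl . -read /Groups/admin NestedGroups 2>/dev/null
}

# Usage on the Mac (as root):
#   sh admin_group.sh show   'Mac Admins' CORP   # print the command only
#   sh admin_group.sh ensure 'Mac Admins' CORP   # add if missing
#   sh admin_group.sh ensure macadmins           # Open Directory group
#   sh admin_group.sh audit                      # read back admin membership
case "${1:-}" in
    show)   admin_add_command "$2" "${3:-}" ;;
    ensure) ensure_admin_group "$2" "${3:-}" ;;
    audit)  list_admin_group ;;
esac
```

The checkmember step is what makes the script safe to run repeatedly from a management tool: dseditgroup will not duplicate a nested group, but the check also gives you a clean "already nested" log line instead of an opaque success, and the audit mode is the quickest way to confirm that an old directory group has really been removed from admin.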
Hi…
We have an issue with Lion that only appears when the computer in question is off the network.
We have a single AD group that’s given local admin access to each Mac. However, when taken off the network…none of the AD users in that admin group have admin rights.
I have to be in the office or on VPN for it to work correctly.
Any thoughts?
Adam,
Are the AD users granted their admin rights via the AD plug-in? If so, once the machine is off your AD domain, your users will lose their admin rights.
If you need those users to permanently keep admin rights, you’ll need to grant those rights via the Users and Groups preference pane or by adding those users to the admin group via the command line.