
Adding groups from your directory service to your Mac’s admin group

If your Mac environment uses a directory service for authentication (such as Apple's Open Directory or Microsoft's Active Directory), you can make a group from that directory service a member of your Mac's local admin group, whose members have administrative rights on the Mac. This simplifies granting administrative rights on your Macs: adding or removing accounts in the server-side group grants or removes administrative rights for those accounts on every Mac where the group is nested.

To add a group from your directory service to your Mac, you can use the following command:

sudo dseditgroup -o edit -a "group name" -t group admin

If you’re adding an AD group, you may need to add the AD domain’s name:

sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin

For Active Directory, you can also use the dsconfigad tool to enable or disable administrative rights for a particular AD group:

sudo dsconfigad -groups "group name"

Groups can be qualified with their domain so that the intended group is matched unambiguously and a same-named group elsewhere cannot be granted rights by mistake, e.g. "domain admins@domain.ads.demo.com".

One thing to watch for when adding AD groups is that the group whose members you want to give administrator rights to needs to be listed as the Primary Group in AD for those accounts. Otherwise, those accounts may not be given administrative rights on the Macs despite the AD group having been added to the local admin group.
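As an added example (not code from the post), here is a small shell helper that wraps the dseditgroup commands above: it checks that the directory service can resolve the group before nesting it into admin, then verifies each named user with a membership check so the primary-group problem described above is caught immediately. The function names, the DRY_RUN variable and the group name "DOMAIN\Mac Admins" are assumptions for illustration.

```shell
#!/bin/sh
# Added helper (not from the original post): nest a directory-service group
# into the local admin group with dseditgroup and verify the result. Assumes
# macOS with dseditgroup on the PATH; DRY_RUN=1 prints privileged commands.

# Execute a command, or print it when DRY_RUN=1 so the run can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'would run: %s\n' "$*"
    return 0
  fi
  "$@"
}

# Fail early if the directory service cannot resolve the group: a misspelled
# or unqualified name would otherwise grant nothing without any error.
group_resolves() {
  dseditgroup -o read "$1" >/dev/null 2>&1
}

# Nest the directory group into admin. Double quotes keep a name such as
# "DOMAIN\Mac Admins" intact; no further escaping is needed.
add_group_to_admin() {
  run sudo dseditgroup -o edit -a "$1" -t group admin
}

# Membership check as the system resolves it (exit 0 = member). This is where
# an account in the nested AD group can still come back "not a member".
user_is_admin() {
  dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Resolve the group, nest it, then verify each named user.
grant_admin_via_group() {
  group="$1"; shift
  if [ "${DRY_RUN:-0}" != "1" ] && ! group_resolves "$group"; then
    echo "group not found in directory: $group" >&2
    return 2
  fi
  add_group_to_admin "$group" || return 1
  [ "${DRY_RUN:-0}" = "1" ] && return 0
  for u in "$@"; do
    if user_is_admin "$u"; then echo "ok: $u is an admin"
    else echo "WARNING: $u is still not an admin" >&2; fi
  done
}

# Usage: sh grant-admin.sh 'DOMAIN\Mac Admins' jdoe
if [ "$#" -gt 0 ]; then grant_admin_via_group "$@"; fi
```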

  1. adam
    February 3, 2012 at 9:14 pm

    Hi…

    We have an issue with Lion that only appears when the computer in question is off the network.

    We have a single AD group that’s given local admin access to each Mac. However, when taken off the network…none of the AD users in that admin group have admin rights.

    I have to be in the office or on VPN for it to work correctly.

    Any thoughts?

    • February 3, 2012 at 9:49 pm

      Adam,

      Are the AD users granted their admin rights via the AD plug-in? If so, once the machine is off your AD domain, your users will lose their admin rights.

      If you need those users to permanently keep admin rights, you’ll need to grant those rights via the Users and Groups preference pane or by adding those users to the admin group via the command line.
