Adding groups from your directory service to your Mac’s admin group
If your Mac environment uses a directory service for authentication (like Apple’s Open Directory or Microsoft’s Active Directory), you can add a group from your directory service as a member of your Mac’s local admin group, whose members have administrative rights on your Macs. This simplifies granting administrative rights: adding accounts to or removing them from the server-side group grants or removes administrative rights for those accounts on your Macs.
To add a group from your directory service to your Mac, you can use the following command:
sudo dseditgroup -o edit -a "group name" -t group admin
If you’re adding an AD group, you may need to add the AD domain’s name:
sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin
For Active Directory, you can also use the dsconfigad tool to enable or disable administrative rights for a particular AD group:
sudo dsconfigad -groups "group name"
One thing to watch for with adding AD groups is that the group whose members you want to give administrator rights to needs to be listed as the Primary Group in AD for those accounts. Otherwise, they may not be given administrative rights on the Macs despite the AD group being added to the local admin group.
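Once a directory group is nested in the local admin group, it is worth checking that the group contains only what you expect. The script below is an added example, not part of the original post: it lists every direct member and nested group in the admin group that is not on an allowlist. The allowlist, the account names and the UUIDs are constructed placeholders, and the script assumes dscl prints GroupMembership and NestedGroups as single space-separated lines.

```shell
#!/bin/sh
# Added example: report local admin group entries that are not on an allowlist.
# Reads `dscl . -read /Groups/admin GroupMembership NestedGroups` output on
# stdin. Direct members are listed by short name; nested groups (including a
# directory group added with dseditgroup -t group) are listed by UUID.

# Print every member name or nested-group UUID not passed as an argument.
unexpected_admins() {
    awk '$1 == "GroupMembership:" || $1 == "NestedGroups:" {
             for (i = 2; i <= NF; i++) print $i
         }' |
    while read -r entry; do
        ok=0
        for allowed in "$@"; do
            if [ "$entry" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$entry"; fi
    done
}

# Constructed allowlist: two local accounts plus the UUID of the directory
# group you added (placeholder value, replace with your own).
ALLOW="root itadmin 00000000-0000-0000-0000-0000000000AA"

# Constructed sample of dscl output, used when not running on a Mac.
SAMPLE='GroupMembership: root itadmin jdoe
NestedGroups: 00000000-0000-0000-0000-0000000000AA 00000000-0000-0000-0000-0000000000BB'

# On a Mac, audit the live admin group; elsewhere, audit the sample.
# $ALLOW is left unquoted on purpose so each entry becomes one argument.
if command -v dscl >/dev/null 2>&1; then
    dscl . -read /Groups/admin GroupMembership NestedGroups |
        unexpected_admins $ALLOW
else
    printf '%s\n' "$SAMPLE" | unexpected_admins $ALLOW
fi
```

To confirm that a specific directory account actually resolves as an administrator, run dseditgroup -o checkmember -m username admin on the Mac.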