How to add an AD user as a local admin

July 3, 2007

We all know the obvious way to allow a given AD group to administer a Mac bound to Active Directory (see image below).

Although the “Allow administration by group” setting in Directory Access lets users in that group install software and perform certain other admin functions, there is a bug (or feature?) in Tiger that prevents users who are admins only through that nested group from using sudo or unlocking secured System Preferences panes. As far as I can tell, this is a problem with how the Mac handles nested groups. If you, or another user, need to truly be an admin, the account(s) must be added directly to the local admin group.

Type in the following as root:

    dscl . -append /Groups/admin users username1 username2 username3

This command can be sent to your clients over ARD (replace -append with -delete if you want to revoke admin access).

You can use this command to confirm who is an admin:

    dscl . -read /Groups/admin users
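The two dscl commands above are all you need, but `-append` does not de-duplicate: granting admin to a user who is already in the group leaves the name listed twice, and `-delete` for a user who is not there just errors. The following POSIX sh helper is an added example, not from the original post: it reads the group first (as the `-read` command does) and only emits the `-append` or `-delete` command when the group is not already in the desired state. The group path `/Groups/admin` and the attribute name `users` are taken from the post; the membership line used for the test is a constructed sample, and the `grant`/`revoke` actions and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent wrapper around the
# dscl membership commands. It reads /Groups/admin first and only prints a
# change command when one is actually needed. The membership line format
# below ("GroupMembership: root pat") is a constructed sample of what
# `dscl . -read /Groups/admin users` prints on a bound client.

# Split a dscl membership line such as "GroupMembership: root pat" into one
# name per line (the label before the first colon is dropped).
parse_members() {
    names=${1#*:}
    for n in $names; do
        printf '%s\n' "$n"
    done
}

# Succeed (exit 0) if user $2 is listed in membership line $1.
# -x matches whole lines so "pa" does not match "pat"; -F disables regex.
is_member() {
    parse_members "$1" | grep -qxF -- "$2"
}

# Print the dscl command needed to "grant" or "revoke" admin for user $3,
# given the current membership line $2, or "noop" when the group is already
# in the desired state. Printing rather than executing keeps the decision
# testable and lets the caller review it before running it as root.
plan_change() {
    action=$1
    line=$2
    user=$3
    case $action in
        grant)
            if is_member "$line" "$user"; then
                echo noop
            else
                echo "dscl . -append /Groups/admin users $user"
            fi
            ;;
        revoke)
            if is_member "$line" "$user"; then
                echo "dscl . -delete /Groups/admin users $user"
            else
                echo noop
            fi
            ;;
        *)
            echo "usage: $0 grant|revoke username" >&2
            return 1
            ;;
    esac
}

# When run directly on a Mac as root, e.g. "./admin.sh grant pat", read the
# live group and apply the planned change. On a system without dscl (or when
# sourced with no arguments) nothing is executed.
if [ "$#" -eq 2 ] && command -v dscl >/dev/null 2>&1; then
    current=$(dscl . -read /Groups/admin users)
    cmd=$(plan_change "$1" "$current" "$2") || exit 1
    echo "$cmd"
    [ "$cmd" = noop ] || $cmd
fi
```

Because the script prints the exact dscl command before running it, the same file can be pushed to clients over ARD and its output checked afterwards to confirm which machines actually changed. On Leopard and later, `dseditgroup -o checkmember -m username admin` answers the "is this user already an admin" question directly and can replace `is_member` above.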

If you have tech staff that doesn’t like the CLI, here is an AppleScript that can be used. It builds a list of users who have already logged in by listing the home folders (it will not work with network home folders without modification). Copy this into Script Editor and save it as an application:

    set userList to paragraphs of (do shell script "ls -1d /Users/* | cut -d/ -f3 | grep -v Shared")
    set chosen to choose from list userList
    if chosen is false then return -- user pressed Cancel
    set userName to item 1 of chosen -- choose from list returns a list, not a string
    do shell script "dscl . -append /Groups/admin users " & userName with administrator privileges
    display dialog userName & " is now an admin of this computer"

If you would rather be able to type the users instead of selecting them from a list:

    set userList to text returned of (display dialog "Enter the user name(s) you would like to be admin(s)" default answer "")
    -- Cancel raises error -128 instead of returning false, so the script simply stops there
    if userList is "" then
        display dialog "No user name entered"
        return
    end if
    do shell script "dscl . -append /Groups/admin users " & userList with administrator privileges
    display dialog userList & " is now an admin of this computer"

NOTE: These AppleScripts will not work over ARD, nor are they necessary there, since sending the single commands above is much easier.

Find more like this: Directory Services, Mac, Scripting

4 Responses to How to add an AD user as a local admin

  • BJ says:

    Pat, I’ve found that in Leopard at least, I have to issue this command using sudo.

    Is there a similar operation using dseditgroup?

  • PatGmac says:

    Yes, the dscl command by itself does require sudo if you’re not root already. Any administrative command does. The applescripts do not require it because the “with administrative privileges” takes care of that.

    dseditgroup -o edit -a ADgroup -t group -n . admin

  • Matt says:

    I can’t thank you enough for this little tidbit. I knew there had to be way.

  • Rakesh says:

    thank you , it helped me.
