Although the “Allow administration by group” setting in Directory Access allows users in that group to install
software and perform certain other admin functions, there is a bug (or feature?) in Tiger that does not allow those nested group users to use sudo or unlock secure System Preferences. As far as I can tell, this is a problem with how the Mac handles nested groups. If you, or another user needs to truly be an admin, the account(s) needs to be added to the admin group.
Type in the following as root:
dscl . –append /Groups/admin users <span style="font-style: italic;">username1 username2 username3
This command can be sent to your clients over ARD (replace append with delete if you want to revoke admin access).
You can use this command to confirm who is an admin:
dscl . -read /Groups/admin users
If you have tech staff that doesn’t like the CLI, here is an applescript that can be used. This will get a list of users that have logged in already by listing the home folders (will not work with network home folders without modification). Copy this into Script Editor and save it as an application:
set userList to paragraphs of (do shell script “ls -1d /Users/* | cut -d/ -f3 | grep -v Shared”) set userName to choose from list userList do shell script “dscl . -append /Groups/admin users ” & userName with administrator privileges display dialog userName & ” is now an admin of this computer”
If you would rather be able to type the users instead of selecting them from a list:
set userList to text returned of (display dialog “Enter the user name(s) you would like to be admin(s)” default answer “”) if userList is not equal to false then do shell script “dscl . -append /Groups/admin users ” & userList with administrator privileges else if userName is equal to false then display dialog “Operation cancelled” end if display dialog userList & ” is now an admin of this computer”
NOTE: These applescripts will not work over ARD, nor are they necessary since sending the single commands above are much easier.