Making Network Users have local admin rights

Is there an easy way to have a single network user that is authenticated through Active Directory to have access to install updates and install software? Basically I need one user to have admin rights on a certain group of computers. Can this be done with Workgroup Manager? Or even ARD?

Thank you in advance

Mac Server, Mac OS X (10.6.4)

Posted on Aug 24, 2010 8:44 AM

17 replies

Sep 8, 2010 7:25 AM in response to Antonio Rocco

Antonio Rocco,

Thanks, that works great if I want to do the updates and stuff from ARP, but is there a way to make network users administrators so they can do updates without having each user log in and then manually setting them as able to administer this computer in the Control Panel? I have about 5 users who need to be admins on a group of computers, and short of making each of them log in and manually setting them, I thought there might be an easier way.

Thank you

Oct 29, 2010 6:18 AM in response to Tranziq

This is normally something that is set when the computer is bound to Active Directory. You can set AD groups that will have local administrative privileges by clicking 'Show Advanced Options' and looking under the 'Advanced' tab and checking the 'Allow Administration By' box and then selecting your groups.

If you have already bound your clients, you can add groups to the local administrative group using the dsconfigad command with ARD.

Example:
To add an AD group called 'techs' in a domain called COMPANY, the command would be:
sh-3.2# dsconfigad -groups techs
Settings changed successfully

To check the success of the command, you can type:
sh-3.2# dsconfigad -show

You are bound to Active Directory:
Active Directory Forest = FQDN
Active Directory Domain = FQDN
Computer Account = computername

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb:
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set

Advanced Options - Administrative
Preferred Domain controller = not set
*Allowed admin groups = COMPANY\techs*
Authentication from any domain = Enabled
Packet signing = disable
Packet encryption = disable
Password change interval = 14
Namespace mode = domain

Advanced Options - Static maps
None
+end output+

Hope that helps...

Message was edited by: Matt Ramsay
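
The check described in the post above, turned into an audit that can be pushed to clients with ARD. This is an added example, not part of the original post or Apple's tooling: it reads `dsconfigad -show` output in the format quoted above and lists any admin group that is not on an approved list. The function names, the sample text and the group `COMPANY\contractors` are constructed for illustration, and the comma-separated list format is an assumption.

```shell
#!/bin/sh
# Added example: audit which directory groups hold local admin on a bound Mac.

# Constructed sample, trimmed to the section shown in the post.
# COMPANY\contractors is a made-up group used to trigger a finding.
SAMPLE_SHOW='Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = COMPANY\techs,COMPANY\contractors
  Packet signing                 = disable'

# Print the groups on the "Allowed admin groups" line, one per line.
# Assumption: several groups are comma-separated; an empty setting reads "not set".
allowed_admin_groups() {
    awk -F' = ' '
        /Allowed admin groups/ {
            gsub(/^[ \t*]+|[ \t*\r]+$/, "", $2)  # trim blanks and forum emphasis marks
            if ($2 == "" || $2 == "not set") exit
            n = split($2, g, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (g[i] != "") print g[i]
            exit
        }'
}

# Read "dsconfigad -show" output on stdin; arguments are the approved groups.
# Prints each admin group that is not approved. Returns 1 if any were found.
# Names are compared case-insensitively, as AD treats them.
unapproved_admin_groups() {
    approved=$(printf '%s\n' "$@" | tr '[:upper:]' '[:lower:]')
    found=$(allowed_admin_groups)
    rc=0
    while IFS= read -r group; do
        [ -n "$group" ] || continue
        key=$(printf '%s' "$group" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$approved" | grep -Fxq -- "$key"; then
            printf '%s\n' "$group"
            rc=1
        fi
    done <<EOF
$found
EOF
    return $rc
}

# Demo on the constructed sample. On a client, pipe the real command instead:
#   dsconfigad -show | unapproved_admin_groups 'COMPANY\techs'
printf '%s\n' "$SAMPLE_SHOW" | unapproved_admin_groups 'COMPANY\techs' ||
    echo "unapproved admin group(s) listed above" >&2
```

A non-zero exit status on any client means a group outside the approved list has local admin rights there.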

Jan 5, 2011 5:28 PM in response to Matt Ramsay

"For OD only environment:

#Use dseditgroup in the following way:
dseditgroup -o edit -a yourGroupName -t group -n /Local/Default admin"


The above looks simple enough, but I've tried repeatedly and get nothing....no error message, no success....

I have a newly installed OS X 10.6 (Snow Leopard) server as an Open Directory Master with brand new iMac clients bound to the OD running OS X 10.6. Attempting to place an OD group as local admins on the iMacs.

Server and Clients are up to date on all patches. Should the dseditgroup command work with 10.6? Have also been trying to use dscl commands, but no luck.

Anybody help me out of my misery?

Jan 6, 2011 4:53 AM in response to ahamagr

Sorry if this is a stupid question, but did you substitute your actual OD Group name in place of 'yourGroupName' in the command?

If so, run the following command:
dseditgroup -o read -n /Local/Default admin


You should see your local users that are in the admin group, but you should also see an entry under dsAttrTypeStandard:NestedGroups. That ID should match the GeneratedUID of your group. (You can check this in Workgroup Manager with the Inspector).

If there is nothing there, the group was never added properly.

Good luck, and let me know how you make out.

Message was edited by: Matt Ramsay

Jan 7, 2011 10:16 AM in response to MrHoffman

I have a launchd item on all of my clients that periodically checks back to my server for the presence of management/update scripts. When I want to make a system-wide change to my clients, I just put the script in one location on my server and the clients update themselves automatically.

AryanKing:
I see you are in St. Lucia. Any chance your employer would like to fly me down to set this up for you? I'm getting tired of the snow here in NY.
