Can I use profile manager to assign AD usergroups as administrators?

Hi,


I'm running Mavericks Server App 3.0 and would like to centrally manage users that have Administrative privileges on my iMac clients. I have already bound the clients to AD and I can log in as Windows domain users. I know I can set administrators when I bind the machine, but I'd like to be able to manage this from the server in case it needs to change, not to mention I don't want to set each computer by hand. They are successfully enrolled and accepting profile manager settings. Can I use something in profile manager (settings, scripts?) to add admin privileges to AD users, usergroups or even create a local admin on the client machines? Thanks for helping!

Server-OTHER, OS X Mavericks (10.9)

Posted on Dec 3, 2013 12:36 PM

Question marked as Best reply

Posted on Dec 3, 2013 4:36 PM in response to badbox5

So the short answer is yes. The long answer is a bit more complicated.


The AD profile now supports a number of attributes not shown in the user interface. (Apple has this documented here: http://support.apple.com/kb/HT5981.) You can define the profile in Profile Manager, save it to a file and then edit the file to add the attributes in. The unknown here is how this will behave when you push it back out to devices that have already received the profile. I would caution isolated testing on this to validate that it is safe. I've never tried changing the profile after deployment. I've always had the values set before adding devices.


For machines that are already deployed, I would simply use ARD and push this command to all bound machines:


dsconfigad -groups "domain admins,enterprise admins,aSpecialGroup"


Edit the groups to fit your needs, each separated by a comma as shown. That should work for you, and using ARD you can hit all units in one shot.


R-

Apple Consultants Network

Apple Professional Services

Author: "Mavericks Server – Foundation Services" :: Exclusively available in the Apple iBooks Store
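
The profile edit described in the answer above, as an added example that is not part of the original post or of Apple's tooling: it adds the admin-group attributes to the directory payload of a profile saved from Profile Manager. It assumes an unsigned export and uses the `ADDomainAdminGroupList` and `ADDomainAdminGroupListFlag` keys from Apple's configuration profile reference; the function names and the sample profile are constructed for illustration.

```python
import plistlib

# Payload type of the directory (AD bind) payload in a configuration profile.
AD_PAYLOAD_TYPE = "com.apple.DirectoryService.managed"

def set_admin_groups(profile_bytes, groups):
    """Return new profile bytes with the AD admin-group keys set."""
    cleaned = [g.strip() for g in groups if g.strip()]
    if not cleaned:
        raise ValueError("refusing to write an empty admin group list")
    # Assumption: unsigned export. A signed profile is CMS-wrapped and
    # plistlib.loads() raises on it rather than returning a partial result.
    profile = plistlib.loads(profile_bytes)
    targets = [p for p in profile.get("PayloadContent", [])
               if p.get("PayloadType") == AD_PAYLOAD_TYPE]
    if not targets:
        raise ValueError("profile has no Active Directory payload")
    for payload in targets:
        # Both keys are needed: the flag switches the list on.
        payload["ADDomainAdminGroupListFlag"] = True
        payload["ADDomainAdminGroupList"] = cleaned
    return plistlib.dumps(profile)

def granted_admin_groups(profile_bytes):
    """Groups whose members become local admins, for review before a push."""
    found = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") == AD_PAYLOAD_TYPE and p.get("ADDomainAdminGroupListFlag"):
            found.extend(p.get("ADDomainAdminGroupList", []))
    return found

# Constructed sample standing in for a Profile Manager export (not a real profile).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.ad-bind",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": AD_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad-bind.directory",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "HostName": "ad.example.com",
    }],
})

if __name__ == "__main__":
    edited = set_admin_groups(SAMPLE_PROFILE, ["domain admins", "aSpecialGroup"])
    print(granted_admin_groups(edited))
```

Running `granted_admin_groups` on the edited file before it goes back into Profile Manager shows exactly which AD groups the profile will make local administrators.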
