How to allow administration of OS X from network-based accounts (Open Directory)


Being new to OS X-based server management, I am learning new little tricks all the time. This is an important one for most users…

There are multiple ways you can specify which network users or groups are allowed to have administrator access.

System Preferences

You can add a network user to the local admin group using System Preferences.

  1. Log in with a network user account.
  2. From the Apple menu, choose System Preferences.
  3. From the View menu, choose Users & Groups.
  4. Select the “Allow user to administer this computer” checkbox.
  5. Enter a current administrator’s name and password when prompted.

Directory Utility (Active Directory)

You can add Active Directory (AD) groups to the local admin group using Directory Utility. (Only Active Directory groups may be added using this method.) Entries are written in DOMAIN\groupname form; by default the list already contains the domain's Domain Admins and Enterprise Admins groups, so add your own Mac-admins group rather than granting those broad groups to everyone who manages a workstation.

  1. From the Apple menu, choose System Preferences.
  2. From the View menu, choose Users & Groups.
  3. Click Login Options.
  4. Click the Edit button by “Network Account Server”.
  5. Click the Open Directory Utility button to open Directory Utility (/System/Library/CoreServices/Directory Utility).
  6. Click the lock in the lower left corner to authenticate.
  7. Under the Services tab, double-click Active Directory to edit it.
  8. Click the disclosure triangle next to “Show Advanced Options” to reveal its contents.
  9. Under the Administrative tab, click the “Allow administration by” checkbox to enable it.
  10. Click the add button (+) to add new entries to the list.
  11. Click OK to save your changes.
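The same "Allow administration by" list can be set from the command line with dsconfigad, which is what you want when the setting has to be pushed to many Macs. The script below is an added example, not from the original post: it applies a comma-separated list of DOMAIN\group names with `dsconfigad -groups`, then reads the setting back from `dsconfigad -show` and fails if it did not take or if the Mac is not bound. It assumes dsconfigad is in PATH and that the `Active Directory Domain` and `Allowed admin groups` labels match what your OS X version prints; DSCONFIGAD and SUDO are overridable so the functions can be exercised with a stub or run directly as root.

```shell
#!/bin/sh
# Added example (not from the original post): scriptable equivalent of the
# Directory Utility "Allow administration by" list, using dsconfigad.
# Assumptions: the Mac is already bound to AD, dsconfigad is in PATH, and the
# "Active Directory Domain" / "Allowed admin groups" labels match the output of
# `dsconfigad -show` on your OS X version. DSCONFIGAD and SUDO are overridable
# so the functions can be exercised with a stub, or run as root with SUDO="".
set -eu

DSCONFIGAD="${DSCONFIGAD:-dsconfigad}"
SUDO="${SUDO-sudo}"

# show_value 'Label': print the value of one "Label = value" line from
# `dsconfigad -show`, or nothing when the line is absent.
show_value() {
    "$DSCONFIGAD" -show | sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p"
}

# The AD domain this Mac is bound to, or "" when it is not bound
# (an unbound Mac prints no "Active Directory Domain" line).
ad_domain() {
    show_value 'Active Directory Domain'
}

# Comma-separated AD groups currently allowed to administer this Mac.
allowed_admin_groups() {
    show_value 'Allowed admin groups'
}

lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# set_allowed_admin_groups 'DOMAIN\Group1,DOMAIN\Group2': refuse to run on an
# unbound Mac, apply the list, then read it back so a silent failure (typo,
# plug-in not responding) is reported instead of assumed to have worked.
set_allowed_admin_groups() {
    wanted="$1"
    if [ -z "$(ad_domain)" ]; then
        echo "not bound to Active Directory; bind first (see dsconfigad -add)" >&2
        return 1
    fi
    $SUDO "$DSCONFIGAD" -groups "$wanted"
    got="$(allowed_admin_groups)"
    if [ "$(lower "$got")" != "$(lower "$wanted")" ]; then
        echo "admin groups not applied: wanted '$wanted', got '$got'" >&2
        return 1
    fi
    echo "Allowed admin groups = $got"
}

# Usage: sudo sh ad-admins.sh 'EXAMPLE\Mac Admins,EXAMPLE\Domain Admins'
if [ $# -eq 1 ]; then
    set_allowed_admin_groups "$1"
fi
```

Note that `-groups` replaces the whole list rather than appending to it, so include every group that should keep admin rights (the default Domain Admins entry among them, if you still want it) each time you run it.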

Command line (advanced)

If you’re familiar with using Terminal and the command line, you can add network users or groups to the local admin group using the dseditgroup command in Terminal. The following examples add an AD group and then a domain user to the admin group:

Command to add an AD group to the local admin group:

  sudo dseditgroup -o edit -a "DOMAIN\GroupNameHere" -t group admin

Command to add a domain user to the local admin group:

  sudo dseditgroup -o edit -a UserNameHere -t user admin

In these commands, replace DOMAIN\GroupNameHere with the Active Directory group (in DOMAIN\name form) and UserNameHere with the short name of the network user. sudo prompts for the password of the local administrator account you are logged in as; no password for the network account is needed. Without -n, dseditgroup edits the admin group in the local directory node, and the directory search path is used to look up the network user or group being added, so the Mac must already be bound to the directory server.

You can learn more about editing users and groups from the command line by viewing the dseditgroup man page.
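When the same change is pushed to many workstations, two things matter that the one-line commands above do not cover: not adding a member that is already there, and confirming afterwards that the add actually took (a misspelled name or an unbound Mac can fail quietly). The script below is an added example, not from the original post. It wraps dseditgroup so that adding a user or group is idempotent and verified with `dseditgroup -o checkmember`, which prints a line beginning "yes" or "no". It assumes the Mac is bound to Open Directory or AD and that it runs as root (via sudo); DSEDITGROUP is overridable so the logic can be exercised with a stub.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent, verified additions of
# network users or groups to the local admin group via dseditgroup.
# Assumptions: the Mac is bound to OD or AD, the script runs as root (sudo), and
# dseditgroup is in PATH. DSEDITGROUP is overridable so the logic can be
# exercised with a stub that does not touch a real directory.
set -eu

DSEDITGROUP="${DSEDITGROUP:-dseditgroup}"

# is_admin_member TYPE NAME: succeed if NAME (TYPE is "user" or "group") is a
# member of admin. `dseditgroup -o checkmember` prints "yes ..." or "no ...";
# the output is inspected rather than the exit status to keep `set -e` quiet.
is_admin_member() {
    out=$("$DSEDITGROUP" -o checkmember -t "$1" -m "$2" admin 2>/dev/null) || true
    case "$out" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# ensure_admin_member TYPE NAME: add NAME to admin only when it is missing, then
# re-check so a silent failure is reported. Prints "present" or "added".
ensure_admin_member() {
    if is_admin_member "$1" "$2"; then
        echo "present"
        return 0
    fi
    "$DSEDITGROUP" -o edit -a "$2" -t "$1" admin
    if is_admin_member "$1" "$2"; then
        echo "added"
    else
        echo "failed to add $1 '$2' to admin (bound? name correct?)" >&2
        return 1
    fi
}

# apply_admin_list: read "TYPE NAME" lines from stdin (NAME may contain spaces,
# e.g. "group EXAMPLE\Mac Admins") and ensure each one is in admin.
apply_admin_list() {
    while read -r t n; do
        [ -n "$t" ] || continue
        ensure_admin_member "$t" "$n"
    done
}

# Usage: sudo sh add-admin.sh user jdoe
#        sudo sh add-admin.sh group 'EXAMPLE\Mac Admins'
#        printf 'user jdoe\ngroup EXAMPLE\\Mac Admins\n' | sudo sh add-admin.sh -
if [ $# -eq 2 ]; then
    ensure_admin_member "$1" "$2"
elif [ $# -eq 1 ] && [ "$1" = "-" ]; then
    apply_admin_list
fi
```

Because checkmember resolves the name through the directory search path, running the script on a Mac that has lost its binding reports the failure instead of leaving you with an admin group that silently lacks the entry.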
