One of the problems facing many Mac administrators in Active Directory environments is how to give their users admin rights on their machines. When configuring Active Directory, it’s easy to specify one or many AD groups that should have admin access, but this only works when the Mac is able to contact the domain controller to verify group membership. Furthermore, this can be a security risk, because this gives everyone in an AD group admin rights to every machine. How can you give each user admin rights to their machine only, and without the need to be in contact with the domain controller?
What we’re going to do is write a script that runs at login to add the AD user to the local admin group. There are two parts to this script. The first is to grab the currently logged in user.
    if [ -z "$3" ]; then
        # No user passed in: fall back to the owner of the console device
        currentUser=`stat -f '%Su' /dev/console`
    else
        currentUser="$3"
    fi
The JSS passes the currently logged-in user as variable 3 to any script it runs. However, there was a defect in 9.0 (resolved in 9.01) that prevented this from working properly on scripts run as part of login policies, and I’ve occasionally (very rarely) seen variable 3 not populate properly on later versions, so I built in a failsafe: if variable 3 isn’t set, the script uses the stat command to find the owner of /dev/console, which is the currently logged-in user.
The next step is to add the current user to the local admin group.
    dseditgroup -o edit -a "$currentUser" -t user admin
This line uses dseditgroup to add the user named in the currentUser variable (set to the currently logged-in user in the if statement above) to the local admin group.
All you have to do is run this script as part of a policy triggered by login, with an execution frequency of once per computer, scoped to all machines, and each user will be an admin on their own machine.
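Here is the complete login script as an added example, written for this post rather than taken from the author’s GitHub page. It keeps the $3 fallback described above and adds two things a practitioner would want: a guard so the script never promotes root (the owner of /dev/console at the login window) or the Setup Assistant user _mbsetupuser, and an idempotency check with dseditgroup -o checkmember so re-running the policy is harmless. The argument layout ($3 = username) is the JSS convention from the post; the function names are mine.

```shell
#!/bin/bash
# Added example, not the author's script. Jamf/JSS passes the mount point
# as $1, the computer name as $2 and the logged-in user as $3.

# Resolve the login user: prefer the JSS-supplied name (first argument),
# otherwise fall back to the owner of /dev/console, as the post describes.
resolve_current_user() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        stat -f '%Su' /dev/console 2>/dev/null
    fi
}

# Return 0 only for a real login account. At the login window /dev/console
# is owned by root, and during Setup Assistant by _mbsetupuser; promoting
# either would be a mistake, so both are rejected along with an empty name.
is_promotable_user() {
    case "$1" in
        ""|root|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Add the user to the local admin group unless they are already a member,
# so the policy can safely run more than once per computer.
grant_local_admin() {
    target_user="$1"
    if dseditgroup -o checkmember -m "$target_user" admin >/dev/null 2>&1; then
        echo "$target_user is already a member of admin"
        return 0
    fi
    dseditgroup -o edit -a "$target_user" -t user admin
}

main() {
    currentUser="$(resolve_current_user "$3")"
    if ! is_promotable_user "$currentUser"; then
        echo "No promotable console user (got '${currentUser}'); exiting" >&2
        exit 1
    fi
    grant_local_admin "$currentUser"
}

# Only perform the promotion where dseditgroup exists (macOS); elsewhere the
# functions are merely defined so the file can be sourced or tested.
if command -v dseditgroup >/dev/null 2>&1; then
    main "$@"
fi
```

Deploy it exactly as described above: a login-triggered policy, once per computer, running as root so no sudo is needed.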
But what if you only want to make certain users admins? For example, in a K12 environment, maybe we only want teachers to be admins. Just limit your policy to a certain AD group (in this case, teachers) and only teachers will be made admins. The policy won’t even run if a student logs in to a machine.
You can grab my example script from my Github page.