AFP548 Changing the world one server at a time.
Thursday, July 29 2010 @ 09:26 am MDT

Local Admin Privileges in Tiger

Tips: Confusing at first, but smart in the long run

A new "feature" of Tiger is that users in the admin group of an LDAP (or other network) directory no longer automatically have local admin rights on the machine.

For example, just because you are the diradmin user, this doesn't mean that you'll be able to use Server Admin to administer the server. The same goes for OS X client: just because you are in the LDAP admin group doesn't mean that you'll be able to change printer settings on the client machine.

This caught me off-guard at first, and I must admit I was a bit peeved by it. However, I've actually grown to find this a rather clever dichotomy.

Now you can easily delegate admin capabilities amongst your network systems. For example, you can create a "help desk" group in LDAP, then nest that group inside the client's admin group. Now your help desk personnel can click through authentication dialogs on the client, but have no admin abilities on the servers.

Create another group, "web server admins", and nest it inside the local admin group on your web servers, and so on. Now you have a bit more granularity over which users can be admins on which systems.

You can automate this with the dseditgroup command. For example, this command:

dseditgroup -o edit -a helpdesk -t group -n /NetInfo/DefaultLocalNode admin

will nest the helpdesk group inside the local admin group.

A further bit of confusion, or perhaps opportunity, lies in the fact that sudo is not aware of nested groups: a user who is an admin only through a nested group does not match the %admin entry. I imagine this will be fixed, since it seems to be a bit of a bug. Until then, however, you can use visudo to add other groups besides the admin group to the sudoers list, which lives at /etc/sudoers.

So, you can now have LDAP-based helpdesk and clientadmin groups. Nest them both in the local admin group, but only put clientadmin in the /etc/sudoers file. Now help desk users can administer the machine but have no sudo rights, while client admin users can both administer and sudo on the machine.
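To make the two checks concrete, here is an added bash script (not the article's own code) that audits a client the way Directory Services and sudo each see it: who is a local admin through nesting, and who is actually granted sudo. The group records, user names and sudoers lines are all constructed stand-ins for `dscl` output and /etc/sudoers, so it runs on any system.

```bash
#!/bin/bash
# Added example (not from the article or its comments): audit who holds local admin
# rights via nesting versus who gets sudo. All data is constructed, so this runs anywhere.
# Stand-in for `dscl . -read /Groups/admin` on a client after nesting two LDAP groups.
ADMIN_RECORD='GroupMembership: root localadmin
NestedGroups: helpdesk clientadmin'
# Stand-in for the LDAP directory (hypothetical group names and users).
ldap_group_members() {
    case "$1" in
        helpdesk)    echo "marc sandeep" ;;
        clientadmin) echo "nancy" ;;
    esac
}
# Constructed /etc/sudoers fragment: only clientadmin is listed, as the article proposes.
SUDOERS='%admin ALL=(ALL) ALL
%clientadmin ALL=(ALL) ALL'
direct_admins() { printf '%s\n' "$ADMIN_RECORD" | sed -n 's/^GroupMembership: //p'; }
nested_groups() { printf '%s\n' "$ADMIN_RECORD" | sed -n 's/^NestedGroups: //p'; }
# Groups a user is a *direct* member of: admin (if listed there) plus each LDAP group
# containing them. This is all sudo sees, since it does not expand nested groups.
user_groups() {
    local u=$1 g
    direct_admins | tr ' ' '\n' | grep -qx "$u" && echo admin
    for g in helpdesk clientadmin; do
        ldap_group_members "$g" | tr ' ' '\n' | grep -qx "$u" && echo "$g"
    done
    return 0
}
# Admin on this client? Directory Services resolves the nesting, so membership of
# any group listed in NestedGroups counts.
is_admin() {
    local u=$1 g
    user_groups "$u" | grep -qx admin && return 0
    for g in $(nested_groups); do
        user_groups "$u" | grep -qx "$g" && return 0
    done
    return 1
}
# Granted sudo? Only a %group line naming one of the user's direct groups matches.
has_sudo() {
    local g
    for g in $(user_groups "$1"); do
        printf '%s\n' "$SUDOERS" | grep -q "^%$g " && return 0
    done
    return 1
}
```

Running `is_admin marc; has_sudo marc` shows the split the article describes: marc is an admin through the nested helpdesk group but gets no sudo, while nancy (clientadmin) gets both.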

Local Admin Privileges in Tiger
Authored by: Anonymous on Wednesday, August 10 2005 @ 10:51 pm MDT
So do I have to put my LDAP HelpDesk group into every client
machine on my network one at a time, or is there a way to have it
apply to all bound clients?

Thanks,
Adam
Local Admin Privileges in Tiger
Authored by: The Limey on Sunday, August 14 2005 @ 06:06 pm MDT
I can't believe I hadn't noticed this...

Thanks a lot for the article.
Local Admin Privileges in Tiger
Authored by: The Limey on Monday, September 05 2005 @ 01:34 pm MDT
I have "sort of" got it.

If you create the groupmembers property manually in NetInfo Manager, then
the dseditgroup command works and the group nests as intended.

Now we just need to be able to add the groupmembers property through the
command line, and we can use it as a two-step solution.
Local Admin Privileges in Tiger
Authored by: flumignan on Wednesday, February 22 2006 @ 07:09 pm MST
I was confused at first because I didn't understand the concepts. So, I wrote a scenario that I think might help others "get it". It includes GUI instructions on how to perform what Joel does via command line.

-------------

Let's say Jane gets a new PowerMac at work. The IT department first sets it up with one local administrator account - the "just in case" account called "localadmin". That account's stored in the PowerMac's local NetInfo directory. Naturally, "localadmin" is a member of the "Administrators" group.

After setting up the computer with all of Jane's programs and such, they configure the machine to authenticate to the company's LDAP directory (which happens to be on an Xserve server running 10.4.5). Once the computer's on her desk, Jane logs into her PowerMac with the username "jdoe01" and her password. Her account's in good standing on the server and she's permitted to log in.

Company policy says that graphic designers like Jane cannot be administrators on their workstations. Marc, on the other hand, works as a temp at the helpdesk. He's called over periodically to load software or do some other function that requires him to provide administrative credentials on the workstations.

Here's the difference between 10.3 and 10.4. In Panther, Marc would either log in as "localadmin" when he needed to work on Jane's PowerMac -- or he could log in as himself, but only if his account was in the "Administrators" group in the LDAP directory. That's undesirable. We don't want to have to give out the password to the "localadmin" to a temp like Marc. The other problem is, Nancy, the lead sysadmin, doesn't want Marc to be a member of the "Administrator" group because that would mean he could log into the server and possibly review sensitive documents.

In 10.4, however, we can get more granular. Nancy created a group called "helpdesk" in the LDAP server. Marc is a part of that group, as is Sandeep, who also works part time. That group "helpdesk" has no special privileges; it's just a plain-old-group.

Nancy goes over to Jane's PowerMac. Nancy smartly keeps a copy of Workgroup Manager on a thumb drive, so she plugs that in and launches the program. From WGM, she goes to Server --> View Directories and chooses "Local" from the pull-down globe menu underneath the "Admin" icon. She wants to modify Jane's local NetInfo database, so she clicks on the lock, enters "localadmin" and the corresponding password, and begins examining the Groups. She doesn't see the "Administrators" group that's built into the local NetInfo directory, so she remembers she needs to go to View --> Show System Users and Groups. Voilà! She sees "Administrators" -- which already is populated with root and "localadmin".

Nancy wants to add a group from the LDAP directory into the "Administrators" group in the local NetInfo directory. In order for her to do this trick, she first has to click the button that says "Upgrade legacy group". Once that's done, she can hit the "Add" button, click the globe atop the sliding door, choose the company's LDAP directory and add "helpdesk".

This now will mean that Marc and Sandeep, who are members of the LDAP "helpdesk" group, are, by group inheritance, members of the local workstation's "Administrators" group. They can do admin things on Jane's PowerMac, but they're not server administrators.

I hope this helps.


Local Admin Privileges in Tiger
Authored by: movieboy on Thursday, March 02 2006 @ 05:41 pm MST
To create the property from the command line:

sudo niutil -createprop / /groups/admin groupmembers ""

then you can run the dseditgroup command correctly.

-Joe
Nested groups and sudo
Authored by: Anonymous on Sunday, September 02 2007 @ 02:39 pm MDT
They work fine as of 10.4.10; we just discovered this and set it up yesterday. Thanks for the article! Here's our script we used for this; might be useful for other people to modify when transitioning from local admin groups to networked ones.
#!/bin/zsh -fe

# Configure the local admin group to contain only root, macadmin
# and the acm.admin LDAP/PTS group

[[ $(uname -s) == "Darwin" ]] || {
    print "This machine isn't running Mac OS X." >&2
    exit 1
}

[[ $(id -u) == 0 ]] || {
    print "You ain't root." >&2
    exit 1
}

# -U keeps the array's elements unique
typeset -aU members

# read the direct members of the local admin group into $members
get_membership() {
    members=($(dscl . -read /Groups/admin GroupMembership|sed -e 's/.*: //'))
}

get_membership
print Before: $members

# remove all but local users from admin group
# ($members[(i)name] is the index of "name"; assigning () drops that element)
members[$members[(i)root]]=()
members[$members[(i)macadmin]]=()

for m ($members) dseditgroup -q -o edit -d $m -t user admin

get_membership
print After: $members

# switch admin to the new (nestable) group format, clear any existing
# nested groups, then nest the acm.admin directory group inside it
dseditgroup -o edit -t group -f n admin
dscl . -delete /Groups/admin NestedGroups
dseditgroup -o edit -a acm.admin -t group admin
Local Admin Privileges in Tiger
Authored by: JonThompson on Friday, February 29 2008 @ 05:23 pm MST
Any idea what the command to do this is in 10.5? I know it is an LDAP command, not NetInfo, but that is about it.