  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 881

Open Directory Administrative Account to allow local admin access?

We support a school district with many Mac laptops.  Currently each student has limited access to his laptop.  The principal at the school needs to be able to use remote desktop software to monitor the computers.  He also needs the ability to install software for the kids when needed.  

We have a local admin account on the machines, but can't give that password to the principal as if he leaks it we will end up having to change it on all the school's 350+ laptops.

Is there a way to create an administrator account in Open Directory that will automatically have local admin rights on all the computers who are connected to the OS X server at the site?  This way if the password becomes compromised we can change it in one place to stop the kids from using it.  We are not worried if this is the equivalent of a domain admin account in Windows as the principal may want access to the OS X server as well.
0
ccarmichael7
Asked:
1 Solution
 
roylong Commented:
What version of OS X are you running? How are your computers bound to the Open Directory?  Are they bound to the directory?

On the Open Directory Master you should be able to set up the administrator account to log in and manage any of the client computers that are bound to that directory.

This way you can then use that account to log in and manage those same computers using Apple Remote Desktop.  Depending on how you have the systems configured and imaged, you may have to set up the account on each of the client computers and then assign that user for remote desktop control.  If that user account is then compromised you can change the password and (because it is a networked account) this will prevent non-authorised users logging in.

Believe it or not, this is much easier to do with the clients bound into a Windows AD domain.  You can specify to allow the client to be administered from the domain.
0
 
nappy_d (There are a 1000 ways to skin the technology cat.) Commented:
There is a check box in each user acct which allows you to set the user as admin or non admin.
0
 
nappy_d Commented:
Oops, that check box is for administering the server.  Instead, in WGM:
- Go to the users
- Click on the user, in your case, the principal
- Click on Groups
- Add the group Administrators
- You could even make this his primary group
- You're done..
- I will post a screenshot later.
0
 
ccarmichael7 (Author) Commented:
Thanks for your comments Roylong and Nappy_d!  I will be onsite setting this up tomorrow.  Nappy_d, will I need to add the account on every computer, or will him having admin rights in OD mean he automatically has admin rights on any computer bound to the OD server?

Thanks for the help Roylong, but there is no Windows integration set up at this site and I would like to keep the Mac network separate.

Please advise...
0
 
ccarmichael7 (Author) Commented:
Sorry, server and MacBooks are running OSX 10.5.  A few MacBooks are running OSX 10.6.
0
 
nappy_d Commented:
Nothing to do at any workstation but log in.  By making these settings on the user's account (the principal), in effect, he/she gets local admin privileges on ANY computer that he/she logs in to.

Picture-260.png
0
 
ccarmichael7 (Author) Commented:
Awesome thank you.  I'll implement this on site tomorrow and report back!
0
 
nappy_d Commented:
Guaranteed to work :)

Just make sure to add the group Administrators as shown.
0
 
ccarmichael7 (Author) Commented:
There was no administrators group.  I think it was renamed to something else but when I set up the account and added it to the group it worked perfectly.
0
 
cbielich Commented:
I am having the same issue, the administrators group is missing and so I tried to add it as well and it tells me I can't add the group because it already exists. But it's not listed in my groups tab.
Screen-shot-2010-08-29-at-12.42..png
0
 
nappy_d Commented:
What I did was:
- go to the user's acct in WGM
- click on their group membership tab
- simply add the group Administrators

Do not try to create the group.  
0
 
cbielich Commented:
That's the problem, the group is not on that list, and even when I try and add it, it says the group already exists.
0
 
nappy_d Commented:
So what you're saying is:
- when you click on the user joe
- you then click on his group tab

You cannot add the group administrator?

I am not talking about the group management tab but the user mgmt tab.
0
 
cbielich Commented:
Yes but it's not that I can't add it, the group is not there as an option to select
0
 
nappy_d Commented:
Make the user's primary group ID 80 and it will add it.

If you need further assistance open a new discussion.
0
Question has a verified solution.
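
An audit sketch for the approach in this thread, added here as an example and not code from any of the posters: because a directory account whose primary group ID is 80 is an administrator on every bound Mac, it flags accounts with that GID that are not on an approved list. The sample listing, the account names and the `APPROVED` list are constructed; on a bound Mac the input would come from `dscl /Search -list /Users PrimaryGroupID`.

```shell
#!/bin/sh
# Added example: flag accounts whose primary group is the admin group (GID 80).
# Input format is "name   gid" per line, as printed by:
#   dscl /Search -list /Users PrimaryGroupID
ADMIN_GID=80
# Constructed allowlist: accounts that are expected to hold admin rights.
APPROVED="principal localadmin"

# Reads a listing on stdin, prints unexpected GID-80 accounts, one per line.
unexpected_admins() {
    awk -v gid="$ADMIN_GID" -v ok="$APPROVED" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        # Skip blank lines and service accounts (leading underscore).
        NF < 2 || $1 ~ /^_/ { next }
        # Report each unapproved name once, even if two nodes both list it.
        $NF == gid && !($1 in allow) && !seen[$1]++ { print $1 }
    '
}

# Constructed sample listing (not from a real directory).
sample_listing() {
    cat <<'EOF'
_www            70
root            0
localadmin      80
principal       80
student01       20
student17       80
teacher.smith   20
student17       80
EOF
}

# Returns 1 when anything unexpected is found, so it can gate a scheduled report.
audit() {
    found=$(unexpected_admins)
    [ -z "$found" ] && return 0
    for u in $found; do
        printf 'unexpected admin (GID %s): %s\n' "$ADMIN_GID" "$u"
    done
    return 1
}

# Demo run on the constructed sample; "|| true" keeps the demo exit status clean.
sample_listing | audit || true
```

This covers only the primary-group path discussed above; accounts added to the admin group as members show up in `dscl . -read /Groups/admin GroupMembership` on each client and need a separate check.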
