Solved

Open Directory Administrative Account to allow local admin access?

Posted on 2010-08-20
871 Views
Last Modified: 2013-11-11
We support a school district with many Mac laptops. Currently each student has limited access to his laptop. The principal at the school needs to be able to use remote desktop software to monitor the computers. He also needs the ability to install software for the kids when needed.

We have a local admin account on the machines, but can't give that password to the principal, as if he leaks it we will end up having to change it on all the school's 350+ laptops.

Is there a way to create an administrator account in Open Directory that will automatically have local admin rights on all the computers that are connected to the OS X server at the site? This way, if the password becomes compromised, we can change it in one place to stop the kids from using it. We are not worried if this is the equivalent of a domain admin account in Windows, as the principal may want access to the OS X server as well.
Question by:ccarmichael7
15 Comments
 
LVL 15

Expert Comment

by:roylong
ID: 33488538
What version of OS X are you running? How are your computers bound to the Open Directory? Are they bound to the directory?

On the Open Directory Master you should be able to set up the administrator account to log in and manage any of the client computers that are bound to that directory.

This way you can then use that account to log in and manage those same computers using Apple Remote Desktop.  Depending on how you have the systems configured and imaged, you may have to set up the account on each of the client computers and then assign that user for remote desktop control.  If that user account is then compromised you can change the password and (because it is a networked account) this will prevent non-authorised users logging in.

Believe it or not, this is much easier to do with the clients bound into a Windows AD domain.  You can specify to allow the client to be administered from the domain.
 
LVL 32

Expert Comment

by:nappy_d
ID: 33489000
There is a check box in each user acct which allows you to set the user as admin or non admin.
 
LVL 32

Expert Comment

by:nappy_d
ID: 33489971
Oops, that check box is for administering the server. Instead, in WGM:
- Go to the users
- Click on the user, in your case, the principal
- Click on Groups
- Add the group Administrators
- You could even make this his primary group
- You're done..
- I will post a screenshot later.
 

Author Comment

by:ccarmichael7
ID: 33507326
Thanks for your comments, Roylong and Nappy_d! I will be onsite setting this up tomorrow. Nappy_d, will I need to add the account on every computer, or will him having admin rights in OD mean he automatically has admin rights on any computer bound to the OD server?

Thanks for the help, Roylong, but there is no Windows integration set up at this site and I would like to keep the Mac network separate.

Please advise...
 

Author Comment

by:ccarmichael7
ID: 33507336
Sorry, the server and MacBooks are running OS X 10.5. A few MacBooks are running OS X 10.6.
 
LVL 32

Expert Comment

by:nappy_d
ID: 33507454
Nothing to do at any workstation but log in. By making these settings on the user's account (the principal), in effect, he/she gets local admin privileges on ANY computer that he/she logs in to.

[Attachment: Picture-260.png]
 

Author Comment

by:ccarmichael7
ID: 33507518
Awesome thank you.  I'll implement this on site tomorrow and report back!
 
LVL 32

Accepted Solution

by:nappy_d (earned 500 total points)
ID: 33507568
Guaranteed to work :)

Just make sure to add the group Administrators as shown.
 

Author Closing Comment

by:ccarmichael7
ID: 33526885
There was no Administrators group. I think it was renamed to something else, but when I set up the account and added it to the group it worked perfectly.
 
LVL 1

Expert Comment

by:cbielich
ID: 33554253
I am having the same issue: the Administrators group is missing, and so I tried to add it as well, and it tells me I can't add the group because it already exists. But it's not listed in my Groups tab.
[Attachment: Screen-shot-2010-08-29-at-12.42..png]
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554409
What I did was:
- go to the user's acct in WGM
- click on their group membership tab
- simply add the group Administrators

Do not try to create the group.  
 
LVL 1

Expert Comment

by:cbielich
ID: 33554674
That's the problem: the group is not on that list, and even when I try and add it, it says the group already exists.
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554708
So what you're saying is:
- when you click on the user joe
- you then click on his group tab

You cannot add the group administrator?

I am not talking about the group management tab but the user mgmt tab.
 
LVL 1

Expert Comment

by:cbielich
ID: 33554744
Yes but it's not that I can't add it, the group is not there as an option to select
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554847
Make the user's primary group ID 80 and it will add it.

If you need further assistance open a new discussion.
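A check a practitioner can run on a bound client to confirm that the WGM change above actually took effect, as an added example that is not part of the thread. Both routes discussed (adding the network user to the Administrators group, or setting the user's primary group ID to 80) work because the client treats group ID 80 as its local `admin` group, so a network account carrying GID 80 is a local administrator on every machine bound to the OD master, with no per-workstation setup. The script below parses the group list that `id -G <user>` prints on the client (primary GID first), tells you which route put the account into GID 80, and reports accounts the client cannot resolve at all (usually a binding problem). The user names and group lists are constructed for illustration; the `check_user` function only gives a real answer on a Mac bound to the directory. One caveat the thread glosses over: this is effectively a domain-wide admin account, and changing its password in Open Directory stops further logins but does not undo anything already done with it on a laptop.

```shell
#!/bin/sh
# Added example, not from the thread: confirm on a bound Mac OS X client that
# an Open Directory account lands in the local admin group (GID 80).
# Assumptions: the client is bound to the OD master, so id(1) can resolve the
# network user; the short names below ("principal", "teacher", "student") and
# their group lists are constructed samples, not real accounts.

ADMIN_GID=80   # GID of the local "admin" group on Mac OS X

# admin_via GID_LIST
# GID_LIST is the output of `id -G user`: primary GID first, then the rest.
# Prints "primary" when the primary group is 80 (the "primary group ID 80"
# route from the thread), "member" when 80 appears only as a supplementary
# group (the "add the Administrators group" route), or "none".
# Exit status 0 means the account is a local admin, 1 means it is not.
admin_via() {
    set -- $1                     # split the list into positional parameters
    [ $# -eq 0 ] && { echo none; return 1; }
    if [ "$1" = "$ADMIN_GID" ]; then
        echo primary
        return 0
    fi
    shift
    for gid in "$@"; do
        if [ "$gid" = "$ADMIN_GID" ]; then
            echo member
            return 0
        fi
    done
    echo none
    return 1
}

# check_user USER
# Resolves USER through the client's directory services and reports whether
# it would get local admin rights here. Exit 0 = admin, 1 = standard user,
# 2 = the client cannot resolve the account (check the directory binding).
check_user() {
    gids=$(id -G "$1" 2>/dev/null) || {
        echo "$1: not resolvable on this client (is it bound to the OD master?)"
        return 2
    }
    how=$(admin_via "$gids") && {
        echo "$1: local admin ($how group $ADMIN_GID)"
        return 0
    }
    echo "$1: standard user"
    return 1
}

# Constructed sample group lists standing in for `id -G` output on a bound
# client, so the logic can be exercised away from the school's machines.
PRINCIPAL_GIDS="80 20 1025"    # primary group set to 80 in WGM
TEACHER_GIDS="20 80 1025"      # added to Administrators, primary group left as staff (20)
STUDENT_GIDS="20 1026"         # standard account, no GID 80 anywhere

for sample in "principal:$PRINCIPAL_GIDS" "teacher:$TEACHER_GIDS" "student:$STUDENT_GIDS"; do
    name=${sample%%:*}
    gids=${sample#*:}
    printf '%s -> %s\n' "$name" "$(admin_via "$gids")"
done
```

On a bound laptop, `check_user principal` (with the real short name) is the quick way to confirm the account is an admin before handing it over, and running it on a machine where the account resolves but shows no GID 80 tells you the group change did not propagate. Because the whole scheme hinges on one GID, auditing which network accounts carry it is also the way to find out who else has been quietly given admin on every bound client.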
