Solved

Open Directory Administrative Account to allow local admin access?

Posted on 2010-08-20
Last Modified: 2013-11-11
We support a school district with many Mac laptops. Currently each student has limited access to his laptop. The principal at the school needs to be able to use remote desktop software to monitor the computers. He also needs the ability to install software for the kids when needed.

We have a local admin account on the machines, but can't give that password to the principal, as if he leaks it we will end up having to change it on all the school's 350+ laptops.

Is there a way to create an administrator account in Open Directory that will automatically have local admin rights on all the computers that are connected to the OS X server at the site? This way, if the password becomes compromised, we can change it in one place to stop the kids from using it. We are not worried if this is the equivalent of a domain admin account in Windows, as the principal may want access to the OS X server as well.
Question by:ccarmichael7
15 Comments
 
LVL 15

Expert Comment

by:roylong
ID: 33488538
What version of OS X are you running? How are your computers bound to the Open Directory? Are they bound to the directory?

On the Open Directory Master you should be able to set up the administrator account to log in and manage any of the client computers that are bound to that directory.

This way you can then use that account to log in and manage those same computers using Apple Remote Desktop.  Depending on how you have the systems configured and imaged, you may have to set up the account on each of the client computers and then assign that user for remote desktop control.  If that user account is then compromised you can change the password and (because it is a networked account) this will prevent non-authorised users logging in.

Believe it or not, this is much easier to do with the clients bound into a Windows AD domain.  You can specify to allow the client to be administered from the domain.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33489000
There is a check box in each user acct which allows you to set the user as admin or non admin.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33489971
Oops, that check box is for administering the server.  Instead, in WGM:
- Go to the users
- Click on the user, in your case, the principal
- Click on Groups
- Add the group Administrators
- You could even make this his primary group
- You're done..
- I will post a screenshot later.
0

 

Author Comment

by:ccarmichael7
ID: 33507326
Thanks for your comments Roylong and Nappy_d!  I will be onsite setting this up tomorrow.  Nappy_d  will I need to add the account on every computer, or will him having admin rights in OD mean he automatically has admin rights on any computer bound to the OD server?

Thanks for the help Roylong, but there is no Windows integration set up at this site and I would like to keep the Mac network separate.

Please advise...
0
 

Author Comment

by:ccarmichael7
ID: 33507336
Sorry, server and MacBooks are running OSX 10.5.  A few MacBooks are running OSX 10.6.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33507454
Nothing to do at any workstation but login.  By making these settings on the user's account (the principal), in effect, he/she gets local admin privileges on ANY computer that he/she logs in to.

Picture-260.png
0
 

Author Comment

by:ccarmichael7
ID: 33507518
Awesome thank you.  I'll implement this on site tomorrow and report back!
0
 
LVL 32

Accepted Solution

by:
nappy_d earned 500 total points
ID: 33507568
Guaranteed to work :)

Just make sure to add the group Administrators as shown.
0
 

Author Closing Comment

by:ccarmichael7
ID: 33526885
There was no administrators group.  I think it was renamed to something else, but when I set up the account and added it to the group it worked perfectly.
0
 
LVL 1

Expert Comment

by:cbielich
ID: 33554253
I am having the same issue: the administrators group is missing, so I tried to add it as well, and it tells me I can't add the group because it already exists. But it's not listed in my groups tab.
Screen-shot-2010-08-29-at-12.42..png
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554409
What I did was:
- go to the user's acct in WGM
- click on their group membership tab
- simply add the group Administrators

Do not try to create the group.  
0
 
LVL 1

Expert Comment

by:cbielich
ID: 33554674
That's the problem: the group is not on that list, and even when I try and add it, it says the group already exists.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554708
So what you're saying is:
- when you click on the user joe
- you then click on his group tab

You cannot add the group administrator?

I am not talking about the group management tab but the user mgmt tab.
0
 
LVL 1

Expert Comment

by:cbielich
ID: 33554744
Yes but it's not that I can't add it, the group is not there as an option to select
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 33554847
Make the user's primary group ID 80 and it will add it.

If you need further assistance open a new discussion.
0
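
Added example (not part of any post in this thread): a follow-up audit for the approach accepted above, where a directory account gets admin rights on every bound Mac through primary group ID 80 or membership in the admin group. The sample listings are constructed, the function names and the allowlist are hypothetical, and the input format is assumed to match what `dscl /Search -list /Users PrimaryGroupID` and `dscl /Search -read /Groups/admin GroupMembership` print on a bound client.

```shell
#!/bin/sh
# Audit sketch: which accounts resolve to admin (gid 80) on a bound client,
# and which of them are not on the expected list.

ADMIN_GID=80

# Constructed sample of: dscl /Search -list /Users PrimaryGroupID
sample_users() {
cat <<'EOF'
root            0
localadmin      80
principal       80
student01       20
student02       20
EOF
}

# Constructed sample of: dscl /Search -read /Groups/admin GroupMembership
sample_admin_group() {
  echo "GroupMembership: root localadmin techcoord"
}

# effective_admins USER_LISTING GROUP_LINE
# Prints one name per line: users whose primary GID is 80, plus explicit
# members of the admin group, de-duplicated and sorted.
effective_admins() {
  {
    printf '%s\n' "$1" | awk -v gid="$ADMIN_GID" '$2 == gid { print $1 }'
    printf '%s\n' "$2" |
      awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
  } | sort -u
}

# unexpected_admins USER_LISTING GROUP_LINE "allowed names separated by spaces"
# Prints every effective admin that is missing from the allowlist.
unexpected_admins() {
  allow=" $3 "
  effective_admins "$1" "$2" | while read -r name; do
    case "$allow" in
      *" $name "*) ;;                    # expected admin, nothing to report
      *) printf '%s\n' "$name" ;;        # admin rights nobody signed off on
    esac
  done
}

# Usage on the constructed data: prints "techcoord"
unexpected_admins "$(sample_users)" "$(sample_admin_group)" "root localadmin principal"
```

Running the same check on a schedule shows when another account has picked up GID 80 or been added to the admin group since the last review.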
