We support a school district with many mac laptops. Currently each student has limited access to his laptop. The principal at the school needs to be able to use remote desktop software to monitor the computers. He also needs the ability to install software for the kids when needed.
We have a local admin account on the machines, but can't give that password to the principal as if he leaks it we will end up having to change it on all the schools 350+ laptops.
Is there a way to create an administrator account in open directory that will automatically have local admin rights on all the computers who are connected to the OS X server at the site? This way if the password becomes compromised we can change it in one place to stop the kids from using it. We are not worried if this is the equivalent of a domain admin acocunt in windows as the principal may want access to the OS X server as well.