network user accounts seen as local admins
#32727 01/29/15 01:50 PM
Joined: Aug 2009
When our faculty/staff log in on their Macs using the network login, they are promoted automatically to "local admin", so they can install software, change system preferences, etc. (It's campus policy that they are allowed this, not my call.)

To accomplish this, the machines are configured with dsconfigad thusly:

Code:
dsconfigad -groups "OURDOMAIN\Staff_global","OURDOMAIN\Domain admins","OURDOMAIN\Info Technology" -alldomains enable


So any member of any of those three groups becomes a member of the Admin group on the computer while they are logged in.


(Our Macintoshes ALL use local home folders; we do not use network homes on the laptops or the desktops.)

Some of these computers are laptops which they take home at night. As long as they've logged in once with it while on campus (and connected to our Windows domain controller) they can continue to log in, and even reboot and log in while at home. The computer will have already created their home and cached the login authentication, and allows them to log in even though the domain controller is unreachable.

The problem is that when they log in while away from the DC, they fail to be promoted to admin status, and are unable to do things like install software.

As soon as they come back and log back in while attached to our network (and DC) they regain admin status. This lasts until they log out and have to log back in again out of sight of the DC.

For now we've told staff and faculty to avoid logging out or rebooting their laptops while they are off-campus, to avoid this issue. But sometimes it's unavoidable. Batteries die. Computers crash and reboot. Software installations or updates require a restart. Users accidentally log out.

I've contacted Apple and although they were willing to look into it (normally they won't help with anything requiring Terminal), the rep I talked with was unable to find a solution.

Anyone here have any good ideas?



I work for the Department of Redundancy Department
Re: network user accounts seen as local admins
Virtual1 #32790 01/30/15 02:04 PM
Joined: Aug 2009
If you want something done right I guess...

Code:
#!/bin/bash

vers=2015.01.28.A

# test all logged in users to see if they are members of an AD group that should grant them local admin rights
# add any to the local "admin" group that are not yet members


my_domain=MYCOMPANY   #  just the domain name itself, probably not MYCOMPANY.COM

debugging=$1
debugging2=$2


logfile="/var/log/${0##*/}.log"
# this script runs as root, so use a private, unpredictable temp file instead of a fixed name in /tmp,
# and make sure it is removed when the script exits
tempfile=$(mktemp "/tmp/${0##*/}.XXXXXX") || exit 1
trap 'rm -f "$tempfile"' EXIT


debug () {
if [ "$debugging" == "1" ] ; then
  echo "$1"
fi
}

debug2 () {
if [ "$debugging2" == "1" ] ; then
  echo "$1"
fi
}

log () {
local msg
msg="$(date "+%Y/%m/%d %H:%M:%S") $1"
debug "logfile = \"$logfile\""
touch "$logfile"
echo "$msg" >> "$logfile"
debug "$1"
}


if [ "$debugging" == "1" ] ; then
  clear
fi
debug
debug "${0##*/} version $vers"
debug
debug "tempfile = \"$tempfile\""
debug " logfile = \"$logfile\""

# fetch list of local admins
debug "finding current local admins:"
debug2 "CMD: dscl . -read /Groups/admin GroupMembership"
current_admins=$(dscl . -read /Groups/admin GroupMembership)  # "GroupMembership: root nfisher hawk test"
current_admins=${current_admins#*: }  # "root nfisher hawk test"
locals=0
for x in $current_admins ; do
  local[locals]="$x"  # "nfisher"
  debug "  found local admin \"${local[locals]}\""
  ((locals++))
done
debug "loaded $locals local admins"
debug

# fetch list of logged in users
debug "finding logged in users:"
debug2 "CMD: ps -ax -o \"user,comm\" | tr -s ' ' | sed 's/^ *//g' | grep loginwindow.app | grep -v console"
ps -ax -o "user,comm" | tr -s ' ' | sed 's/^ *//g' | grep loginwindow.app | grep -v console > "$tempfile"
# "nathanael.fisher /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" etc (possibly multiple lines)
loggedins=0
while read x ; do
  loggedin[loggedins]=${x%% *}  # "nathanael.fisher"
  debug "  found logged in user \"${loggedin[loggedins]}\""
  ((loggedins++))
done < "$tempfile"
rm "$tempfile"

debug "loaded $loggedins logged in users"
debug

# add to list of users allowed local admin status
add_one_group () {
group=$1
debug "reading AD group \"$group\":"
debug2 "dscl \"/Active Directory/${my_domain}/All Domains/\" -read \"/Groups/${group}\" member"
dscl "/Active Directory/${my_domain}/All Domains/" -read "/Groups/${group}" member > "$tempfile"
while read entry ; do  #  " CN=nathanael.fisher,OU=CIS Only,OU=HCC Users and Groups,DC=hawkeyecollege,DC=edu"
  case "$entry" in *CN=*) ;; *) continue ;; esac  # skip the "dsAttrTypeNative:member:" header line, which carries no CN= and is not a member
  entry=${entry#*=}  # "nathanael.fisher,OU=CIS Only,OU=HCC Users and Groups,DC=hawkeyecollege,DC=edu"
  entry=${entry%%,*}  # "nathanael.fisher"
  debug2 "  found group member $entry"
  member[members]=$entry
  belongs[members]="$group"
#  debug "loading AD group member \"${member[members]}\""
  ((members++))
done < "$tempfile"
debug "now have a total of $members loaded AD group members"
debug
}

# build list of users allowed local admin status
members=0
add_one_group "Faculty_Global"
add_one_group "Staff_global"
add_one_group "InfoTechnology"
add_one_group "Domain admins"

# build list of group members that are not local admins
shouldbes=0
for ((iloggedin=0;iloggedin<loggedins;iloggedin++)) ; do
  u=${loggedin[iloggedin]}
  debug "checking to see if \"$u\" is a member of any AD groups:"
  found=
  for ((imember=0;imember<members;imember++)) ; do
    if [ "$u" == "${member[imember]}" ] ; then
      debug "  user is a member of \"${belongs[imember]}\""
      found=1
    fi
  done
  if [ $found ] ; then
    debug "user is a member of at least one AD group and should be a local admin"
    shouldbe[shouldbes]="$u"
    ((shouldbes++))
  else
    debug "user is not a member of any AD group that grants local admin rights"
  fi
  debug
done

# build list of users that should be local admins but that are not
missings=0
for ((ishouldbe=0;ishouldbe<shouldbes;ishouldbe++)) ; do
  u=${shouldbe[ishouldbe]}
  debug "checking to see if \"$u\" is a member of the local admin group:"
  found=
  for ((ilocal=0;ilocal<locals;ilocal++)) ; do
    if [ "$u" == "${local[ilocal]}" ] ; then
      break
    fi
  done
  if [ $ilocal == $locals ] ; then
    debug "user is not a member of the local admin group and needs to be added"
    missing[missings]="$u"
    ((missings++))
  else
    debug "user is already a local admin"
  fi
  debug
done

# add missing users into local admin group
if [ $missings == 0 ] ; then
  debug "no logged in AD group members are missing from the local admin group"
else
  for ((imissing=0;imissing<missings;imissing++)) ; do
    u="${missing[imissing]}"
    log "adding \"$u\" to the local admin group"
    debug "CMD: dscl . append /Groups/admin GroupMembership \"$u\""
    dscl . append /Groups/admin GroupMembership "$u"
  done
  debug "$missings users were added to the local admin group"
fi




This needs to be set up to run as a launch daemon, every five minutes or so. It will look at the list of logged in users, and look them up in Active Directory to see if they are a member of any of the user groups that you want to be local admins on your computers. If a user should be a local admin and is not, they will be (permanently) added to the local admin group. Look for the calls to "add_one_group" above to adjust the group names to match what your organization uses. Talk with your domain admin to get a list of the correct group name(s).


launchctl can launch jobs every five minutes easily, but it's subject to drift over time, and I like my jobs to be punctual. It lacks cron's clean syntax for "launch at every x minutes after the hour". So I use this for my daemon plist. It expects the above script to be at "/var/root/promote.command". I will assume you know how to manipulate launchctl jobs if you're going to attempt to use this.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>edu.mycompany.promote</string>
	<key>Program</key>
	<string>/var/root/promote.command</string>
	<key>RunAtLoad</key>
	<true/>
	<key>StartCalendarInterval</key>
	<array>
		<dict>
			<key>Minute</key>
			<integer>0</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>5</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>10</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>15</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>20</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>25</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>30</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>35</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>40</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>45</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>50</integer>
		</dict>
		<dict>
			<key>Minute</key>
			<integer>55</integer>
		</dict>
	</array>
</dict>
</plist>


I work for the Department of Redundancy Department
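An added example of my own, not the poster's script: since the script above only ever adds users to the local admin group, this parses the same two `dscl -read` output shapes it depends on and reports local admins who are no longer covered by any allowed AD group, so stale grants can be spotted. The sample dscl output, user names and the exempt-account list are constructed assumptions, not captured from a real machine.

```shell
#!/bin/bash
# Added example, not the original poster's script. Parses the two "dscl -read"
# output shapes the promote script depends on and reports local admins who are
# not covered by any allowed AD group (the promote script only ever adds).

# Constructed sample of "dscl . -read /Groups/admin GroupMembership" output.
SAMPLE_LOCAL_ADMINS='GroupMembership: root nfisher hawk test'

# Constructed sample of the multi-value form of
# "dscl '/Active Directory/DOMAIN/All Domains/' -read /Groups/X member".
SAMPLE_AD_GROUP_MULTI='dsAttrTypeNative:member:
 CN=nfisher,OU=CIS Only,OU=HCC Users and Groups,DC=example,DC=edu
 CN=hawk,CN=Users,DC=example,DC=edu'

# Constructed sample of the single-value form (value on the header line).
SAMPLE_AD_GROUP_SINGLE='dsAttrTypeNative:member: CN=jdoe,OU=Staff,DC=example,DC=edu'

# Print one short name per member: the FIRST CN= value, so an account in the
# default CN=Users container is not misread as "Users"; the attribute header
# line has no CN= and yields nothing.
parse_ad_members() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*CN=\([^,]*\).*$/\1/p'
}

# Turn "GroupMembership: a b c" into one name per line.
parse_local_admins() {
    printf '%s\n' "${1#*: }" | tr ' ' '\n'
}

# $1: local admins (one per line), $2: allowed names (one per line),
# $3: space-separated local accounts that are never flagged (assumed list).
# Prints every local admin that is neither exempt nor allowed.
stale_admins() {
    local_list=$1; allowed=$2; exempt=$3
    for u in $local_list; do
        case " $exempt " in *" $u "*) continue ;; esac
        if ! printf '%s\n' "$allowed" | grep -qx -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Audit the constructed samples; root is exempt, "test" is the stale admin.
audit() {
    allowed="$(parse_ad_members "$SAMPLE_AD_GROUP_MULTI")
$(parse_ad_members "$SAMPLE_AD_GROUP_SINGLE")"
    stale_admins "$(parse_local_admins "$SAMPLE_LOCAL_ADMINS")" "$allowed" "root"
}

audit
```

On a real machine, feed the output of the two dscl commands into the parsers in place of the samples; the reporting is read-only and leaves group membership untouched.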
