Automatically assign admin rights in OS X based on Active Directory group membership

Thanks to Tedd Kidd for the following article, on automatically managing administrative privileges based on Active Directory groups!

This is a quick and easy way to add a user to the local admin group in OS X based on their group membership in your Active Directory. It should also work with Open Directory or eDirectory groups if your workstations are bound to those directory services. Put the code in the workstation login hook: the hook runs as root, and loginwindow passes the short name of the user who is logging in as the script's only argument, so the $@ variable (equivalently $1) holds that user name. Quote it, and quote the group name too, because "domain admins" contains a space.

#!/bin/bash

# Set group name to check against (quoted: the name contains a space)
groupname="domain admins"

# dsmemberutil prints "user is a member of the group" or "user is not a member of the group".
# "$@" is the short name of the user logging in, passed to the login hook by loginwindow.
if [ "$(/usr/bin/dsmemberutil checkmembership -U "$@" -G "$groupname")" = "user is a member of the group" ]; then
    # Add the user to the local admin group (merge is idempotent: no duplicate entries)
    /usr/bin/dscl . merge /Groups/admin GroupMembership "$@"
fi

This works in both Snow Leopard and Lion.

If you work for a school (like me) the groupname variable could be changed to staff or teachers, which would allow any staff member or teacher to have admin rights if run on student workstations.
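The script above only ever adds rights: a user who is later removed from the directory group keeps local admin on every machine they once logged in to. The following login hook is an added example (not the article's script) that also revokes admin when the directory says the user is no longer a member, leaves things alone when the directory cannot be reached, and never touches a short list of local management accounts. The group name and the exempt account names (ladmin, localadmin) are placeholders; it assumes the hook is invoked as root with the user's short name in $1, as loginwindow does.

```shell
#!/bin/bash
# Added example, not the article's own script: a login hook that keeps local
# admin rights in sync with a directory group instead of only ever adding.
# Assumptions: invoked by loginwindow as root with the user's short name in $1;
# the group name and the exempt account names below are placeholders.

groupname="domain admins"           # directory group that should carry local admin
exempt_admins="ladmin localadmin"   # local management accounts never to revoke (assumed names)

# Turn dsmemberutil's one-line answer into a single word: member, nonmember or unknown.
# "unknown" covers an unreachable directory or an unexpected message.
classify_membership() {
  case "$1" in
    "user is a member of the group")     echo member ;;
    "user is not a member of the group") echo nonmember ;;
    *)                                   echo unknown ;;
  esac
}

# Exit 0 if the user is on the exempt list ($exempt_admins is split on spaces on purpose).
is_exempt() {
  for name in $exempt_admins; do
    [ "$1" = "$name" ] && return 0
  done
  return 1
}

# Decide the action from membership (member/nonmember/unknown), current local admin
# state (yes/no) and exemption (yes/no). Prints grant, revoke or none.
# An unknown answer never changes anything, so a directory outage can neither strip
# nor hand out rights by accident.
decide_action() {
  case "$1:$2:$3" in
    member:no:*)      echo grant ;;
    nonmember:yes:no) echo revoke ;;
    *)                echo none ;;
  esac
}

# Live helpers; they only make sense on OS X with a bound directory.
query_membership() {             # $1 user, $2 group; every argument quoted
  /usr/bin/dsmemberutil checkmembership -U "$1" -G "$2" 2>/dev/null
}
local_admin_state() {            # prints yes/no for membership in the local admin group
  if /usr/bin/dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null \
       | grep -qx "user is a member of the group"; then
    echo yes
  else
    echo no
  fi
}

# Apply the policy for one user and print the action taken.
apply_policy() {
  user="$1"
  membership=$(classify_membership "$(query_membership "$user" "$groupname")")
  if is_exempt "$user"; then exempt=yes; else exempt=no; fi
  action=$(decide_action "$membership" "$(local_admin_state "$user")" "$exempt")
  case "$action" in
    grant)  /usr/bin/dscl . -merge  /Groups/admin GroupMembership "$user" ;;
    revoke) /usr/bin/dscl . -delete /Groups/admin GroupMembership "$user" ;;
  esac
  /usr/bin/logger -t loginhook "user=$user group=$groupname membership=$membership action=$action"
  echo "$action"
}

# Run the live path only when called with a username on a machine that has
# dsmemberutil, so the functions above can be sourced and tested without side effects.
if [ -n "${1:-}" ] && [ -x /usr/bin/dsmemberutil ]; then
  apply_policy "$1"
fi
```

Install it with `sudo defaults write com.apple.loginwindow LoginHook /path/to/script` (one hook per machine; chain scripts if you already have one). Keeping the decision in `decide_action` separate from the dsmemberutil and dscl calls is what makes the revoke path safe to reason about: the only way a user loses admin is a definite "not a member" answer from the directory, and the exempt list guarantees the local management account can still log in if the bind ever breaks.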

  • Michael Natale

    This looks very cool. Stupid question. You say:

    “You’ll need to include this code in the workstation login script so that it runs as root but uses the $@ variable to determine the user that is logging in.”

    So the ‘workstation’ (Mac) will run a login script stored/created in Active Directory just like a Windows machine if it's bound to the domain?

    How do you make it run as root?

    THANKS!!

  • Jim

    I am running into a problem when I use the variable $@ in the script at login. It errors out and says user -G isn't found, meaning that there was nothing stored in that variable. The script runs successfully, though, if I replace $@ with my user account name. So I am wondering if I am setting the login hook wrong.

  • Jim

    I fixed my problem; it was picky on the if statement. I added quotes around $@ and it started to work.

    "`/usr/bin/dsmemberutil checkmembership -U "$@" -G "$groupname"`"