Active Directory, Mac OS X, Mac OS X Server

Automatically assign admin rights in OS X based on Active Directory group membership

Thanks to Tedd Kidd for the following article, on automatically managing administrative privileges based on Active Directory groups!

This is a quick and easy way to add a user to the local admin group in OS X based on their group membership in your Active Directory. It should also work with Open Directory or eDirectory groups if your workstations are bound to those directory services, because dsmemberutil resolves group membership through whatever directory nodes the machine is bound to. Put this code in the workstation login hook so that it runs as root; the login hook passes the short name of the user who is logging in as the first argument ($1), and that is the name the script checks. Note that the group name contains a space, so it has to be quoted wherever it is used or dsmemberutil will see "domain" as the group and "admins" as a stray argument.

#!/bin/bash

# Name of the directory group whose members get local admin rights.
# Keep it quoted when used: "domain admins" contains a space.
groupname="domain admins"

# The login hook passes the short name of the user logging in as $1.
user="$1"

# dsmemberutil prints either "user is a member of the group" or
# "user is not a member of the group"; only the first string grants admin.
if [ "$(/usr/bin/dsmemberutil checkmembership -U "$user" -G "$groupname")" = "user is a member of the group" ]; then
    /usr/bin/dscl . -merge /Groups/admin GroupMembership "$user"
fi

This works in both Snow Leopard and Lion. One caveat: the script only ever adds. If a user is later removed from the directory group, their entry in /Groups/admin stays until something removes it, so if group membership is meant to be the source of truth you also need a revoke path (or a periodic reconciliation) rather than a grant-only hook.
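The following is an added example, not the script from the article above: a login-hook version that reconciles local admin rights in both directions, granting when the user is in the directory group and revoking when they are not, while leaving a fixed list of local administrator accounts alone. The group name "mac admins", the protected account "localadmin", and the environment-variable overrides for the tool paths are assumptions made for the example; the dsmemberutil and dscl invocations are the same ones the article uses, plus dscl -read and -delete.

```bash
#!/bin/bash
# Added example: reconcile local admin membership with a directory group.
# Assumed to run as root from the login hook, which passes the login name as $1.
set -u

# Tool paths, overridable with environment variables (assumption for this
# example) so the logic can be exercised with stand-in commands.
DSMEMBERUTIL="${DSMEMBERUTIL:-/usr/bin/dsmemberutil}"
DSCL="${DSCL:-/usr/bin/dscl}"

# Directory group whose members should be local admins. "mac admins" is an
# assumed name; pick one that does not collide with a built-in local group
# such as "staff" or "admin".
ADMIN_GROUP="${ADMIN_GROUP:-mac admins}"

# Local accounts that keep admin rights regardless of directory membership,
# so the revoke path can never lock you out. "localadmin" is assumed.
PROTECTED_ADMINS="root localadmin"

# Returns 0 if user $1 is a member of group $2 as seen by the directory.
# dsmemberutil prints "user is a member of the group" on a match.
is_member() {
    local out
    out="$("$DSMEMBERUTIL" checkmembership -U "$1" -G "$2" 2>/dev/null)" || return 1
    [ "$out" = "user is a member of the group" ]
}

# Returns 0 if $1 is currently listed in the local admin group's GroupMembership.
# dscl -read prints one line: "GroupMembership: root alice bob".
is_local_admin() {
    "$DSCL" . -read /Groups/admin GroupMembership 2>/dev/null | tr ' ' '\n' | grep -qx -- "$1"
}

# Returns 0 if $1 is one of the protected local administrators.
is_protected() {
    local u
    for u in $PROTECTED_ADMINS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Reconcile one user's local admin status with the directory group.
# Sets LAST_ACTION to grant, revoke, keep or none and prints it with the user.
sync_admin() {
    local user="$1"
    LAST_ACTION=none
    if is_member "$user" "$ADMIN_GROUP"; then
        if is_local_admin "$user"; then
            LAST_ACTION=keep
        else
            "$DSCL" . -merge /Groups/admin GroupMembership "$user" || return 1
            LAST_ACTION=grant
        fi
    elif is_protected "$user"; then
        LAST_ACTION=keep
    elif is_local_admin "$user"; then
        "$DSCL" . -delete /Groups/admin GroupMembership "$user" || return 1
        LAST_ACTION=revoke
    fi
    echo "$LAST_ACTION $user"
}

# Only act when invoked as a login hook on a machine that has the directory tools.
if [ -x /usr/bin/dsmemberutil ] && [ "$#" -ge 1 ]; then
    sync_admin "$1"
fi
```

Because the revoke branch only fires for accounts that are not in PROTECTED_ADMINS, a lost directory binding (dsmemberutil failing and is_member returning non-zero) can strip admin from directory users who log in, but never from the local break-glass accounts; test that path before deploying the hook fleet-wide.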

If you work for a school (like me) the groupname variable could be changed to a staff or teachers group, which would give any staff member or teacher admin rights when the script runs on student workstations. Be careful with the name you choose: "staff" is also a built-in local group on OS X that every standard local account belongs to, so checking an unqualified "staff" can match far more users than the directory group you intended. Use a group name that exists only in the directory, and confirm with dsmemberutil on a non-staff account that it reports "user is not a member of the group" before rolling the hook out.