Tiny Deathstars of Foulness

If you deploy a large number of computers to users who are somewhat likely to play practical jokes on each other, you will run into some interesting issues. If you are deploying one computer to every user and you want each user to be an administrator of their own computer, you might be tempted to allow all users to be administrators of all computers. If you do, prepare for an infinite number of sometimes amusing practical jokes. But really, being proactive about this brings up an interesting point: how do you deploy a computer and make only the user you want an administrator of it?

In a large deployment of Mac OS X, you are likely to have a map somewhere of which user has each computer. You may even go so far as to give each computer the same name as the user associated with it. If you do this, then you have a pretty straightforward task ahead of you. Basically, you’ll make the user you are handing the computer to an administrator by adding them to the admin group. To do so, you can check the “Allow user to administer this computer” box, as you can see in the following figure. If you have a sizable deployment, you’ll want to automate this task rather than log in as each user and set the setting. You can automate the task using the dscl command along with the append verb. For example, to place the user cedge into the admin group:
sudo dscl . append /Groups/admin GroupMembership cedge
That works as a one-off operation but not in bulk. If your computer name is the same as the user who will be using the system, you can use the scutil command to “--get” the ComputerName:
scutil --get ComputerName
NOTE: The --get option is written with two hyphens rather than one; WordPress tends to merge them into a single dash for some reason.
You can then use the output as the value to add to the GroupMembership for admin:
sudo dscl . append /Groups/admin GroupMembership `scutil --get ComputerName`
Pop that into a post-flight package and you’ve got yourself a solution where the primary user of a system becomes the admin of the local box and subsequent users get standard accounts.

If your ComputerName doesn’t match your user name, then all is not lost. One way to determine which admin user you’d like for each host is to populate something on the client with that information. Another is to put it in a CSV and read the line of the CSV that is associated with the computer. If you populate something on the client, it could be the Text1 field from Apple Remote Desktop. This can be done using the Remote Management option in the Sharing System Preference, clicking on Computer Settings and then typing the data into the Info 1: field. To insert the information at image time (or at least programmatically), you could use defaults to write it into, located in /Library/Preferences:
defaults write /Library/Preferences/ Text1 "cedge"
To then read that variable:
defaults read /Library/Preferences/ Text1
The command to set the admin user based on the Text1 field would then be:
sudo dscl . append /Groups/admin GroupMembership `defaults read /Library/Preferences/ Text1`
There are probably about as many other ways to go about this as there are Mac OS X mass deployments. For example, instead of inserting data into Text1 from a defaults command, you could use kickstart with the -computerinfo option to write data into -set1 -1 or something like that (which is likely safer than defaults, albeit more difficult if you decide to do it to your non-booted volume). But hopefully these options, somewhere down the road, will help someone (after all, that’s why we post this kind of thing, right?!?!).
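
The CSV route mentioned above, sketched as an added example (not code from the original post): look up this Mac's intended admin by ComputerName, validate the name, confirm the account exists, and add it with dscl's merge verb so reruns create no duplicates. The file name admin_map.csv, its two-column layout, and the DRY_RUN and --run switches are assumptions.

```sh
#!/bin/sh
# Added example. Constructed CSV layout (header row, then one row per Mac):
#   computer,admin
#   lab-07,jdoe
# MAP_CSV, DRY_RUN and --run are assumptions made for this sketch.
LC_ALL=C; export LC_ALL
MAP_CSV="${MAP_CSV:-$(dirname "$0")/admin_map.csv}"

# Print the user mapped to computer $1 in CSV file $2.
# Fails unless exactly one row matches; tolerates CRLF line endings.
# Assumes computer names contain no commas or quotes.
lookup_admin() {
    host="$1" awk -F, '
        { sub(/\r$/, "") }
        NR > 1 && $1 == ENVIRON["host"] { user = $2; n++ }
        END { if (n == 1) print user; exit (n == 1 ? 0 : 1) }
    ' "$2"
}

# Accept only plain short names: the value ends up in a privilege grant,
# so reject empty strings, option-like names, and shell or path characters.
# Refusing "root" is a policy choice of this sketch.
valid_shortname() {
    case "$1" in
        ""|root|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

grant_admin() {
    valid_shortname "$1" || { echo "refusing name: $1" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dscl . merge /Groups/admin GroupMembership $1"
        return 0
    fi
    # Only promote an account that already exists locally, so a name added
    # ahead of time cannot be claimed by whoever creates that account later.
    dscl . read "/Users/$1" >/dev/null 2>&1 ||
        { echo "no such user: $1" >&2; return 3; }
    # merge (unlike append) adds no duplicate entry when the script is rerun.
    dscl . merge /Groups/admin GroupMembership "$1"
}

# Run as root (for example from a post-flight script) with --run.
if [ "${1:-}" = "--run" ]; then
    name=$(scutil --get ComputerName) &&
        user=$(lookup_admin "$name" "$MAP_CSV") &&
        grant_admin "$user"
fi
```

Running it first with DRY_RUN=1 prints the dscl command that would be executed without touching the admin group.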

July 27th, 2010

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


  • Bruce Brown

    Re: The first figure in this article:

    The first figure in the article on this web page appears to be the wrong figure–the figure shows the guest account selected. The figure doesn’t show the Allow user to administer this computer checkbox anywhere. It should show a (non-guest account) user with the Allow user to administer this computer checkbox both visible and checked-off.

    Also, the figure seems to be too small; text in the graphic is too blurry. I suggest making the replacement figure at least 50% bigger so that the text won’t blur so much when it’s converted to a graphic.

    • Corrected the issues in the figure. Replaced it, made it bigger, but that made the text more blurry I think. If you click on any of the figures on my site then they will open full resolution as uploaded. I’ll try and grab a better image handling plug-in for WordPress next time I have time to do updates to the site. Thanks a ton for pointing this out. And as for the em-dash issue, I’ll try and figure out a better way to insert code. I just noticed that a few days ago when someone commented that I needed to use two instead of one…

  • Bruce Brown

    Re: WordPress merging two hyphens:

    It’s common to type two hyphens in a plain-text file as a substitute for an em-dash character (which doesn’t exist in plain-text ASCII in any sort of standard way). Some word processors (e.g., Microsoft Word) will, on the fly, translate two consecutive hyphens to a single em-dash character, as you type in the hyphens. I’m no WordPress expert, but I’ll bet that that’s what is happening to you. Note that, in the command line immediately below the bolded note, the two hyphens got replaced with an em-dash, not with a single hyphen character, as WordPress did in other command lines on this page.

    Now you just need to determine how to override this WordPress behavior; I’ll bet there’s a way to do that. In Unix, it’d be easy–you’d just quote each hyphen by preceding it with a backslash character, or you’d enclose the two hyphens inside a pair of single quotes, or something similar. I’d guess there’s a way to turn off this behavior in WordPress, or to override it, but I don’t know for sure how to do this. Have you, for example, tested to see what happens to a Unix command line with THREE consecutive hyphens in it, after it’s been posted to a WordPress blog?

    It’s also possible that two consecutive hyphens in WordPress signals that the following text is some sort of command, such as a formatting command, or something. But, I’d bet the hyphens-to-em-dash theory is the more likely explanation.

    In a similar vein, folks entering English prose text into a plain-text file sometimes use a lowercase letter “o” as a substitute for a bullet character. The bullet character also doesn’t exist in plain-text ASCII in any sort of standard way. Microsoft Word (and probably other programs) will translate the string consisting of o at the BEGINNING of a new text line into a bullet character with some sort of standard whitespace characters surrounding the bullet.

    These conventions serve both as typing shorthands for speed and convenience when keyboarding, and as a way to translate pre-typed plain-text ASCII files into word processing files, since word processing files allow characters that are used in typeset documents, such as bullets and em-dashes, whereas plain-text “flat” ASCII files do not.

  • Ted Kidd

    Hi Charles,
    If you use the merge command instead of append, it will accomplish the same thing and not add duplicates to the group membership (if the command is accidentally or intentionally run more than once against a user). You can run it in a login script this way too.