10.6: Make a temporary Administrator account UNIX
Snow Leopard only hint

My department runs a large enterprise-level network of managed Macs in a rapidly growing school district. We use a software deployment solution to push out all district software and we use Workgroup Manager to effectively manage user environments. Like most enterprise-level networks, nearly all of our staff users are non-admin users with mobile accounts.

Rarely, there are times when our users need to be an admin user for a limited amount of time (to install print drivers for odd-ball home printers, join an unusual secure wireless network, run an obscure web conferencing app, etc.).

It's easy to make a mobile user an administrator through System Preferences, but it's not so easy to remember to remove the admin privileges. While you can set a calendar reminder, invariably the user is offline when your reminder pops up and then a day, or two, or a month or more passes and then it's forgotten.

There are solutions that use login hooks for managed users, but those require your users to actually login, logout, and then log back in. It also requires your server administrator to move users to an admin group and then back out. Recently, I worked up a solution using the Unix at command. It is surprisingly simple and can be sent directly to a computer using Apple Remote Desktop, or through ssh.

Simply edit the following to meet your needs and send the commands through ARD as root:

# Replace shortname below with the shortname of the user you want to make an admin
/usr/sbin/dseditgroup -o edit -a shortname -t user admin

# This line enables the atrun utility so that OS X runs Unix commands queued by the at command
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist

# Replace shortname below with the shortname of the user you want to
# remove admin privs from in 1 day
echo "/usr/sbin/dseditgroup -o edit -d shortname -t user admin" | at now + 1 day

If the computer is put to sleep, shut down, or restarted during the scheduled time, the command will run the next time the system is active.

Please note that you can look at the man page for at and see the flexible formats for customizing the command to run at whatever time you feel is reasonable. Another thing to consider is modifying the commands above to schedule the enabling of administrator privileges as well. By doing so, you could, for example, allow someone to be an administrator for a very limited window of time.

[crarko adds: I haven't tested this one.]

10.6: Make a temporary Administrator account | 11 comments
10.6: Make a temporary Administrator account
Authored by: ehemmete on Mar 31, '11 12:23:50PM

Nice use of at!
Just to be sure people are aware... if you do this for a user, and they know what they are doing, they can remove the demotion back to a standard user. Any admin can get root access to the computer and therefore they can unload the launchd item.
10.6: Make a temporary Administrator account
Authored by: macsadmn on Mar 31, '11 07:55:45PM

Thanks for the compliment on the use of the at command. As a side note, we usually don't tell users that they're being set up as an admin. We just tell them to type their username and password when prompted. Some of them know what's going on, but many do not. Most users aren't out to do bad things; they just want things to work :-)
10.6: Make a temporary Administrator account
Authored by: afingal on Mar 31, '11 01:09:48PM

This seems a little dangerous. You have users who you made non-admins for a reason. It sounds ripe for these people to come up with excuses why they need admin access and then do whatever they want. What stops them from creating a local admin account for themselves while they have the chance?
10.6: Make a temporary Administrator account
Authored by: ccase on Mar 31, '11 01:52:12PM

Or just deleting the at command.
10.6: Make a temporary Administrator account
Authored by: macsadmn on Mar 31, '11 07:18:53PM

I agree with both of you. You are absolutely correct; this can be dangerous. But that very point is precisely why I make every attempt to find solutions that do not involve giving a user admin rights before resorting to something like this. Once a user is an admin, there's no stopping them from whatever they want to do. With that said, there's the ideal world where no regular user ever needs administrative privileges - and then there is reality. Honestly, I am very hard-nosed about giving anyone admin rights, but there are times that it is unavoidable without going and physically sitting beside a user and typing in the admin password. If anyone looks at this solution as something they should use often, then they likely need to reevaluate why they even bother with non-admin accounts.
10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 04:31:53PM

I also am a sysadmin for a large deployment of Macs for a school system. We have 6,000 MacBooks and 1,500 to 2,000 Mac desktops. I would never give a managed user admin rights, because it tosses all the security I have in place right out the window. If something needs to be pushed out, I do so over the network with client-based software; furthermore, if it is something the user needs to trigger, I accomplish this with self-service policies (Casper Suite), but the same thing could be accomplished with things like radmind, munki, and other free solutions that are client-based and run as admin under the hood. That is of course if you cannot afford to buy a license of Casper or Absolute. The good thing about the pay-for enterprise tools is that they just work, whereas the open source ones are more like roll-your-own.

I have been in bad situations like this before because of politics and have had to do things like temporary admin rights, but it never did as much good as it did bad with managing my clients at work.

I fail to see an actual example of why you need to give managed mobile users admin rights. If they need to be admin there should be a valid reason; installing printer drivers is not really a reason I would call valid. If a user takes their laptop off campus and uses it at home, and really needs admin rights for a valid reason, we would explore that. As far as drivers go, I package all the most up-to-date printer drivers in my image, and end users can execute software update via self service themselves.

-Tom
10.6: Make a temporary Administrator account
Authored by: chadvonnau on Mar 31, '11 07:04:12PM

I've had the opposite experience. I'm rather permissive with giving out local admin rights and have yet to be seriously burned. At the end of the day, being a sysadmin is all about having happy, productive users. I'd rather sacrifice security to have a better relationship.

I've only worked in places with 300 users or less, though. 9000 is a different ball game.
10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 07:28:34PM

If I didn't work in academia it would be a different game altogether. Adults get fired when they tamper with company equipment maliciously; students don't have much to lose other than some discipline like suspension. I'd love to give everyone admin rights, if I could be sure that it wouldn't blow up in my face. At one point in time we let non-IT staff control some computer labs, and passwords got compromised and students installed Quake 3 on every PC in the lab.

Don't get me wrong though, I totally 100% agree with you. I want my users to be happy and have the best experience, but unfortunately teenagers like to cause trouble and will do things like load video games on every computer they can.
10.6: Make a temporary Administrator account
Authored by: macsadmn on Mar 31, '11 07:47:49PM

As mentioned, we also use a software deployment solution. In my opinion, it's the only way to go when you have large deployments. We too push out the most popular printer drivers, but I was merely giving an example of where someone could use this solution. There is occasionally the odd all-in-one printer that comes with "special" software that we don't care to make a software set for.

More applicably, one example that happened to me recently involved one of our district administrators attending a demo/trial on a remote system. The demo required him to run a Juniper web VPN connection and then RDP to a "localhost". Each time the VPN connection was made, it required an admin password to modify something dealing with java. After the 3rd time of being interrupted from my work and running down the hall to type in my credentials, I figured it was time to work out a reasonable solution :-)

Another example I've seen deals with wireless. I've rarely seen this happen, but we do have a neighboring University that has an unusual wireless system that prompts our teachers for an admin password to install something in order to join. Since we allow our staff to use their computers for personal-professional use, this helps with that scenario.

As for students... we have never used this solution for a student account and I cannot see us ever doing that, not even in a 1-1 deployment. With that said, we all know that once a user has a computer in his/her possession and physical security is breached, then they can bypass all security with some easy-to-find tools and a little reading on the web :-)
10.6: Make a temporary Administrator account
Authored by: tom larkin on Mar 31, '11 07:57:15PM

Oh yeah, trust me, I have a system of catching hackers, because anytime you give a teenager all the time in the world, Google, and their laptop off campus, they will eventually find a way around your security. I have a script that checks for admin membership and, if so, flags the system for abuse. It is impossible to stop someone with physical access, but it is very possible to play detective and catch those who hack machines.

We actually give all our staff local admin accounts anyway. So they have admin rights to their machines; we just don't make their account an admin so they aren't always logged in as an admin. Some directors and stuff are just plain stand-alone machines, which aren't even imaged or bound to a server. We just load the Casper client on them so they can get software.

I just don't like the concept of temporary admin rights. I think either the user needs it, or they don't. That is all. Thanks for the tip.
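The hint's grant-and-schedule steps together with the admin-membership check tom larkin describes above, as an added shell example (not the hint's own commands or any Casper script): shortnames are validated before they are placed in the at job, and the admin group is compared against an allowlist so a user who deletes the queued demotion still gets flagged. Assumes the Snow Leopard tools the hint uses (dseditgroup, launchctl, at) plus dscl; the allowlist and the jdoe user are constructed.

```shell
#!/bin/sh
# Added example: temporary admin with scheduled removal, plus an audit of
# the admin group. Run as root on the managed Mac (e.g. via ARD or ssh).

# Constructed allowlist of accounts that are supposed to be admins.
ADMIN_ALLOWLIST="root localadmin"

# Accept only lowercase letters, digits, dot, underscore and hyphen, so a
# shortname can be safely embedded in the command handed to at(1).
valid_shortname() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# $1 is a line as printed by `dscl . -read /Groups/admin GroupMembership`,
# e.g. "GroupMembership: root localadmin jdoe". Prints members that are
# not on the allowlist (empty output means nothing unexpected).
unexpected_admins() {
  members=${1#GroupMembership:}
  out=""
  for m in $members; do
    case " $ADMIN_ALLOWLIST " in
      *" $m "*) ;;
      *) out="$out $m" ;;
    esac
  done
  echo "${out# }"
}

# grant_temp_admin jdoe now + 1 day
# Adds $1 to the admin group and queues its removal; the remaining
# arguments are the at(1) time specification, as in the hint.
grant_temp_admin() {
  user=$1; shift
  valid_shortname "$user" || { echo "bad shortname: $user" >&2; return 1; }
  /usr/sbin/dseditgroup -o edit -a "$user" -t user admin || return 1
  launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
  printf '/usr/sbin/dseditgroup -o edit -d %s -t user admin\n' "$user" | at "$@"
}

# Audit: exit non-zero and report if anyone outside the allowlist is admin.
audit_admins() {
  line=$(dscl . -read /Groups/admin GroupMembership)
  flagged=$(unexpected_admins "$line")
  [ -z "$flagged" ] || { echo "unexpected admin members: $flagged"; return 1; }
}
```

Run audit_admins from a periodic launchd job or your deployment tool's inventory so a leftover or self-granted admin shows up even if the at job was removed.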
10.6: Make a temporary Administrator account
Authored by: marook on Mar 31, '11 10:49:55PM

To solve your printer problem, add the Staff group to the 'lpadmin' group. Then normal users are allowed to add and remove printers, but nothing else.

We have a PKG that does so, which we normally add to DeployStudio workflows. ;-)

---
/Marook