10.6: Make a temporary Administrator account

Mar 31, '11 11:46:00AM

Contributed by: macsadmn

Snow Leopard only hint

My department runs a large enterprise-level network of managed Macs in a rapidly growing school district. We use a software deployment solution to push out all district software, and we use Workgroup Manager to effectively manage user environments. Like most enterprise-level networks, nearly all of our staff users are non-admin users with mobile accounts.

On rare occasions, our users need to be an admin user for a limited amount of time (to install print drivers for odd-ball home printers, join an unusual secure wireless network, run an obscure web conferencing app, etc.).

It's easy to make a mobile user an administrator through System Preferences, but it's not so easy to remember to remove the admin privileges. While you can set a calendar reminder, invariably the user is offline when your reminder pops up and then a day, or two, or a month or more passes and then it's forgotten.

There are solutions that use login hooks for managed users, but those require your users to actually log in, log out, and then log back in. They also require your server administrator to move users to an admin group and then back out. Recently, I worked up a solution using the Unix at command. It is surprisingly simple and can be sent directly to a computer using Apple Remote Desktop, or through ssh.

Simply edit the following to meet your needs and send the commands through ARD as root:

# Replace shortname below with the shortname of the user you want to make an admin
/usr/sbin/dseditgroup -o edit -a shortname -t user admin

# This line enables the atrun utility to make OS X run Unix commands queued by the at command
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist

# Replace shortname below with the shortname of the user you want to
# remove admin privs from in 1 day
echo "/usr/sbin/dseditgroup -o edit -d shortname -t user admin" | at now + 1 day

If the computer is put to sleep, shut down, or restarted during the scheduled time, the command will run the next time the system is active.

Please note that the man page for at describes the flexible time formats it accepts, so you can schedule the command to run at whatever time you feel is reasonable. Another thing to consider is modifying the commands above to schedule the enabling of administrator privileges as well. By doing so, you could, for example, allow someone to be an administrator for a very limited window of time.

[crarko adds: I haven't tested this one.]
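
The hint's commands packaged as one script, so that the removal is queued before the grant and the short name is checked before it is embedded in a job that at runs as root. This is an added example, not part of the original hint; the function names, the DRY_RUN switch and the sample user jsmith are assumptions.

```shell
#!/bin/sh
# Added example: temporary admin with the removal queued before the grant.
# Function names, DRY_RUN and the user "jsmith" are assumptions for this sketch.

# Allow only plain short names: the value ends up in a job that at runs as root.
valid_shortname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Allow only a positive whole number with no leading zero.
valid_count() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The command the queued job runs to take the user back out of the admin group.
revoke_cmd() {
    printf '/usr/sbin/dseditgroup -o edit -d %s -t user admin\n' "$1"
}

# usage: temp_admin shortname count unit   (e.g. temp_admin jsmith 1 day)
temp_admin() {
    user=$1 count=$2 unit=$3
    valid_shortname "$user" || { echo "bad shortname" >&2; return 2; }
    valid_count "$count" || { echo "bad count" >&2; return 2; }
    case "$unit" in
        minute|minutes|hour|hours|day|days) ;;
        *) echo "bad unit" >&2; return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "at now + $count $unit: $(revoke_cmd "$user")"
        return 0
    fi
    launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist || return 1
    # Queue the removal first: if at fails, the user is never made an admin.
    revoke_cmd "$user" | at now + "$count" "$unit" || return 1
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin
}

# Runs only when arguments are supplied, as root: sh temp_admin.sh jsmith 1 day
if [ $# -gt 0 ]; then temp_admin "$@"; fi
```

Setting DRY_RUN=1 prints the job that would be queued without changing group membership, which is useful for checking the at time expression before sending the script through ARD.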

Mac OS X Hints
http://hints.macworld.com/article.php?story=20110330114605936