The /etc/authorization file in Mac OS X can be used to control access to the various panes of the System Preferences amongst other things. It's used by some of us Mac Sys Admin's to give Standard Users access to System Prefs panes that only admins could otherwise unlock. It can also be used in the reverse to lock down panes you don't want users messing with. An example by Apple was about allowing non-admin users to change the time zone setting. Often the panes can't be controlled to the exact level you may want via MCX (Local or Managed) or defaults write/plists. Nor do you want to give users admin rights in a large business/university setting.
With 10.6 and now 10.7 the following Preference Panes are locked by default. Meaning you need an admin username and password to unlock them: Security & Privacy, Print & Scan, Network, Sharing, Users & Groups, Parental Controls, Date & Time, Software Update, Time Machine and Startup Disk. As a 'Standard User' you can't unlock these panes.
In 10.6 we could do the following to the /etc/authorization file, to give a standard user semi-admin access to the Preference Panes.
<key>system.preferences</key> <dict> <key>allow-root</key> <true/> <key>class</key> <string>user</string> <key>comment</key> <string>Checked by the Admin framework when making changes to certain System Preferences.</string> <key>group</key> <string>everyone</string> * Changing this from 'admin', to another local group. i.e. staff, everyone, or a custom group you created yourself. <key>shared</key> <true/> </dict>
<string>__APPNAME__ 正在嘗試解鎖"安全性與隱私"偏好設定。</string> </dict> <key>group</key> <string>admin</string> ** Change admin to another local group that your user is in. i.e. staff, everyone etc... <key>shared</key> <false/>
To unlock the Systems Preferences in General so all changes below will actually work you first need to edit this top level key, system.preferences, and adjust it as above changing it to a local group, i.e. staff. Save and reboot.
I certainly don't recommend unlocking all the Prefs panes, as it may give users more access than you want or have unintended side effects. But I will document them all in case needed.
To Unlock the Security & Privacy Pane, search for the following key: system.preferences.security and adjust it as above, then save and reboot. This alone will unlock the pane, but you still won't be able to get into it. Try logging in as a Standard user and unlocking it, it will work the first time but you'll be prompted again at which point it won't accept your password. This is because it's actually trying to unlock the FileVault tab, if you cancel out of the second credential prompt and go back in you'll get this slightly different prompt second time round.
First time round it was 'is trying to unlock Sharing preferences', second time its 'modify an encrypted disk.' So go back to the etc/authorization file and search for this key: com.apple.DiskManagement.reserveKEK.
<dict> <key>en</key> <string>__APPNAME__ is trying to modify an encrypted disk.</string> </dict> <key>group</key> <string>admin</string> *Change this to another local group: staff, everyone <key>shared</key>
</dict> <key>rule</key> <string>root-or-admin-or-authenticate-admin</string> *Change it to authenticate-session- owner-or-admin </dict>
Mac OS X Hints
http://hints.macworld.com/article.php?story=2011081907185974