Jul 18 2012

Sometimes you might want to provide local admin permissions to an Active Directory user.

This can be achieved in several ways:

Automatically obtain the settings from the AD using the Directory Utility

Add an AD group to the local admin group (as described here)

sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin

Add the domain user to the local admin group

sudo dseditgroup -o edit -a usernametoadd -t user admin
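An idempotent form of the last option, as an added example that is not from the original post: it checks membership with `dseditgroup -o checkmember` before editing, verifies the result afterwards, and includes the matching removal (`-d`) for when the elevated access is no longer needed. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent grant/revoke of local admin membership on macOS.
# valid_account, is_local_admin, ensure_local_admin and revoke_local_admin
# are hypothetical helper names, not part of any tool.

ADMIN_GROUP="admin"

# Reject empty names and names starting with "-" so a value can never be
# parsed by dseditgroup as an option.
valid_account() {
    case "$1" in
        ""|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# dseditgroup -o checkmember exits 0 when the account is a member.
is_local_admin() {
    dseditgroup -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# Add the account only if needed, then verify the change took effect.
ensure_local_admin() {
    valid_account "$1" || { echo "invalid account name" >&2; return 2; }
    if is_local_admin "$1"; then
        echo "unchanged: $1 is already in $ADMIN_GROUP"
        return 0
    fi
    sudo dseditgroup -o edit -a "$1" -t user "$ADMIN_GROUP" || return 1
    is_local_admin "$1" || { echo "verification failed for $1" >&2; return 1; }
    echo "granted: $1 added to $ADMIN_GROUP"
}

# Remove the membership again when the elevated access is no longer needed.
revoke_local_admin() {
    valid_account "$1" || { echo "invalid account name" >&2; return 2; }
    is_local_admin "$1" || { echo "unchanged: $1 is not in $ADMIN_GROUP"; return 0; }
    sudo dseditgroup -o edit -d "$1" -t user "$ADMIN_GROUP" || return 1
    ! is_local_admin "$1" || { echo "verification failed for $1" >&2; return 1; }
    echo "revoked: $1 removed from $ADMIN_GROUP"
}
```

Call it as `ensure_local_admin usernametoadd`; running it a second time reports `unchanged` and makes no edit.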

More information can be found at the “Managing OS X” blog.

PS: Maybe you are also interested in how to change the ID of a user the right way.

  2 Responses to “OS X: Add local admin rights to an (Active) Directory user”

  1. Good post. I've been searching around and I guess there is no way to do this automatically by adding the Mac device in AD to a security group, like you would do on a Windows device when you want to add a domain group to a local group.

    Love to hear from you.


    • Hi Dat,

      I think the easiest way would be to add a small script to your master deployment image that runs on each startup and that adds all AD or LDAP users of a given group (like Local Mac Admins) with a special flag (like the MAC of en0) to the local admin group.

      I don’t think there is any automatic way to do that; however, you may take a look at Casper.
