Network Account as Local Admin

Hopefully an easy question: is there a way to specify a network account in WGM that will act as an administrator account on a local machine? Ideally I'd like to have a network account that I could log into that would give me administrator access to the machines on the network (that I've joined to that directory).

Unfortunately, I think the answer is no. There is a way of doing it, but it's a bit roundabout.
The account that you want to have local admin rights will have to be set up in WGM as a Mobile Account (in WGM select the relevant user, select Preferences, Mobility, Account creation/Creation tabs set to "Create mobile account......." = Always).
Sorry if I'm saying stuff you already know, but always best to start from the basics.
Mobile Accounts means the user account is copied from the server to the local machine and stored locally. It is then updated to and from the server at regular intervals. Once the account exists on the local machine, you can then go into System Preferences/Accounts, authenticate as the current local admin and select the "Allow user to administer this computer" check box.
The trouble is that you then have to do this for every computer you intend to manage, which is a bit of a pain.
So in summary, yes, it can be done, but probably considering the amount of work involved (depends to a certain extent on the number of machines you are administrating), it's almost easier to have a standard local account on each machine, which is the way I do it on my network.
You never know, there may be another way of doing it like you want, but I've never come across it or heard of it being done. If anyone out there knows any different, please feel free to enlighten us both, lol.

Similar Messages

  • How do I make a network account a local admin?

    I'm using Admitmac to get on a windows domain and every time I try to change the current logged in network account to be an admin the setting never stays, just reverts back to a network account. What do I need to do?

    In ADmitMac v3.2.2, there is a configuration setting to allow a user or group of users local administrator privileges.
    Please follow these steps:
    - Open Directory Access (/Applications/Utilities/) and unlock if necessary
    - Double-click ADmitMac
    - Double-click the domain name
    - Click the Admin tab
    - Check the "Map admin group to:" checkbox, and click "Browse..."
    - In the "Name" field, enter part of a group name or a domain user's account name, and click "Find"
    For example, "Domain Users", "Domain Admins", or "[email protected]"
    - From the given list, select the desired name and click "Add"
    - Click "Done", quit Directory Access, and Log Out
    To verify this setting:
    - Log in with a domain account
    - Open System Preferences and click the Accounts pane
    - The account listed under "My Account" will be the domain account
    - The item "Allow user to administer this computer" should be checked
    NOTE: In Mac OS X v10.3.x, this option is under the "Security" tab.

  • Network accounts with local home folders

    First of all, sorry for my bad English.
    I want to obtain network accounts with local home folders.
    I have found this post very interesting to solve my problem.
    http://discussions.apple.com/message.jspa?messageID=2140595#2140595
    Following these indications I have obtained it, but I don't see the Public folder of any home folder from the network.
    How can I solve this? Must I share the Public folders manually? How? I have tried with SharePoints 3.5.4 and I have not obtained it.
    Thanks
    iMac Intel Core Duo, Mac OS X (10.4.6)

    Hi
    Clients should be bound to Open Directory and be using the OD Master for their DNS. Launch WorkGroup Manager and authenticate to the LDAP node. If you have only a few Users you can do it at that Level if hundreds do it at Group Level. Select Preferences > Mobility. It's fairly obvious thereafter.
    After the home folder has been created you can make that account a local administrator if you wish.
    This assumes the Server has been configured as Advanced. Please don't take this advice if you've used anything else.
    Tony

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was set up prior to my arrival. Each client has its own unique local admin (each machine was set up by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machine configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity

  • Giving an OD Network User/Group local admin rights.

    Is there a way to manage workstation admin rights from the server?
    I ran into a problem with Lightroom that requires admin privileges to change the program preferences. We have a lot of graphic art students with roaming profiles, spread out across 5 labs, that need to make this change. I would like to be able to add a group or all network users to the local admin group, for a few days, so the students can make the changes.

    This works on 10.5, not sure about 10.6.
    As root on the client.
    Upgrading legacy group for local admin group - this is from 10.4 days, not sure if you still need to do it.
    dseditgroup -o edit -f n -t group -n /Local/Default admin
    Nest OD group in local admin group
    dseditgroup -o edit -a DirectoryAdminGroup -t group -n /Local/Default admin
    Gen
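    An added audit script (not from this thread or from Apple) for checking what the steps above, and the "Allow user to administer this computer" route from the top of the thread, leave behind on a client: it parses a `dscl . -read /Groups/admin` record, constructed here, and reports direct members and nested groups of the local admin group. The function names are my own.

```shell
#!/bin/bash
# Added audit example, not from the thread: read a `dscl . -read /Groups/admin`
# record and report who holds local admin rights on the client, directly
# (GroupMembership) or through nested groups (NestedGroups). Nesting an OD
# group with dseditgroup, or ticking "Allow user to administer this computer"
# for a mobile account, both end up in this record.
# dscl prints single-valued attributes as "Key: value" and multi-valued ones
# space-separated on one line (values containing spaces go on indented lines,
# which the GUIDs and short names used here never contain).

# Constructed record; on a real client pipe in the live one:
#   dscl . -read /Groups/admin | audit_admin_group
SAMPLE_ADMIN_RECORD='AppleMetaNodeLocation: /Local/Default
GeneratedUID: ABCDEFAB-CDEF-ABCD-CDEF-ABCDEFABCDEF
GroupMembers: 11111111-2222-3333-4444-555555555555
GroupMembership: root localadmin
NestedGroups: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
Password: *
PrimaryGroupID: 80
RecordName: admin BUILTIN\Administrators
RealName: Administrators
SMBSID: S-1-5-32-544'

# admin_direct_members [RECORDFILE]: one direct member short name per line
# (reads stdin when no file is given).
admin_direct_members() {
    awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }' "$@"
}

# admin_nested_groups [RECORDFILE]: one nested group GUID per line.
admin_nested_groups() {
    awk '$1 == "NestedGroups:" { for (i = 2; i <= NF; i++) print $i }' "$@"
}

# is_direct_admin NAME [RECORDFILE]: exit 0 if NAME is listed directly.
# Membership inherited through a nested directory group is not visible in
# this record; on the client, `dseditgroup -o checkmember -m NAME admin`
# resolves both direct and nested membership.
is_direct_admin() {
    local name="$1"; shift
    admin_direct_members "$@" | grep -qx -- "$name"
}

# audit_admin_group [RECORDFILE]: print a short report; exit 1 when any
# nested group is present, so a fleet-wide loop can flag those clients.
audit_admin_group() {
    local rec direct nested
    rec="$(cat "$@")"
    direct="$(printf '%s\n' "$rec" | admin_direct_members | xargs)"
    nested="$(printf '%s\n' "$rec" | admin_nested_groups)"
    echo "direct local admins: $direct"
    if [ -z "$nested" ]; then
        echo "nested groups: none"
        return 0
    fi
    echo "nested groups (every member of these is a local admin):"
    printf '%s\n' "$nested" | sed 's/^/  /'
    return 1
}

# Demo on the constructed record (its exit status is deliberately ignored).
printf '%s\n' "$SAMPLE_ADMIN_RECORD" | audit_admin_group || true
```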

  • Add domain account in local admin in unattended

    I can use the following in unattended.xml to join user1 into domain1. Is there a way to be able to add user1 into local admin group in unattended.xml?
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Identification>
                <Credentials>
                    <Domain>domain1.com</Domain>
                    <Password>user1password</Password>
                    <Username>user1</Username>
                </Credentials>
                <JoinDomain>domain1.com</JoinDomain>
                <MachineObjectOU>OU=Users,DC=domain1,DC=com</MachineObjectOU>
                <UnsecureJoin>false</UnsecureJoin>
            </Identification>
        </component>

    Yes you can, check this:
    http://technet.microsoft.com/en-us/library/cc749246(v=ws.10).aspx

  • How to move iMovie 11 project from network account to local HD ?

    Users have their home folders on the network.
    iMovie 11 doesn't seem to like (!?!) network drives so I'd like to reassign the default (project) location on the local HD while having network identity.
    Help.

    Copy the iMovie project file, xxxxxx.iMovieProject, to the other Mac and put it in the Movies folder. Open it with iMovie and use the Share ➙ Media Browser menu option to get it out of iMovie so iDVD can import it from its Media/Movies pane.
    Follow this workflow to help ensure the best quality video DVD:
    Once you have the project as you want it save it as a disk image via the  File ➙ Save as Disk Image  menu option.  This will separate the encoding process from the burn process. 
    To check the encoding mount the disk image and launch DVD Player and play it.  If it plays OK with DVD Player the encoding was good.
    Then burn to disk with Disk Utility or Toast at the slowest speed available (2x-4x) to assure the best burn quality.  Always use top quality media:  Verbatim, Maxell or Taiyo Yuden DVD-R are the most recommended in these forums.
    OT

  • Service accounts adding to Local admin group

    Hello Everyone,
    What are the risks with adding SharePoint service application service accounts to local admin group.
    I see in many Microsoft blogs not to use the farm account to create service applications and that it is better to use a dedicated service account, but I didn't see any articles on why we shouldn't add dedicated service accounts to the local admin group.
    I am facing a GPO issue and one of my friends suggested adding the service accounts to the local administrator group to fix this issue, but I am not sure what the risks behind it are.
    Please let me know if you are aware of the risks.
    Thanks S

    The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is compromised, there is the possibility that the entire server would be compromised.
    Clearly, this is not a good situation.
    Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
    If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
    If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Running Desktop software without local admin rights

    Is it possible to run Blackberry Desktop Software without the user having local admin rights? I have a number of users who have work BBs who need to use BDS, but I am in the process of correcting my predecessor's decision to give everyone local admin rights.

    Hello gheatley,
    Welcome to the Support Community!
    The BlackBerry® Desktop Software will need to be installed in a Windows® user account with local admin rights, but it can be used from within other user accounts with more limited permissions.
    Thanks.
    -FS

  • Migrate a Local User Account to a Network Account Shell Script

    http://support.apple.com/kb/HT5338?viewlocale=en_US&locale=en_US
    If you are looking for an easy way to migrate local users to network users without losing data, then try this script.
    Follow steps 1-10 in the support link above before running this script.
    1) Open /Applications/Utilities/Terminal.App
    2) Type vi myscriptname.sh
    3) type "i" to edit the document
    4) Copy and paste the following text in the terminal window
    #!/bin/bash
    # Copy a local home folder to the server, then set the local copy aside.
    set -e   # stop at the first failed step so a half-copied home is never renamed
    echo "Go to http://support.apple.com/kb/HT5338?viewlocale=en_US&locale=en_US"
    echo "Complete steps 1-10 before continuing"
    # note: USER shadows the shell's own login-name variable for the rest of the script
    read -r -p "Enter 'USER' and press enter: " USER
    read -r -p "Enter 'SERVER' and press enter: " SERVER
    # -E keeps extended attributes (macOS scp), -p preserves times and modes, -r recurses
    sudo scp -Epr "/Users/$USER" "root@$SERVER:/Users/"
    # keep the local copy until the network login has been verified (step 16)
    sudo mv -f "/Users/$USER" "/Users/$USER.old"
    # the remote copy is owned by root after scp; hand it back to the user
    ssh "root@$SERVER" chown -R "$USER:staff" "/Users/$USER"
    5) hit (ESC) then colon : and type wq! and hit return to save the document
    6) In Terminal type: chmod +x myscriptname.sh
    7) in Finder, Right Click or Control+Click myscriptname.sh and select open with
    8) Select "Show All Applications" and Navigate to /Applications/Utilities/terminal.App
    9) in Finder, Right Click or Control+Click myscriptname.sh and select get info / Open with and click "Change All" to open all .sh files in Terminal
    10) Double Click myscriptname.sh
    11) For USER enter the name of the network account
    12) For SERVER enter your server name (server.example.com)
    13) Enter the Admin Pass for the Local Machine, Then the Server, Then the server again
    14) The user folder will be renamed to user.old (bob.old)
    15) When you login as the network user account OS X Server Will copy your data to the local machine with Portable home directories
    16) Once you verify all the info is there you can delete the user.old folder from the /Users/ folder (bob.old)

    Replace sudo scp -Epr with sudo rsync -auvth if you do not want to waste space copying hardlinks.

  • Is there a way to merge/migrate my local home folder to a network account

    My family has a number of Macbooks and a couple of iMacs and we've been thinking we'd like centralized storage for our media collection and other files and I'd like an easier way to deal with these machines to keep them updated, etc.  Also we swap laptops and desktops depending on who needs to do what at a particular moment.  Is there a way to migrate an existing home folder on a macbook to an account on the server.  What I would like to be able to do is to be able to log into any computer in my home and have it look like "my" computer, with files, settings etc...  Since I am new to the server world I am confused by the terminology re: network accounts and mobile accounts.  Is there a good guide someone could recommend to get me started.  Thanks.

    Hi Yodalogger,
    I hope you have yourself sorted.  I've been through a lot of pain with Lion Server, it's very buggy at best.
    Your best bet is SolidWood's suggestion of network accounts if you are constantly on the same network.  I use this at home and it works very well.  For simplicity, you can use WorkGroup Manager for this as it's more intuitive!
    If, you need a mobile account, this is what I did.
    I migrated local macbook accounts to server machine (migration assistant).
    I renamed the /User home folders on macbook to _backup.  For safety.
    I deleted local accounts from macbook.  Keep your _backup home folders!  Also, you will need to have a local Admin account in place.  Make sure you do not delete it.
    On Server.  You will have local accounts created for all your migrated macbook accounts.  Just remove the accounts in system preferences but ensure you leave the /User home folders in place when prompted.
    On server. I created the new users (old macbook accounts) and groups in the server app.  This doesn't create or overwrite your existing home folders.  So go ahead and name them exactly the same as before and make sure the accounts match your home folder's names.
    On server, using profile manager, I set up mobility etc., for the device.  That is, you need to enroll your macbook with the server and configure services for it in profile manager.  You can add a placeholder for this in profile manager to configure stuff.
    A handy tip to alleviate all the automatic push settings pain and heartache is to set the general payload to manual.  You can then whip up the profile manager from your macbook to install the profiles manually.  (easily done).
    On Macbook, login with local admin account.
    On Macbook, go to system prefs and accounts, set up your open directory stuff in the login options.
    On Macbook, log out of admin.  Back at the login screen, you should see your admin account and 'Other.'  Give it a few minutes or so to figure this out.  It needs to contact the server etc. for info.
    Once you have 'Other' click on it and login with one of your new network accounts.  This will log you in as a network account - you should see all your usual settings that previously existed on your macbook when it was a local account.
    At this point, you whip up profile manager.  http://yourserver.local/profilemanager  Change yourserver to the name of your server.
    Login to profile manager with your admin account.  I do this as I will be downloading a few profiles that only admin has access to.
    So, you need to download a trust profile, your device profile, and a profile for remote management if you have set this up.  You may have seen various download buttons knocking around the interface.  In downloads double click these to install (if it doesn't do this automatically).
    Log out of everything.
    Log back in with one of your network accounts.  This time you should be prompted to create a mobile account.  Say yes and let it sync your home folders from server to macbook.
    Once each mobile account is created, you can then further define user/group settings in profile manager.  You download these by logging into http://yourserver.local/mydevices as the user and download the appropriate settings.
    I think that's it.  Sorry if it's not detailed enough - I'm presuming you know your way around a mac!  I have to say the process is straightforward but Lion Server is not.  I do not get consistent results with it and I'm still trying to tame it...
    By far the easiest option is network accounts.  Mobile accounts need more attention.
    I hope this helps (and anybody else!)
    Paul.

  • How to Reset Password of User while not connected to Domain using Local Admin Account

    How to Reset Password of User while not connected to the Domain using Local Admin Account
    (I have the use of a local admin account), and I want to help a user reset their password who has logged in the PC and had their credentials cached, but forgot this password. 
    In Local Admin Account :
    When I go to Control Panel, users, users, manager user ; I cannot see any users in this window except the local admin account, and, so I cannot reset a user password this way.
    When I go to lusrmgr.msc, then users ; the local admin account will display only. 
    If I go to command prompt and type "net user", this will not display any users who have logged in to the computer, and so I cannot use "net user" to reset a password.
    I don't want to use any disks, 3rd party programs, or create a VPN connection to the domain.  I just want to help a user who calls in and forgets their password.

    Hello Keith,
    I know this is an old thread but I'm trying to better understand how I could change the domain password while not on the network. What I'm getting from your post is that you:
    1. Create a local user account (not a domain user)
    2. Login with that local user account
    3. Connect to the VPN while logged in as a local user
    4. Log out of the local account and login with the domain credentials
    Now, my question is based on the assumption that the password created on the local account is the same password that one will use to login to the domain account? Also, is the local user account the same as the domain account?
    Thanking you in advance!

  • Make OD accounts Local Admin!!!

    Wondering if anyone might know how to do this if possible. Would like to take an OD network account and give that user admin privileges on a particular station. This is possible on the Windows side of the house, but I don't see a way to do it on the Mac side. The only thing I can see is to make an account an Open Directory administrator, which is not something I want to do.
    Thanks in Advance!!!

    Hi
    Launch WorkGroup Manager and create a new Computer List. Don't be tempted to use the default ones, call it something meaningful. Click the diaeresis button (the one with 3 dots) and search for the client you are interested in, it should show itself in the discovery window. If you have given the client a unique name in the Sharing Preferences Pane then that should display itself making it easier for you to pinpoint the client. You could also add the desired client's MAC address manually (which is actually a better way to do it). You can do this a number of ways but if you are sitting at the server and you know the client's IP address just ping it using terminal. Let it ping a few times and then stop the ping with control+c, then issue the arp -a command. The resulting return will show you the MAC address against the IP address.
    Once you have added the client to the computer list you can select Access and restrict or allow access by Group. You get two options: "All Groups can use the computer" and "Restrict to groups below". Add a group that is populated with users that you want to be able to use that client. If you create a local admin account with the same name and password as exists in the LDAP node that should tie it up even further.
    It's possible that this will work.
    Tony

  • Screen Sharing Broken for Network Account Admins Mac OS X Server

    Re: OS X 10.8.4, Server.app 2.2.1
    After replacing a failed Airport Extreme -- and the resulting changes in server IP address -- Screen Sharing is now broken for "Network" account administrators. "Local" administrators can screen share successfully.
    When logging in as a Local Admin, the System Log contains a single entry:
    Authentication: SUCCEEDED :: User Name: localadmin :: Viewer Address: 10.0.1.6 :: Type: DH
    When logging as a Network Admin, a similar line appears:
    Authentication: SUCCEEDED :: User Name: testnetwork :: Viewer Address: 10.0.1.6 :: Type: DH
    followed by screen-fulls of other log messages, eventually ending -- a minute or two later -- with:
    screensharingd[77693]: uid 1034 not found
    screensharingd[77693]: unable to get width and height of display.
    at which point the client sees an "Error: Network connection lost." alert. 1034 is the UID of "testnetwork", as seen in
    dscl /LDAPv3/127.0.0.1 -list /Users UniqueID
    So apparently, Network users are authenticated, but screensharingd cannot find the user.
    changeip -checkhostname returns "success". Just to be sure, I "Updated the Host Name" as suggested by the "Network Configuration Has Changed" alert in Server.app -- problem remains.
    How does one debug this? Are there more comprehensive debug logging options available for screensharingd or login window? Anyone else seen this problem?

    Linc: thanks for your inquiry.
    Here are more steps I've taken to solve this problem:
    1) From a Time Machine backup to a test partition, I restored the server from before the failure of the base station and found that the login problems were present then.
    2) On yet another test partition, I created from scratch a new OS X Server. Added a local administrator and a network administrator and discovered the same problem: network administrators cannot screen share, although in this case, they are simply unauthorized.
    Using dscl, things look OK: there is a /Local/Default/Groups/com.apple.access_screensharing that lists only the admin group, and the admin group contains networkAdmin.
    Furthermore, I can log in as the networkadmin from the login window, as "Other".
    Furthermore, I can ssh into the server using the networkadmin credential.
    I used odutil to boost the OpenDirectory log level. The logs are very verbose, but to my eyes, it looks like OD recognizes the networkUser, but screensharingd fails to authorize. See logs below.
    Can someone confirm that screen sharing from network admin accounts works at all? Is there a way to elevate screensharingd logging to find out more about why it rejects network admins?
    TIA
    /var/log/opendirectoryd.log
    4643.65273.65277, Module: search - ODQueryCreateWithNode request, NodeID: 3D4241C6-FAFF-4816-8F7C-B3E0ED6F56A6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): networkadmin, Requested Attributes: dsAttributesStandardAll, Max Results: 1
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: search - queuing request to connection - '/LDAPv3/127.0.0.1:ldap:406935A6-9ADB-413A-A82B-7F30F4E9E5A1'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RecordName' for ambiguous name query
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - adding 'dsAttrTypeStandard:RealName' for ambiguous name query
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=networkadmin)(cn=networkadmin)))', baseDN - 'cn=users,dc=testserver,dc=local'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - found result - 'uid=networkadmin,cn=users,dc=testserver,dc=local'
    4643.65273.65277, Node: /LDAPv3/127.0.0.1, Module: ldap - ODQueryCreateWithNode completed, delivered 1 result
    4643.65273, Node: /Search, Module: search - ODQueryCreateWithNode completed, delivered 1 result
    4643.65278 - Client: screensharingd, UID: 0, EUID: 0, GID: 0, EGID: 0
    4643.65278 - ODNodeRelease request, NodeID: 184CFA31-1EB8-4384-B9CA-D04A93736CB1
    4643.65278, Node: /Search - ODNodeRelease completed
    clearing all node authentication connections
    /var/log/system.log:
    screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH
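    An added triage script (not part of this thread) that applies the reasoning in the two posts above to system.log lines: it pairs each screensharingd authentication result with any later "uid N not found" message from the same daemon process and resolves that UID against a `dscl ... -list /Users UniqueID` style listing. The log lines and the listing are constructed from the ones quoted above, and the function names are my own.

```shell
#!/bin/bash
# Added triage example, not from the thread: correlate screensharingd
# authentication results in a system.log-style file with later "uid N not
# found" errors from the same screensharingd process, then resolve that UID
# against a "dscl /LDAPv3/127.0.0.1 -list /Users UniqueID" style listing.
# The symptom described in the thread is exactly this pair: directory
# authentication SUCCEEDED, after which the daemon could not resolve the
# network user's UID and dropped the session.

# Constructed sample log lines, modelled on the ones quoted in the thread.
# Real syslog lines carry a timestamp and host prefix; the patterns below
# are unanchored, so that prefix does not matter.
SAMPLE_LOG='screensharingd[77690]: Authentication: SUCCEEDED :: User Name: localadmin :: Viewer Address: 10.0.1.6 :: Type: DH
screensharingd[77693]: Authentication: SUCCEEDED :: User Name: testnetwork :: Viewer Address: 10.0.1.6 :: Type: DH
screensharingd[77693]: uid 1034 not found
screensharingd[77693]: unable to get width and height of display.
screensharingd[4665]: Authentication: FAILED :: User Name: networkadmin :: Viewer Address: 10.0.1.6 :: Type: DH'

# Constructed "dscl ... -list /Users UniqueID" output: record name, then UID.
SAMPLE_UIDS='localadmin 501
testnetwork 1034
networkadmin 1035'

# triage_screensharing [LOGFILE]   (reads stdin when no file is given)
# Emits one line per authentication attempt: "<pid> <user> <viewer> <status>"
# where status is OK, FAILED, or BROKEN-UID:<uid> when the same screensharingd
# pid later reported that it could not find the user's UID.
triage_screensharing() {
    awk '
    # Authentication lines: the fields are separated by " :: ".
    /screensharingd\[[0-9]+\]: Authentication: / {
        n++
        split($0, part, " :: ")
        match(part[1], /\[[0-9]+\]/)
        pid[n]    = substr(part[1], RSTART + 1, RLENGTH - 2)
        result[n] = part[1]; sub(/.*Authentication: /, "", result[n])
        user[n]   = part[2]; sub(/^User Name: /, "", user[n])
        viewer[n] = part[3]; sub(/^Viewer Address: /, "", viewer[n])
        next
    }
    # Later failure from the same daemon process: remember the missing UID.
    /screensharingd\[[0-9]+\]: uid [0-9]+ not found/ {
        match($0, /\[[0-9]+\]/)
        p = substr($0, RSTART + 1, RLENGTH - 2)
        match($0, /uid [0-9]+/)
        missing[p] = substr($0, RSTART + 4, RLENGTH - 4)
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            status = (result[i] == "SUCCEEDED") ? "OK" : result[i]
            if (result[i] == "SUCCEEDED" && (pid[i] in missing))
                status = "BROKEN-UID:" missing[pid[i]]
            print pid[i], user[i], viewer[i], status
        }
    }' "$@"
}

# uid_owner UID [LISTING]   (listing from stdin when no file is given)
# Prints the record name that owns UID in a "name uid" listing, or "unknown".
uid_owner() {
    local want="$1"; shift
    awk -v want="$want" '$2 == want { print $1; found = 1 }
                         END { if (!found) print "unknown" }' "$@"
}

# broken_sessions_report: for every BROKEN-UID session in the sample log,
# name the directory record that owns the UID screensharingd could not find.
broken_sessions_report() {
    printf '%s\n' "$SAMPLE_LOG" | triage_screensharing \
        | awk -F'BROKEN-UID:' 'NF > 1 { print $2 }' \
        | while read -r uid; do
            owner="$(printf '%s\n' "$SAMPLE_UIDS" | uid_owner "$uid")"
            echo "uid $uid not found by screensharingd; directory says it is $owner"
        done
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | triage_screensharing
broken_sessions_report
```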

  • Need local PHD user account to have admin privileges

    We are starting to use PHDs and have given our teachers admin level privileges so they can install their own software, have access to certain system prefs, etc. When connected at school to the network, all works well. When at home, they do not have admin privs. Is there a way to make their local account part of the local admin group, on a global basis, so that we don't have to spend the time to go to every machine again.

    SYSDBA should never be used for anything other than backups and patching.
    Which of these two activities do you think appropriate for a user account?
    My answer is the same as Sybrand's. What you are asking is totally inappropriate. Far better to tell us specifically which actions you wish to perform and we will help you with the specific permissions you require.
