Add a user to the admin group via command line 3.0
One of the more visited articles on this site is several years old – this one on adding a user to the local admin group.
I thought I should update that information since it is somewhat out of date. Apple’s preferred and recommended way to add a user to the local admin group is to use dseditgroup. Editing the local directory node requires root, so run it with sudo (or pass a local admin’s credentials with -u and -p, as in the network example below):
/usr/sbin/dseditgroup -o edit -a gneagle -t user admin
This -a(dds) “gneagle”, which is an object of -t(ype) “user”, to the group “admin”.
To delete a user from the local admin group:
/usr/sbin/dseditgroup -o edit -d gneagle -t user admin
You can also use dseditgroup on a network directory service if you have admin credentials for the directory server:
dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -p -a gneagle -t user group_on_network_directory
This will prompt you for the dsadminusername’s password interactively. You can include the dsadminuser’s password on the command line like so:
dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -P dsadminuserpassword -a gneagle -t user group_on_network_directory
Be aware that a password passed with -P is visible to every other user on the machine in the process list (ps) while the command runs, and is recorded in your shell history. Prefer the interactive -p prompt unless the command runs from a script that nothing else can read.
dseditgroup can do many other things, like create and delete groups, add nested groups to an existing group, and check membership of a given user for a given group.
man dseditgroup for more info.
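Putting the add, delete and checkmember operations above together: the following script is an added example (not code from the original post) that adds or removes a local user idempotently and verifies the result with -o checkmember instead of trusting the exit status of -o edit alone. It assumes it is run as root on macOS; the DSEDITGROUP variable is an assumption of this example that lets you point it at a stub for testing.

```shell
#!/bin/bash
# Added example: idempotent add/remove of a local user in a local group
# (default: admin) using dseditgroup, with a checkmember pre-check and a
# post-check. Assumes root (sudo) on macOS. DSEDITGROUP is this example's
# own override hook, not a dseditgroup feature.
set -u

DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# is_member USER GROUP -> 0 if USER is in GROUP.
# "dseditgroup -o checkmember -m user group" prints "yes ..." or "no ...";
# we match the text rather than rely on the exit code.
is_member() {
  local user="$1" group="$2"
  "$DSEDITGROUP" -o checkmember -m "$user" "$group" 2>/dev/null | grep -q '^yes'
}

# ensure_member USER [GROUP] -> add USER to GROUP unless already present,
# then verify the membership actually landed.
ensure_member() {
  local user="$1" group="${2:-admin}"
  if is_member "$user" "$group"; then
    echo "already: $user is a member of $group"
    return 0
  fi
  if ! "$DSEDITGROUP" -o edit -a "$user" -t user "$group"; then
    echo "error: dseditgroup could not add $user to $group" >&2
    return 1
  fi
  if is_member "$user" "$group"; then
    echo "added: $user to $group"
    return 0
  fi
  echo "error: $user is still not in $group after the edit" >&2
  return 1
}

# ensure_not_member USER [GROUP] -> remove USER from GROUP if present,
# then verify the removal.
ensure_not_member() {
  local user="$1" group="${2:-admin}"
  if ! is_member "$user" "$group"; then
    echo "already: $user is not a member of $group"
    return 0
  fi
  if ! "$DSEDITGROUP" -o edit -d "$user" -t user "$group"; then
    echo "error: dseditgroup could not remove $user from $group" >&2
    return 1
  fi
  if is_member "$user" "$group"; then
    echo "error: $user is still in $group after the edit" >&2
    return 1
  fi
  echo "removed: $user from $group"
}

# Usage: sudo ./ensure_admin.sh add|remove USERNAME [GROUP]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
  case "$1" in
    add)    ensure_member "$2" "${3:-admin}" ;;
    remove) ensure_not_member "$2" "${3:-admin}" ;;
    *)      echo "usage: $0 add|remove USERNAME [GROUP]" >&2; exit 2 ;;
  esac
fi
```

The post-check matters in practice: dseditgroup can return 0 on the local node while the change did not take (for example when the account name is misspelled and resolves to nothing), and a deployment script should fail loudly rather than report success.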
January 19, 2010 at 7:31 am
We’ve been doing it like this: "dseditgroup -o edit -n . -a diradmingroup -t group admin", to nest a directory group in the local admin group. Handy for managing devolved admin access. Apply the change to a pool of computers, then add and remove users in the directory group to change access rights.
February 22, 2010 at 12:31 pm
oaulo, can you give more details on adding OD Groups to the clients’ local admin group? I am running into syntax issues.
February 22, 2010 at 1:53 pm
Oh, nevermind, I see the new entry for nested group now listed by its GID. Does the “-n .” indicate to search all available directories (local and network)?
March 5, 2010 at 7:30 am
@ viggen9 : ‘-n’ is for node – ie the directory you want to operate on. “-n . ” indicates the local directory. “-n /LDAPv3/ldap.yourco.com” would indicate your main DS.
Nesting groups within a group is where it’s worthwhile persevering with dseditgroup over dscl. See the end of the dseditgroup man page for more examples.
June 8, 2010 at 12:25 pm
Is there a way to make the currently logged in user, member of local admins without knowing/specifying the user name?
June 12, 2010 at 5:03 pm
A login hook could do it; the login hook gets the name of the user in $1. So within the login hook script, you’d do something like:
/usr/sbin/dseditgroup -o edit -a "$1" -t user admin
Of course, this would have the effect of making every single user that ever logged into the machine a local admin — is that really what you want; more importantly, is that wise?
June 13, 2010 at 4:31 am
You are right, I do not want every user that logs in to the machine to be an admin.
But I could, as you point out, make a loginhook that will do the job and then, in the script, delete the hook and the script as the last thing.
I think I am gonna give that a go, thank you!
January 11, 2011 at 7:42 pm
So how would one create a script to create a group and add local users, except the admin, to the group?
Would it be something like:
#!/bin/bash
sudo dseditgroup -o create -n . newnonadmingroup
dscl -u apl . -append /Groups/newnonadmingroup GroupMembership
?
only that means I’d have to put in the username each time I ran the script. How could a person find out or assign a group ID to non-admins. Seems like adding a group ID to newnonadmin group would be the way to go but I can’t figure out how to do it.
April 6, 2012 at 4:54 am
Something that was useful for me was to have a group in the directory which the mac was bound to, and have all users in that group be admins. Easier to manage that way.
/usr/sbin/dseditgroup -o edit -a NetworkAdmins -t group admin
January 14, 2013 at 9:05 am
I am trying to use this to add my teachers as local admins. I can add them individually, but because of the size of my school, it is not easily manageable. I created a group “Teachers” with GID 1024. I launched an elevated prompt:
dseditgroup -o edit -a Teachers -t group admin
and the result was “No record found”
Any hints here?