One of the more visited articles on this site is several years old – this one on adding a user to the local admin group.
I thought I should update that information since it is somewhat out of date. Apple’s preferred and recommended way to add a user to the local admin group is to use dseditgroup, like so:
/usr/sbin/dseditgroup -o edit -a gneagle -t user admin
This -a(dds) “gneagle”, which is an object of -t(ype) “user”, to the group “admin”. Editing the local directory node requires root privileges, so run this with sudo (or supply local admin credentials with -u and -p).
To delete a user from the local admin group:
/usr/sbin/dseditgroup -o edit -d gneagle -t user admin
You can also use dseditgroup on a network directory service if you have admin credentials for the directory server:
dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -p -a gneagle -t user group_on_network_directory
This will prompt you for dsadminusername’s password interactively (that is what -p does). You can include the password on the command line with -P instead, like so:
dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -P dsadminuserpassword -a gneagle -t user group_on_network_directory
Be aware that a password passed with -P is visible to every other user on the machine in the process list (ps) while the command runs and is recorded in your shell history, so prefer -p unless the command has to run unattended.
dseditgroup can do many other things, like create and delete groups, add nested groups to an existing group, and check membership of a given user for a given group. See man dseditgroup for more info.
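To show how the add, delete and check operations above fit together in a script, here is an added example (not code from this post or from Apple). It assumes it runs as root with sudo against the local node “.”; the DSEDITGROUP and NODE variables are hypothetical overrides so the same functions can be pointed at a network node or at a test double. Every change is verified with -o checkmember afterwards instead of trusting the edit’s exit status alone, and the CSV runner returns a count of failed rows so a caller can test $? rather than grep the output.

```shell
#!/bin/bash
# ensure_admin.sh: idempotent wrapper around dseditgroup (added example, not
# the post's own code). Assumes root (sudo) against the local node ".";
# DSEDITGROUP and NODE are hypothetical overrides for other nodes or tests.

DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
NODE="${NODE:-.}"   # "." = local directory; e.g. /LDAPv3/ldap.company.com for a DS

# is_member USER GROUP -> exit 0 if USER is currently a member of GROUP
is_member() {
    "$DSEDITGROUP" -o checkmember -n "$NODE" -m "$1" "$2" >/dev/null 2>&1
}

# ensure_member USER GROUP -> 0 (already a member, or added and verified),
#   1 (dseditgroup reported failure), 2 (edit returned 0 but membership did not verify)
ensure_member() {
    if is_member "$1" "$2"; then
        return 0                      # nothing to change; safe to re-run
    fi
    "$DSEDITGROUP" -o edit -n "$NODE" -a "$1" -t user "$2" || return 1
    is_member "$1" "$2" || return 2
}

# ensure_not_member USER GROUP -> same codes as ensure_member, for removal (-d)
ensure_not_member() {
    if ! is_member "$1" "$2"; then
        return 0
    fi
    "$DSEDITGROUP" -o edit -n "$NODE" -d "$1" -t user "$2" || return 1
    ! is_member "$1" "$2" || return 2
}

# apply_csv FILE: one "user,group,add|remove" row per line (action defaults to
# add). Failed rows are logged to stderr; the return value is the number of
# failed rows, so 0 means every row was applied and verified.
apply_csv() {
    local failures=0 user group action rc
    while IFS=, read -r user group action || [ -n "$user" ]; do
        [ -z "$user" ] && continue    # skip blank lines
        case "${action:-add}" in
            add)    ensure_member "$user" "$group";     rc=$? ;;
            remove) ensure_not_member "$user" "$group"; rc=$? ;;
            *)      echo "unknown action '$action' for $user" >&2; rc=3 ;;
        esac
        if [ "$rc" -ne 0 ]; then
            echo "FAILED (rc=$rc): $action $user -> $group" >&2
            failures=$((failures + 1))
        fi
    done < "$1"
    return "$failures"
}

# Command-line use:  sudo ./ensure_admin.sh add gneagle [admin]
#                    sudo ./ensure_admin.sh remove gneagle [admin]
#                    sudo ./ensure_admin.sh csv members.csv
case "${1:-}" in
    add)    ensure_member "$2" "${3:-admin}" ;;
    remove) ensure_not_member "$2" "${3:-admin}" ;;
    csv)    apply_csv "$2" ;;
esac
```

The CSV rows are “user,group,action”; because the loop is fed by a redirect rather than a pipe, the failure counter survives it and becomes the return value (return codes wrap at 255, so treat anything non-zero as “inspect stderr”).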
We’ve been doing it like this:
dseditgroup -o edit -n . -a diradmingroup -t group admin
to nest a directory group in the local admin group. Handy for managing devolved admin access. Apply the change to a pool of computers, then add and remove users in the directory group to change access rights.
oaulo, can you give more details on adding OD Groups to the clients’ local admin group? I am running into syntax issues.
Oh, nevermind, I see the new entry for nested group now listed by its GID. Does the “-n .” indicate to search all available directories (local and network)?
@viggen9: ‘-n’ is for node, i.e. the directory you want to operate on. “-n .” indicates the local directory. “-n /LDAPv3/ldap.yourco.com” would indicate your main DS.
Nesting groups within a group is where it’s worthwhile persevering with dseditgroup over dscl. See the end of the dseditgroup man page for more examples.
Is there a way to make the currently logged-in user a member of local admins without knowing/specifying the user name?
A login hook could do it; the login hook gets the name of the user in $1. So within the login hook script, you’d do something like:
/usr/sbin/dseditgroup -o edit -a "$1" -t user admin
Of course, this would have the effect of making every single user that ever logged into the machine a local admin. Is that really what you want; more importantly, is that wise?
You are right, I do not want every user that logs in to the machine to be an admin.
But I could, as you point out, make a login hook that will do the job and then, as the last thing in the script, delete the hook and the script.
I think I am gonna give that a go, thank you!
So how would one create a script to create a group and add local users, except the admin, to the group?
Would it be something like:
#!/bin/bash
sudo dseditgroup -o create -n . newnonadmingroup
dscl -u apl . -append /Groups/newnonadmingroup GroupMembership
?
Only that means I’d have to put in the username each time I ran the script. How could a person find out or assign a group ID to non-admins? Seems like adding a group ID to the newnonadmin group would be the way to go, but I can’t figure out how to do it.
Something that was useful for me was to have a group in the directory which the mac was bound to, and have all users in that group be admins. Easier to manage that way.
/usr/sbin/dseditgroup -o edit -a NetworkAdmins -t group admin
I am trying to use this to add my teachers as local admins. I can add them individually, but because of the size of my school, it is not easily manageable. I created a group “Teachers” with GID 1024. I launched an elevated prompt:
dseditgroup -o edit -a Teachers -t group admin
and the result was “No record found”
Any hints here?
THANKS! I can’t wait to try this.
I’m writing a script to add users to a group based on a CSV. I need to know if there was an error. In a script, how can I determine if there was an error? Usually I would use if [[ $(command) -eq 0 ]], but that doesn’t appear to work.
I’m migrating users over from OpenLDAP, and one of them (my boss, no less) was unable to access her samba shares. com.apple.access_smb is an inherited group, and not one you can set manually through the command line. This command saved my bacon, though, so thanks!
/usr/sbin/dseditgroup -o edit -a -t user com.apple.access_smb