Add a user to the admin group via command line 3.0

One of the more visited articles on this site is several years old – this one on adding a user to the local admin group.

I thought I should update that information since it is somewhat out of date. Apple’s preferred and recommended way to add a user to the local admin group is to use dseditgroup, like so:

/usr/sbin/dseditgroup -o edit -a gneagle -t user admin

This -a(dds) “gneagle”, which is an object of -t(ype) “user”, to the group “admin”.

To delete a user from the local admin group:

/usr/sbin/dseditgroup -o edit -d gneagle -t user admin

You can also use dseditgroup on a network directory service if you have admin credentials for the directory server:

dseditgroup -o edit -n /LDAPv3/ -u dsadminusername -p -a gneagle -t user group_on_network_directory

This will prompt you for the dsadminusername’s password interactively. You can include the dsadminuser’s password like so:

dseditgroup -o edit -n /LDAPv3/ -u dsadminusername -P dsadminuserpassword -a gneagle -t user group_on_network_directory

dseditgroup can do many other things, like create and delete groups, add nested groups to an existing group, and check membership of a given user for a given group.

man dseditgroup for more info.
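As an added example (not part of the original post), here is a small POSIX shell script that drives dseditgroup idempotently on the local node: it tests membership with -o checkmember, adds the user only when needed, and branches on dseditgroup's exit status rather than its printed text. The function names and the sample user list are constructed for this example; it assumes dseditgroup is on PATH and that the script runs with admin rights.

```shell
#!/bin/sh
# Added example: idempotently make each user in a list a member of a local
# group, deciding on dseditgroup's exit status rather than its printed text.
# Assumes dseditgroup is on PATH and the script runs as an admin (sudo).
# Function names are constructed for this example.

# 0 if user $1 is already a member of group $2 in the local node (-n .).
is_member() {
    dseditgroup -o checkmember -n . -m "$1" "$2" >/dev/null 2>&1
}

# Add user $1 to group $2 unless already a member. Returns 0 when the user
# ends up a member, 1 when dseditgroup refused the edit (for example when
# no such user record exists, the "No record found" case).
ensure_member() {
    user="$1"; group="$2"
    if is_member "$user" "$group"; then
        echo "already a member: $user in $group"
        return 0
    fi
    if dseditgroup -o edit -n . -a "$user" -t user "$group" >/dev/null 2>&1; then
        echo "added: $user to $group"
        return 0
    fi
    echo "FAILED: could not add $user to $group" >&2
    return 1
}

# Walk a newline-separated user list (blank lines and '#' comments skipped),
# adding each user to group $1. Returns the number of users that could not
# be added, so a caller can test "$?" like any other command.
ensure_members_from_list() {
    group="$1"; list="$2"; failures=0
    while IFS= read -r user; do
        case "$user" in ''|'#'*) continue ;; esac
        ensure_member "$user" "$group" || failures=$((failures + 1))
    done <<EOF
$list
EOF
    return "$failures"
}

# Usage: sudo sh add_admins.sh admin users.txt   (one username per line)
if [ "$#" -ge 2 ]; then
    ensure_members_from_list "$1" "$(cat "$2")"
fi
```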


16 thoughts on “Add a user to the admin group via command line 3.0”

  1. oaulo says:

    We’ve been making like this || dseditgroup -o edit -n . -a diradmingroup -t group admin || to nest a directory group in the local admin group. Handy for managing devolved admin access. Apply the change to a pool of computers, add and remove users in the directory group to change access rights.

    1. viggen9 says:

      oaulo, can you give more details on adding OD Groups to the clients’ local admin group? I am running into syntax issues.

      1. viggen9 says:

        Oh, never mind, I see the new entry for the nested group now listed by its GID. Does the “-n .” indicate to search all available directories (local and network)?

  2. paulo says:

    @ viggen9 : ‘-n’ is for node – i.e. the directory you want to operate on. “-n .” indicates the local directory. “-n /LDAPv3/” would indicate your main DS.
    Nesting groups within a group is where it’s worthwhile persevering with dseditgroup over dscl. See the end of the dseditgroup man page for more examples.

  3. Carl says:

    Is there a way to make the currently logged in user, member of local admins without knowing/specifying the user name?

    1. A login hook could do it; the login hook gets the name of the user in $1. So within the login hook script, you’d do something like:

      /usr/sbin/dseditgroup -o edit -a "$1" -t user admin

      Of course, this would have the effect of making every single user that ever logged into the machine a local admin — is that really what you want; more importantly, is that wise?

  4. Carl says:

    You are right, I do not want every user that logs in to the machine to be an admin.
    But I could, as you point out, make a loginhook that will do the job and then, in the script, delete the hook and the script as the last thing.
    I think I am gonna give that a go, thank you!

  5. boondoggle says:

    So how would one create a script to create a group and add local users, except the admin, to the group?

    Would it be something like:

    sudo dseditgroup -o create -n . newnonadmingroup
    dscl -u apl . -append /Groups/newnonadmingroup GroupMembership


    only that means I’d have to put in the username each time I ran the script. How could a person find out or assign a group ID to non-admins. Seems like adding a group ID to newnonadmin group would be the way to go but I can’t figure out how to do it.

  6. Jacob says:

    Something that was useful for me was to have a group in the directory which the mac was bound to, and have all users in that group be admins. Easier to manage that way.

    /usr/sbin/dseditgroup -o edit -a NetworkAdmins -t group admin

    1. I am trying to use this to add my teachers as local admins. I can add them individually, but because of the size of my school, it is not easily manageable. I created a group “Teachers” with GID 1024. I launched an elevated prompt:

      dseditgroup -o edit -a Teachers -t group admin

      and the result was “No record found”

      Any hints here?

  7. Phillip Boushy says:

    I’m writing a script to add users to a group based on a csv. I need to know if there was an error. In a script, how can I determine if there was an error? Usually I would use if [[ $(command) -eq 0 ]]. But that doesn’t appear to work.

  8. Matt Krohn says:

    I’m migrating users over from OpenLDAP, and one of them (my boss, no less) was unable to access her samba shares. is an inherited group, and not one you can set manually through the command line. This command saved my bacon, though, so thanks!

    /usr/sbin/dseditgroup -o edit -a -t user
