Add a user to the admin group via command line 3.0

One of the more visited articles on this site is several years old – this one on adding a user to the local admin group.

I thought I should update that information since it is somewhat out of date. Apple’s preferred and recommended way to add a user to the local admin group is to use dseditgroup, like so:


/usr/sbin/dseditgroup -o edit -a gneagle -t user admin

This -a(dds) “gneagle”, which is an object of -t(ype) “user”, to the group “admin”.

To delete a user from the local admin group:


/usr/sbin/dseditgroup -o edit -d gneagle -t user admin

You can also use dseditgroup on a network directory service if you have admin credentials for the directory server:


dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -p -a gneagle -t user group_on_network_directory

This will prompt you for dsadminusername’s password interactively. You can also supply the password on the command line with -P (note that it is then visible in your shell history and, while the command runs, in the process list to other users on the machine), like so:


dseditgroup -o edit -n /LDAPv3/ldap.company.com -u dsadminusername -P dsadminuserpassword -a gneagle -t user group_on_network_directory

dseditgroup can do many other things, like create and delete groups, add nested groups to an existing group, and check membership of a given user for a given group.

man dseditgroup for more info.
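As an added example (not code from the original post), here is a small script wrapping the commands above: it validates the account name, checks membership with -o checkmember before editing so it can be re-run safely, and reports dseditgroup’s exit status so a calling script can tell whether the edit failed. The DSEDITGROUP and NODE variables and the function names are my own assumptions, not part of dseditgroup.

```shell
#!/bin/bash
# Added example, not part of the original post: idempotently add local users to
# the admin group with dseditgroup. DSEDITGROUP and NODE are overridable (assumption).
set -u
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
NODE="${NODE:-.}"    # "." is the local directory node

# Accept only plausible short names so nothing odd reaches the command line
# (assumption: local short names use [A-Za-z0-9._-] and do not start with "-").
valid_username() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]* | -*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit status 0 when $1 is already a member of group $2, non-zero otherwise.
is_member() {
    "$DSEDITGROUP" -o checkmember -n "$NODE" -m "$1" "$2" >/dev/null 2>&1
}

# Add $1 to the admin group if needed. Returns 0 on success or when the user
# is already a member; returns 1 and explains on stderr when dseditgroup fails.
add_admin() {
    local user="$1" rc
    if ! valid_username "$user"; then
        echo "refusing suspicious account name: '$user'" >&2
        return 1
    fi
    if is_member "$user" admin; then
        echo "$user is already a member of admin"
        return 0
    fi
    "$DSEDITGROUP" -o edit -n "$NODE" -a "$user" -t user admin
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "dseditgroup failed for $user with exit status $rc" >&2
        return 1
    fi
    echo "added $user to admin"
}

# Usage: sudo ./add_admins.sh user1 user2 ...   (the edit operation needs root)
if [ "$#" -gt 0 ]; then
    status=0
    for u in "$@"; do add_admin "$u" || status=1; done
    exit "$status"
fi
```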


16 thoughts on “Add a user to the admin group via command line 3.0”

  1. oaulo says:

    We’ve been doing it like this || dseditgroup -o edit -n . -a diradmingroup -t group admin || to nest a directory group in the local admin group. Handy for managing devolved admin access. Apply the change to a pool of computers, add and remove users in the directory group to change access rights.

    1. viggen9 says:

      oaulo, can you give more details on adding OD Groups to the clients’ local admin group? I am running into syntax issues.

      1. viggen9 says:

        Oh, never mind, I see the new entry for the nested group now listed by its GID. Does the “-n .” indicate to search all available directories (local and network)?

  2. paulo says:

    @viggen9: ‘-n’ is for node – i.e. the directory you want to operate on. “-n .” indicates the local directory. “-n /LDAPv3/ldap.yourco.com” would indicate your main DS.
    Nesting groups within a group is where it’s worthwhile persevering with dseditgroup over dscl. See the end of the dseditgroup man page for more examples.

  3. Carl says:

    Is there a way to make the currently logged-in user a member of local admins without knowing/specifying the user name?

    1. A login hook could do it; the login hook gets the name of the user in $1. So within the login hook script, you’d do something like:

      /usr/sbin/dseditgroup -o edit -a “$1” -t user admin

      Of course, this would have the effect of making every single user that ever logged into the machine a local admin — is that really what you want; more importantly, is that wise?

  4. Carl says:

    You are right, I do not want every user that logs in to the machine to be an admin.
    But I could, as you point out, make a login hook that will do the job and then, in the script, delete the hook and the script as the last thing.
    I think I am gonna give that a go, thank you!

  5. boondoggle says:

    So how would one create a script to create a group and add local users, except the admin, to the group?

    Would it be something like:

    #!/bin/bash
    sudo dseditgroup -o create -n . newnonadmingroup
    dscl -u apl . -append /Groups/newnonadmingroup GroupMembership

    ?

    only that means I’d have to put in the username each time I ran the script. How could a person find out or assign a group ID to non-admins? Seems like adding a group ID to the newnonadmin group would be the way to go, but I can’t figure out how to do it.

  6. Jacob says:

    Something that was useful for me was to have a group in the directory which the mac was bound to, and have all users in that group be admins. Easier to manage that way.

    /usr/sbin/dseditgroup -o edit -a NetworkAdmins -t group admin

    1. I am trying to use this to add my teachers as local admins. I can add them individually, but because of the size of my school, it is not easily manageable. I created a group “Teachers” with GID 1024. I launched an elevated prompt:

      dseditgroup -o edit -a Teachers -t group admin

      and the result was “No record found”

      Any hints here?

  7. Phillip Boushy says:

    I’m writing a script to add users to a group based on a CSV. I need to know if there was an error. In a script, how can I determine if there was an error? Usually I would use if [[ $(command) -eq 0 ]], but that doesn’t appear to work.

  8. Matt Krohn says:

    I’m migrating users over from OpenLDAP, and one of them (my boss, no less) was unable to access her samba shares. com.apple.access_smb is an inherited group, and not one you can set manually through the command line. This command saved my bacon, though, so thanks!

    /usr/sbin/dseditgroup -o edit -a -t user com.apple.access_smb
