I'm looking for a way to add an Active Directory user to a Mac and let them administrate the machine, without making more than just that user an administrator.

Right now, I'm using Directory Utility to add an AD group, we'll call it Domain Devs, to the Allow Administration By: list. This would allow Bob, Nancy, Paul, and Bill to administer the computer. But this machine is supposed to go to Bob, so I only want him to administrate it. I then have to go to the login options and tell it to only allow Bob to log into the computer.

So while Bob, Nancy, Paul and Bill can administer it, only Bob can log in.

There is a concern that other users will be able to log into or gain access to the machine through another method of login or security breach and have administration rights to the system.

We're looking for a way to do something similar to what happens in Windows when you take a user in AD and add that specific user to the local Administrators group: Bob could be added to that specific computer with admin rights, while any other domain user can log in with only limited user rights.

Is there a way to do this, add a specific AD user to the Mac as an administrator without using a group in AD with just that user in it?


Does this command not work for you?

dseditgroup -o edit -n /Local/Default -u localadmin -p -a networkuser -t user admin

details: Mac OS X: Allowing administration by network accounts
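As an added example (not part of the answer above), a small script that wraps the same dseditgroup call, rejects obviously malformed account names before they reach the command line, and then verifies the result with dseditgroup's checkmember operation rather than trusting the edit's exit status alone. The user name bob and the local authorizing account localadmin are assumptions; DRY_RUN=1 only prints the commands, so the script can be read and tested on a machine that is not a Mac.

```bash
#!/bin/sh
# Added example, not from the original post. Grants one AD user local admin
# on this Mac by adding the network account (as a user, not a group) to the
# local "admin" group, then checks membership afterwards.
#
# Assumptions (not from the page): the authorizing local admin is called
# "localadmin" and the network user to promote is "bob".

# The exact command the answer shows, with the two names substituted.
admin_add_cmd() {
    # $1 = network user short name, $2 = local admin account that authorizes
    printf '%s' "dseditgroup -o edit -n /Local/Default -u $2 -p -a $1 -t user admin"
}

# Verification: dseditgroup reports whether $1 is a member of "admin" and
# exits non-zero when it is not.
check_cmd() {
    printf '%s' "dseditgroup -o checkmember -m $1 admin"
}

# Usage: grant_local_admin <networkuser> [localadmin]
# Returns 0 on success, 1 if the edit or the check failed, 2 for a bad name.
grant_local_admin() {
    user=$1
    localadmin=${2:-localadmin}

    # Short names are letters, digits, dot, underscore, hyphen; anything else
    # (spaces, shell metacharacters, an empty string) is refused up front.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing suspicious account name: '$user'" >&2
            return 2 ;;
    esac

    if [ "${DRY_RUN:-0}" = 1 ]; then
        admin_add_cmd "$user" "$localadmin"; echo
        check_cmd "$user"; echo
        return 0
    fi

    # -u/-p authorize the change as the local admin; -p prompts for its
    # password interactively, so this must be run on the Mac itself.
    dseditgroup -o edit -n /Local/Default -u "$localadmin" -p \
        -a "$user" -t user admin || return 1

    # Confirm the user actually landed in the admin group.
    dseditgroup -o checkmember -m "$user" admin || return 1
}

# Example invocation (assumed names); remove DRY_RUN to apply for real.
DRY_RUN=1
export DRY_RUN
grant_local_admin bob localadmin
```

Because the account is added with -t user, only that one AD user becomes an administrator; other domain users who can log in keep standard-user rights, which is the behaviour the question asks for. Run the script as a local admin on the target Mac; the checkmember line at the end is the quick way to audit later which network accounts have been promoted on a given machine.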