Tagged OS X

Make an Active Directory user a local administrator in Leopard

Apple’s latest offering, OS 10.5 “Leopard”, offers GUI-based integration and account management for Microsoft Active Directory that is fairly full-featured and complete. However, as tends to be the case when it comes to enterprise-level account management, Apple dropped the ball and forgot to include a very important feature: the ability to promote a domain user to local administrative status without them having to log in. You can add groups through the Directory Utility GUI, but not individual users. Why would this be important? Well, at least for me, it’s because a lot of the users I support aren’t there when I’m setting up their computer, but they’ll need to administer it down the road. Getting their password in advance is a huge security no-no in an environment where pretty much everyone has sensitive data on their machine, so how can you give a user local admin privileges before their home folder is even created? Terminal, obviously.

  1. Launch Terminal from Applications->Utilities->Terminal.
  2. Type the following command, substituting the name of your domain user in the appropriate field, surrounded by quotation marks:
    sudo dscl . -append /Groups/admin GroupMembership "new_user"

You’ll be prompted for your password, then you should see the command prompt again. If you’re not sure whether or not it worked, try promoting a domain account for which you have the password the same way and logging in. Go into System Preferences and try to unlock something. If your name appears in the username field, you’re an admin!
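A way to confirm the change without logging in as the user, as an added example that is not part of the original post: it parses the output of `dscl . -read /Groups/admin GroupMembership` and lists any admin-group member outside an expected set. The sample output, the function names and the `root localadmin` allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the local admin group after the dscl -append step.
# SAMPLE_DSCL_OUTPUT is constructed; on a Mac the real text comes from:
#   dscl . -read /Groups/admin GroupMembership
SAMPLE_DSCL_OUTPUT='GroupMembership: root localadmin new_user'

# Print one short name per line from "GroupMembership: a b c" text ($1).
# Assumes short names contain no spaces, so dscl prints them on one line.
admin_members() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr -s '[:space:]' '\n' \
        | sed '/^$/d'
}

# Exit 0 only if short name $2 is listed in dscl text $1.
# The match is on the whole name, so "new" does not match "new_user".
is_admin_member() {
    admin_members "$1" | grep -Fxq -- "$2"
}

# Print members found in dscl text $1 that are absent from the
# space-separated allowlist $2 (hypothetical list of expected admins).
unexpected_admins() {
    for m in $(admin_members "$1"); do
        case " $2 " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Use live data where dscl exists, otherwise the constructed sample.
if command -v dscl >/dev/null 2>&1; then
    out=$(dscl . -read /Groups/admin GroupMembership)
else
    out=$SAMPLE_DSCL_OUTPUT
fi

if is_admin_member "$out" "new_user"; then
    echo "new_user is in the admin group"
fi
echo "Members outside the allowlist:"
unexpected_admins "$out" "root localadmin"
```

Running the same audit before and after a setup session shows exactly which short names were added to the admin group, including any mistyped ones.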

Giving the short name some more lovin’

So, it’s technically possible to change a short name in OS X using the Apple-endorsed procedure listed on Apple’s site, but that method involves doing some really horrible things to your computer, since you’re basically using the BSD subsystem to trick OS X into thinking you’re the same person you were while actually creating a ‘new’ account.
Poking around on the web yielded this nifty tool, however, that seems to make renaming your account a snap. You can download it here, then check out the documentation at this website.
It doesn’t seem to work any differently than would the sketchy and complicated solution offered by the nice folks at Apple, but it does it automatically, so you can screw your computer up at the speed its processor runs, not just as fast as you can type. Good luck!