Apple’s latest offering, OS 10.5 “Leopard,” offers GUI-based integration and account management for Microsoft Active Directory that is fairly full-featured and complete. However, as tends to be the case when it comes to enterprise-level account management, Apple dropped the ball and forgot to include a very important feature: the ability to promote a domain user to local administrative status without them having to log in. You can add groups through the Directory Utility GUI, but not individual users. Why would this be important? Well, at least for me, it’s because a lot of the users I support aren’t there when I’m setting up their computer, but they’ll need to administer it down the road. Getting their password in advance is a huge security no-no in an environment where pretty much everyone has sensitive data on their machine, so how can you give a user local admin privileges before their home folder is even created? Terminal, obviously.
- Launch Terminal from Applications->Utilities->Terminal.
- Type the following command, substituting the name of your domain user in the appropriate field, surrounded by quotation marks:
sudo dscl . -append /Groups/admin GroupMembership "new_user"
You’ll be prompted for your password, then you should see the command prompt again. If you’re not sure whether or not it worked, try promoting a domain account for which you have the password the same way and logging in. Go into System Preferences and try to unlock something. If your name appears in the username field, you’re an admin!
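The membership can also be checked from Terminal without logging in as the user. The script below is an added example, not part of the original post: it reads the admin group's GroupMembership value, matches the short name exactly, and only runs the append when the user is not already listed. The function names, the DSCL_OUTPUT override and the sample text are constructed for illustration, and the parser assumes dscl prints the members on a single space-separated line.

```sh
#!/bin/sh
# Added example: audit the local admin group before and after promoting a user.

# Constructed sample of what this command prints on a Mac:
#   dscl . -read /Groups/admin GroupMembership
SAMPLE_OUTPUT='GroupMembership: root localadmin new_user'

# read_admin_members: print the raw GroupMembership line.
# DSCL_OUTPUT is a hypothetical override so the parser can be run on
# captured text (for example on a machine without dscl).
read_admin_members() {
    if [ -n "${DSCL_OUTPUT:-}" ]; then
        printf '%s\n' "$DSCL_OUTPUT"
    else
        dscl . -read /Groups/admin GroupMembership
    fi
}

# is_admin_member USER: succeed only if USER appears as a whole entry,
# so "new" does not match "new_user".
is_admin_member() {
    members=$(read_admin_members | sed -n 's/^GroupMembership: *//p')
    case " $members " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# promote_user USER: run the append from the post only when USER is absent,
# which keeps the admin list free of repeated entries on reruns.
promote_user() {
    if is_admin_member "$1"; then
        echo "already-admin"
    else
        sudo dscl . -append /Groups/admin GroupMembership "$1" && echo "added"
    fi
}
```

Running `is_admin_member "new_user" && echo yes` after the promotion confirms the change, and the same function is a quick way to review who holds local admin rights on a machine.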
A situation came up at work recently where one of our users wanted to make sure that each and every person who logged onto a particular machine would have the same printer set up as their default. Various previous attempts to do this had failed, since there doesn’t seem to be a command-line switch for globally changing the default printer in Windows XP. I floated the problem to a co-worker, who suggested putting a simple batch file in place to run on every user’s Logon. This ended up working beautifully, as follows:
- Create a batch file by going to My Computer, choose the root file path of the hard drive (usually C:), right-click on some empty space and select ‘New Text Document.’
- Next, open your new text document and type in one of the following lines:
- If you have a networked printer, type rundll32 printui.dll,PrintUIEntry /y /n\\%printername%
- If you have a local printer, type rundll32 printui.dll,PrintUIEntry /y /n"%localprintername%"
- Choose ‘Save As’ in Notepad and change the type of file from Text (.txt) to ‘All Files.’ Name it something like ‘printer.bat’ (the ‘printer’ part is not important, the .bat part is) and save it to the C: drive.
- Go to ‘Start,’ choose ‘Run,’ and type ‘gpedit.msc’ to launch the Management Console.
- Under ‘User Configuration,’ ‘Windows Settings,’ you will find ‘Scripts (Logon / Logoff).’ Double-click on ‘Logon’ in the main window (to the right) and choose ‘Add’ to add a new script.
- Browse for your batch file (should be on C:). You don’t need any additional parameters. At this point, every user that logs in will have their default printer reset to the one you want.