Mac OS X: Allowing administration by network accounts

These are some ways you can specify which network users or groups are allowed to have administrator access.

System Preferences

You can add a network user to the local admin group using System Preferences.

1. Log in with a network user account
2. From the Apple menu, choose System Preferences
3. From the View menu, choose Accounts
4. Select the "Allow user to administer this computer" checkbox
5. Enter a current administrator's name and password when prompted
    

Directory Utility (Active Directory)

You can add Active Directory (AD) groups to the local admin group using Directory Utility. Note: Only Active Directory groups may be added using this method.

For Mac OS X v10.6, follow these steps:

1. From the Apple menu, choose System Preferences
2. From the View menu, choose Accounts
3. Click Login Options.
4. Click the Edit button by "Network Account Server".
5. Click the Open Directory Utility button to open Directory Utility (/System/Library/CoreServices/Directory Utility).
6. Click the lock in the lower left corner to authenticate.
7. Under the Services tab, double-click Active Directory to edit it.
8. Click the disclosure triangle next to "Show Advanced Options" to reveal its contents.
9. Under the Administrative tab, click the "Allow administration by" checkbox to enable it.
10. Click the plus button (+) to add new entries to the list.
11. Click the OK button to save the changes.
     

Command line (advanced)

If you are familiar with using Terminal and the command line, you can add network users or groups to the local admin group using the dseditgroup command in Terminal. The following example adds a network user to the admin group:

dseditgroup -o edit -n /Local/Default -u localadmin -p -a networkuser -t user admin

...where "localadmin" is the name of a local administrator account on the workstation (you will be prompted for this account password), and "networkuser" is the short name of the network user.