Map zone groups to local admin group


Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone group to local admin group


Specify one or more zone groups to map to the admin group on the local computer. Members of the groups you specify here have administrative privileges on the local computer, including:

  • The use of sudo command in a shell
  • The ability to unlock and make changes to System Preferences.

Be certain to create a zone group in Access Manager (or adedit) and add users who you want to have administrative privileges on managed Mac computers.

Note:   If the local computer is connected to the domain through Auto Zone, you cannot create a zone group because there are no zones. However, all Active Directory groups are valid for the joined computer, so you can map any group to the local admin group, but you need to know the group’s UNIX name, which you can retrieve on the local computer by using the adquery command, as shown in the following example.

[root]#adquery group -n 

To set this policy

  1. Open the policy and select Enabled.
  2. Click Add.
  3. Enter the name of a zone group in the box (or the UNIX group name if connected through Auto Zone). Then click OK.