Map zone groups to local group


Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone group to local group


Specify one or more zone groups to map to a Mac local group on the local computer. Members of the zone groups you specify here are given the privileges of that local group on the local computer. For example:

  • If you map to the _lpadmin and _lpoperator local groups, members of the zone group can manage printer settings on the local computer.
  • If you map to the admin local group, members of the zone group obtain administrator privileges on the local computer.

Note:   To obtain administrator privileges for a zone group, you can either map to the local admin group with this policy, or use the Map zone groups to local admin group policy. However, do not do both as the results are unpredictable.

Be certain to create a zone group in Access Manager (or adedit) and add the users whom you want to have administrative privileges on managed Mac computers.

Note:   If the local computer is connected to the domain through Auto Zone, you cannot create a zone group because there are no zones. However, all Active Directory groups are valid for the joined computer, so you can map any group to the local admin group. To do so, you need to know the group’s UNIX name, which you can retrieve on the local computer by using the adquery command, as follows:

[root]# adquery group -n

To set this policy

  1. Open the policy and select Enabled.
  2. Click Add.
  3. Enter the name of a local group and of a zone group in the respective boxes (or the UNIX group name if connected through Auto Zone), then click OK.

    You can repeat this step multiple times to map the zone group to more than one local group.