Setting up local and remote administrative privileges
Centrify provides two group policies to set administrative privileges on the local computer:
- Map zone groups to local admin group lets you specify one or more zone groups to map to the local admin group. Members of the specified groups are given administrative privileges on the Mac computers managed by Access Manager.
- Enable administrator access groups allows users in the zone group ard_admin to access a computer via Apple Remote Desktop with full privileges.
This section shows you how to use these policies together to enable local and remote administrative access to Mac computers.
To enable remote and local access for a group:
1. Create an Active Directory group, for example, My_Mac_Admins, and add the users who should have administrative privileges.
2. Create a second Active Directory group of the Domain Local Security type. For convenience, name it ard_admin.
3. Add My_Mac_Admins as a member of ard_admin.
4. Create a Centrify zone group, My_Mac_Admins, and map it to the Active Directory group My_Mac_Admins.
Note: If the local computer is joined to the domain through Auto Zone, you cannot create a zone group because there are no zones. However, all Active Directory groups are valid for the joined computer, so you can map any group, such as My_Mac_Admins, to the local admin group. You do need the group's UNIX name, which you can retrieve on the local computer with the adquery command:
[root]# adquery group -n
For example, the following adquery command filters the list for the group created in Step 1 and returns its UNIX name:
[root]# adquery group -n | grep -i Mac_Admins
5. Create a zone group, ard_admin, and map it to the Active Directory group ard_admin.
Note: This zone group must be named ard_admin, because the Enable administrator access groups policy grants Apple Remote Desktop access to the zone group with exactly that name.
6. In the Group Policy Editor, open the group policy object for the domain and go to Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts > Map zone groups to local admin group.
7. Open the policy, select Enable, then click Add. Enter My_Mac_Admins (or the UNIX name retrieved with the adquery command in Step 4), then click OK.
This step maps My_Mac_Admins to the admin group on the local computer, so members of My_Mac_Admins get all local administrative privileges.
8. Click Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > Remote Management > Enable administrator access groups.
9. Open the policy and select Enable.
This step allows members of ard_admin to access a computer via Apple Remote Desktop with full privileges. In Step 7, you gave members of My_Mac_Admins local administrative privileges. Because ard_admin includes My_Mac_Admins (Step 3), members of My_Mac_Admins are also members of ard_admin and now have full local and remote administrative access. Membership in either group amounts to full control of every managed Mac, so treat both as highly privileged groups and review their membership regularly.
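The following script verifies, on a Centrify-joined Mac, that the two policies actually took effect for a given Active Directory user. It is an added example, not a script from the Centrify documentation. It assumes that Centrify's adgpupdate, adflush and adquery commands are on PATH, that Apple's dsmemberutil can resolve the ard_admin zone group as a local group once the Centrify agent exposes it, and that the local admin group is named admin (all assumptions, not stated on the page).

```shell
#!/bin/sh
# Post-deployment check for the "Map zone groups to local admin group" and
# "Enable administrator access groups" policies. Added example; assumptions:
# Centrify's adgpupdate/adflush/adquery are on PATH, and dsmemberutil can
# resolve the ard_admin zone group through the Centrify agent.

ADMIN_GROUP="admin"      # local macOS admin group the mapping policy targets
ARD_GROUP="ard_admin"    # zone group name the ARD policy requires

# Interpret the one-line output of 'dsmemberutil checkmembership'.
# Returns 0 when it reports membership, 1 for non-membership,
# 2 for anything else (unknown user, command failure).
membership_from_output() {
  case "$1" in
    *" is a member of the group"*)     return 0 ;;
    *" is not a member of the group"*) return 1 ;;
    *)                                 return 2 ;;
  esac
}

# Is user $1 effectively a member of local group $2? Wraps dsmemberutil,
# which follows nested and directory-provided group membership.
is_member() {
  out=$(dsmemberutil checkmembership -U "$1" -G "$2" 2>&1)
  membership_from_output "$out"
}

# UNIX name of an AD group as the agent sees it, the value you enter in
# the policy when the computer is joined through Auto Zone (same adquery
# invocation as the note in Step 4).
unix_group_name() {
  adquery group -n | grep -i "$1"
}

# Pull the latest group policy and drop cached AD lookups so the check
# reflects what is currently published.
refresh_policy() {
  adgpupdate >/dev/null && adflush
}

# Full check for one user: refresh, then test both memberships.
# Exit status 0 only if the user is in both admin and ard_admin.
check_user() {
  user="$1"
  refresh_policy
  rc=0
  for grp in "$ADMIN_GROUP" "$ARD_GROUP"; do
    if is_member "$user" "$grp"; then
      echo "$user: member of $grp"
    else
      echo "$user: NOT a member of $grp" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage (as root on the Mac): sh check_mac_admin.sh <ad_user>
if [ $# -eq 1 ]; then
  check_user "$1"
fi
```

Run it as root after the policy refresh interval has passed; a user who shows as a member of admin but not of ard_admin points at a wrong zone group name or a missing nesting in Step 3, while a user in neither usually means the policy has not reached the computer yet.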