On 10/03/2007, at 3:36 AM, Tina Siegenthaler wrote:
OK, trying to be a bit more precise...
We are two people at our IT department. Both of us need
administrator rights on our (managed) clients, but we are not
supposed to use the same single local admin account for the both
of us (it should be possible to track down who was actually logged
in at a certain time). This means we need *two* admin accounts on
each client. Instead of creating those two admins locally on each
client, we'd like to create two admins on the OD server, which we
can use to administer all the clients that are bound to this OD
server. This would also make it MUCH easier to change the password
from time to time... just changing it on the OD instead of
changing on 100 or more clients...
I know I can check the box "allow user to administer the server"
but I understand this means what it says, admin rights on
the *server*, not on the client(s) - am I wrong??
If you create a group in OD for the purposes of client admin, you
can nest that group inside the local admin group in NetInfo on your
clients.
Have a look at the "generateduid" property of your OD group, it
will look something like:
2FAC47CF-50F9-4DF2-994D-AAF42C9B035D
If you then create the property "nestedgroups" in the "admin" group
in NetInfo, and put this UUID there, your OD users in that group
will effectively be admins of the local machines in terms of
command line stuff like being able to sudo.
This gives the advantage of being able to move OD users in and out
of the OD "clientadmin" group without having to touch the config on
the clients.
In terms of GUI things they'll need to be members of the OD "admin"
group, which is done by checking "administer this directory domain"
in Workgroup Manager.
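As an added example (not part of the thread above, and not code from either poster), the nesting procedure the reply describes, scripted for a bound client: read the OD group's GeneratedUID, validate it is a well-formed UUID, check whether it is already nested in the local "admin" group, and only then append it. Assumptions that are not in the original: the OD node is reached as /LDAPv3/od.example.com, the OD group is called "clientadmin", dscl is used for both the read and the write, and dscl's standard attribute name NestedGroups maps onto the NetInfo "nestedgroups" property (on a NetInfo-era client, nicl against /groups/admin would be the direct equivalent; that is also an assumption). The sample dscl output embedded in the script is constructed, reusing the UUID quoted in the reply.

```shell
#!/bin/sh
# Added example: nest an Open Directory group into the local "admin" group
# by GeneratedUID. Assumptions (not from the thread): OD node path, OD group
# name, and that dscl's NestedGroups attribute maps to NetInfo nestedgroups.
set -u

OD_NODE="${OD_NODE:-/LDAPv3/od.example.com}"   # assumed OD node, override via env
OD_GROUP="${OD_GROUP:-clientadmin}"            # assumed OD group name

# Constructed sample of what "dscl <node> -read /Groups/clientadmin GeneratedUID"
# returns; the UUID is the one quoted in the reply above, not a real group.
SAMPLE_OD_RECORD="RecordName: clientadmin
GeneratedUID: 2FAC47CF-50F9-4DF2-994D-AAF42C9B035D"

# Extract the GeneratedUID value from dscl "key: value" output and refuse
# anything that is not a well-formed UUID (8-4-4-4-12 hex groups), so a
# typo or an empty read never ends up in the local admin group.
parse_generateduid() {
  _uuid=$(printf '%s\n' "$1" | sed -n 's/^GeneratedUID: *//p' | head -n 1)
  printf '%s\n' "$_uuid" \
    | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
  printf '%s\n' "$_uuid"
}

# $1 is the output of "dscl . -read /Groups/admin NestedGroups" (values are
# space separated on one line); $2 is the UUID to look for. Exact,
# case-insensitive match on a whole value, so re-running is idempotent.
already_nested() {
  printf '%s\n' "$1" | sed -n 's/^NestedGroups: *//p' | tr ' ' '\n' \
    | grep -Fxiq "$2"
}

# Live run: must execute on a client bound to the OD server, as root.
main() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not found; run this on a bound Mac OS X client" >&2
    return 2
  fi
  od_record=$(dscl "$OD_NODE" -read "/Groups/$OD_GROUP" GeneratedUID) || return 1
  uuid=$(parse_generateduid "$od_record") \
    || { echo "no valid GeneratedUID for $OD_GROUP in $OD_NODE" >&2; return 1; }
  local_admin=$(dscl . -read /Groups/admin NestedGroups 2>/dev/null || true)
  if already_nested "$local_admin" "$uuid"; then
    echo "$uuid is already nested in the local admin group"
    return 0
  fi
  # -append rather than -create, so existing nested groups are preserved.
  dscl . -append /Groups/admin NestedGroups "$uuid" || return 1
  # Verify the write actually landed before reporting success.
  already_nested "$(dscl . -read /Groups/admin NestedGroups)" "$uuid"
}

# Only touch the live system when explicitly asked, so the helpers can be
# exercised (or the file sourced) without modifying a client.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Usage: `sudo OD_NODE=/LDAPv3/your.od.server OD_GROUP=clientadmin sh nest-clientadmin.sh --apply` on each client once; after that, adding or removing people from the OD group is all that is needed, as the reply says. The UUID check matters because a malformed or empty value appended to the local admin group is silently ignored by the system but leaves a confusing record behind.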