I really like the nested group method. It allows me to add casual
lab admin staff such that they have appropriate rights over lab
machines, and I can easily update the group without having to touch
my actual images.
So after a chat with Joel I've realised that firstly I have a bug in
my deployment startup scripts, and secondly that my description was
incorrect.
Nesting an OD group inside the NetInfo group "admin" gives you full
admin rights, including GUI authorization dialogs.
The one thing it doesn't let you do is 'sudo'; to do that you'd need
to modify the /etc/sudoers file.
You don't need to be a member of the OD admin group at all.
However, if you're a member of the OD admin group (directly, not via
another layer of nested groups), then you *can* sudo on the local
machines. You shouldn't give users these rights just so they can sudo,
however. If that's all you need, then modify /etc/sudoers.
This is different to 10.3, where if you were a member of the OD admin
group you automatically had local admin privileges.
We're planning to do an afp548.com article on removing local admin
accounts altogether, which essentially combines the above info with
existing stuff on the ard_admin group in OD, like in Andrina's
article: http://www.afp548.com/article.php?story=20050811170505429