Mailing Lists: Apple Mailing Lists


Re: Any way to enable Directory users as ARD administrators?




On May 12, 2006, at 8:21 AM, Doug Stewart wrote:


> Howdy all,
> Due to some corporate policy considerations, we have to change the local
> admin accounts' passwords on all boxes (Windows, Mac, Linux, Solaris,
> etc.) on a monthly basis. This means that, every 30 days, I will have
> to go through each entry in my ARD client and manually update the
> passwords by hand. Is it possible, instead, to grant my Open Directory
> domain account (which is flagged as a diradmin) the ability to connect
> to ARD instances? When you open the settings in the control panel, I am
> only presented with local users.


Absolutely. That's what we're doing in my shop, so I know it works from personal experience. You can do this a couple of ways:

First way (if your Macs are always able to contact your OD server):
1. Set up a group called "ard_admin" on your OD server (this assumes that the machines you want to manage are bound to your OD server for authentication.)
2. Add the user(s) you want to be able to control your Macs through ARD to the ard_admin group.
3. Set the clients to use directory authorization by using the Change Client Settings feature or make a custom installer.

Second way (if your Macs are sometimes unable to contact your OD server, like a remote user):
1. Set up a mobile user on your Macs, so that they have a local account and home folder but look to the OD server for the latest password.
2. Run the following command on your Macs: sudo niutil -createprop . /users/username naprivs -1073741569

You can also use the kickstart command to do the same thing as the niutil command, with the command there being "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users username -privs -all -restart -agent -menu" (no quotes.)

Note: always use the shortname of the user who you want to be the ARD administrator in place of "username".


> Tangentially, is there a decent (Automator, perhaps?) way of going
> through my ARD client list and updating all of the passwords in one fell
> swoop?
>
> --
> ----------
> Doug Stewart
> Systems Administrator/Web Applications Developer
> Lockheed Martin Advanced Technology Labs
> email@hidden
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Remote-desktop mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/remote-desktop/email@hidden

This email sent to email@hidden


---
Rich Trouton (Contractor)
LAN Support
email@hidden
-----------------------------------------------------------
National Human Genome Research Institute
National Institutes of Health — Bethesda, MD

Office number: (240) 643-7816
NHGRI LAN Support number: (301) 402-7408

The best way to get in touch with me is through email.



Attachment: smime.p7s
Description: S/MIME cryptographic signature
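
Added example, not part of the original message or of Apple's tooling: a small audit helper that decodes the naprivs value quoted in the reply (-1073741569) and flags accounts that hold the same full mask without being on an approved list. The bit names, the label "AccessEnabled", the "shortname naprivs" input format and the account names are assumptions made for illustration; confirm the bit meanings against the kickstart help text on your own systems.

```python
# Bit names are an assumption modeled on kickstart's -privs option names;
# "AccessEnabled" is a hypothetical label for the top bit.
PRIV_BITS = {
    0: "TextMessages", 1: "ControlObserve", 2: "SendFiles", 3: "DeleteFiles",
    4: "GenerateReports", 5: "OpenQuitApps", 6: "ChangeSettings",
    7: "RestartShutDown", 8: "ObserveOnly", 30: "ShowObserve",
    31: "AccessEnabled",
}
FULL_MASK = -1073741569  # value given in the message for full ARD access


def to_u32(value):
    """Reinterpret a signed 32-bit naprivs value as an unsigned bitmask."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"naprivs out of 32-bit range: {value}")
    return value & 0xFFFFFFFF


def decode_naprivs(value):
    """Return (hex string, named privileges, unnamed bit positions)."""
    mask = to_u32(value)
    named = [name for bit, name in sorted(PRIV_BITS.items()) if mask >> bit & 1]
    unknown = [b for b in range(32) if mask >> b & 1 and b not in PRIV_BITS]
    return f"0x{mask:08X}", named, unknown


def audit(report, approved):
    """List (shortname, hex mask) for unapproved accounts with the full mask.

    `report` holds one "shortname naprivs" pair per line (constructed format).
    """
    findings = []
    for line in report.splitlines():
        if not line.strip():
            continue
        user, raw = line.split()
        mask = to_u32(int(raw))
        if mask == to_u32(FULL_MASK) and user not in approved:
            findings.append((user, f"0x{mask:08X}"))
    return findings


# Constructed sample: an approved admin, an unexpected full grant, and an
# account limited to report generation (bit 4 plus the top bit).
SAMPLE = """
ardadmin -1073741569
jsmith   -1073741569
helpdesk -2147483632
"""

if __name__ == "__main__":
    print(decode_naprivs(FULL_MASK))
    print(audit(SAMPLE, approved={"ardadmin"}))
```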


References: 
 >Any way to enable Directory users as ARD administrators? (From: Doug Stewart <email@hidden>)


