2

My small office environment hasn't had any IT staff before I was hired. They use a varied assortment of Mac OS X computers and I've been slowly converting them to a network-based OS X Server environment. All the computers were originally set up with just the one administrator account with a blank password. Files were put just about everywhere except the Documents folder. Nobody had user accounts. It was... messy.

Now that I've started converting them to networked Standard User accounts, my boss is complaining that everyone needs access to change things in System Preferences like Date & Time or Network (we're having some DHCP hiccups). I've tried to explain that under normal circumstances they shouldn't need to access that, but she's been very insistent about it.

Is there any way, either through Workgroup Manager or hacks, to allow Standard users admin access to individual preference panes? So far the least cringe-worthy thing I can think of is to make them local admins of their computers.

EEAA
Tim

2 Answers

2

This can be done by editing the file /etc/authorization, which controls who's allowed to do what in the GUI in OS X. It's an XML property list file, so you can edit it with either a text editor or Apple's Property List Editor (part of the developer tools). Warning: if you get the edit wrong, it may render the system effectively unusable; test this on a Mac you wouldn't mind wiping and reinstalling if necessary. Anyway, you should find a section (under the "rights" main section) that looks like this:

    <key>system.preferences</key>
    <dict>
        <key>allow-root</key>
        <true/>
        <key>class</key>
        <string>user</string>
        <key>comment</key>
        <string>Checked by the Admin framework when making changes to certain System Preferences.</string>
        <key>group</key>
        <string>admin</string>
        <key>shared</key>
        <true/>
    </dict>

You can change the group from admin to whatever you want. For example, you could create a group called semiadmin, add all regular users to it, and then edit the authorization file to list:

    <key>group</key>
    <string>semiadmin</string>

Note that this won't apply to all system preferences. The Accessibility, Accounts, Parental Controls, and Security panes each have their own entries; if you want to expand access to those preferences, edit those sections similarly. Also, each computer follows its own authorization file, so you'll need to install this modified file on each client computer (after fully testing it, of course).

Gordon Davisson
  • This sounds like what I'm after, thanks! Is that group limited to local groups or can it be a network group? – Tim Oct 06 '10 at 11:15
  • I haven't tested this, but I'd expect it to work with network groups. But note that if you have a local group with the same name as the network group, the local group is likely to take precedence. – Gordon Davisson Oct 06 '10 at 18:41
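An added example, not part of the answer above and not Apple's tooling: a Python script that applies the group change from that answer to a copy of the authorization plist, re-parses the result and confirms no other right changed before the file is installed, plus an audit helper that lists rights no longer restricted to admin. The sample plist is constructed, and the function names `set_right_group` and `non_admin_rights` are hypothetical.

```python
import plistlib

# Constructed sample: a cut-down authorization database with two rights.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>allow-root</key><true/>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
    <key>system.preferences.accounts</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict></plist>
"""

def set_right_group(data, right, group):
    """Return new plist bytes with only rights[right]['group'] changed."""
    db = plistlib.loads(data)  # raises on malformed XML, before any edit
    entry = db.get("rights", {}).get(right)
    if not isinstance(entry, dict):
        raise KeyError(f"right not found: {right}")
    if entry.get("class") != "user" or "group" not in entry:
        raise ValueError(f"{right} is not a group-based right")
    entry["group"] = group
    out = plistlib.dumps(db, fmt=plistlib.FMT_XML)
    # Re-parse the output and confirm every other right is untouched
    # before the file goes anywhere near /etc/authorization.
    before, after = plistlib.loads(data)["rights"], plistlib.loads(out)["rights"]
    changed = [name for name in before if before[name] != after.get(name)]
    if set(changed) - {right} or after[right]["group"] != group:
        raise RuntimeError(f"unexpected changes: {changed}")
    return out

def non_admin_rights(data):
    """Map user-class rights whose group is something other than admin."""
    rights = plistlib.loads(data).get("rights", {})
    return {name: r["group"] for name, r in rights.items()
            if isinstance(r, dict) and r.get("class") == "user"
            and r.get("group", "admin") != "admin"}

if __name__ == "__main__":
    edited = set_right_group(SAMPLE, "system.preferences", "semiadmin")
    print(non_admin_rights(edited))
```

Running `non_admin_rights` against the file collected from each client gives a quick record of which machines carry the relaxed right and whether any other right has drifted from admin.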
0

I would set up sudo to allow just those commands. You can even set them by group.

Just run the command "visudo" to edit the sudo config.

http://osxfaq.com/man/8/visudo.ws

The Digital Ninja