How to allow Standard users on Mac OS X to change System Preferences like Network or Date & Time

mac-osx mac-osx-server

My small office environment hasn't had any IT staff before I was hired. They use a varied assortment of Mac OS X computers and I've been slowly converting them to a network-based OS X Server environment. All the computers were originally set up with just the one administrator account with a blank password. Files were put just about everywhere except the Documents folder. Nobody had user accounts. It was… messy.

Now that I've started converting them to networked Standard User accounts, my boss is complaining that everyone needs access to change things in System Preferences like Date & Time or Network (we're having some DHCP hiccups). I've tried to explain that under normal circumstances they shouldn't need to access that, but she's been very insistent about it.

Is there any way, either through Workgroup Manager or hacks, to allow Standard users admin access to individual preference panes? So far the least cringe-worthy thing I can think of is to make them local admins of their computers.

Best Answer

This can be done by editing the file /etc/authorization, which controls who's allowed to do what in the GUI in OS X. It's an XML property list file, so you can edit it with either a text editor or Apple's Property List Editor (part of the developer tools). Warning: if you get the edit wrong, it may render the system effectively unusable; test this on a Mac you wouldn't mind wiping and reinstalling if necessary. Anyway, you should find a section (under the "rights" main section) that looks like this:

    <key>system.preferences</key>
    <dict>
        <key>allow-root</key>
        <true/>
        <key>class</key>
        <string>user</string>
        <key>comment</key>
        <string>Checked by the Admin framework when making changes to certain System Preferences.</string>
        <key>group</key>
        <string>admin</string>
        <key>shared</key>
        <true/>
    </dict>

You can change the group from admin to whatever you want. For example, you could create a group called semiadmin, add all regular users to it, and then edit the authorization file to list:

    <key>group</key>
    <string>semiadmin</string>

Note that this won't apply to all system preferences. The Accessibility, Accounts, Parental Controls, and Security panes each have their own entries; if you want to expand access to those preferences, edit those sections similarly. Also, each computer follows its own authorization file, so you'll need to install this modified file on each client computer (after fully testing it, of course).
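An added example, not part of the original answer: one way to make the group change on a copy of the file without hand-editing XML, and to audit afterwards which rights have been opened to a non-admin group. The helper names `set_right_group` and `non_admin_rights` are hypothetical, and `SAMPLE` is a constructed, trimmed stand-in for /etc/authorization that holds only the right quoted above.

```python
import plistlib

# Constructed sample: a trimmed stand-in for /etc/authorization.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.preferences</key>
    <dict>
      <key>allow-root</key><true/>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
  </dict>
</dict>
</plist>
"""

def set_right_group(plist_bytes, right, new_group):
    """Return new plist bytes with rights[right]['group'] set to new_group."""
    db = plistlib.loads(plist_bytes)  # raises if the input is malformed
    entry = db.get("rights", {}).get(right)
    if not isinstance(entry, dict):
        raise KeyError(f"right {right!r} not found under 'rights'")
    if entry.get("class") != "user" or "group" not in entry:
        raise ValueError(f"{right!r} is not a group-checked 'user' right")
    entry["group"] = new_group
    out = plistlib.dumps(db, fmt=plistlib.FMT_XML)
    # Re-parse the output so a broken file is caught before it is installed.
    if plistlib.loads(out)["rights"][right]["group"] != new_group:
        raise RuntimeError("round-trip check failed")
    return out

def non_admin_rights(plist_bytes):
    """Audit: map each right to its group when that group is not 'admin'."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return {name: e["group"] for name, e in rights.items()
            if isinstance(e, dict) and e.get("group", "admin") != "admin"}

if __name__ == "__main__":
    edited = set_right_group(SAMPLE, "system.preferences", "semiadmin")
    print(non_admin_rights(edited))
```

Running `non_admin_rights` over the file collected from each client shows which machines carry the modified entry, which matters because every computer follows its own copy.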