Adding your Desktop Admin Groups to One Global Group for Administrators

One idea that has come up and is really handy, is creating a general support user so that you can login to machines and have Administrative rights to that machine. We have many groups, and each group has a Desktop Admin group that we add people to who need Administrative access. But we also use it to remove people that seem to abuse it.

Instead of manually adding the groups one by one, you can use dsquery and dsmod. You simple do a query to find the groups that you’ve created. In this example we’re looking for anything that ends in “Desktop Admin”:

dsquery group domainroot -name “*Desktop Admin”

Which returns all of the groups we need. Next step is to take the Global Desktop Admin group and add it to all of these groups. This is simple with dsmod:

dsquery group domainroot -name “*Desktop Admin” | dsmod group -addmbr “CN=Global Desktop Admin,OU=Network Admin,OU=Groups,DC=DOMAIN,DC=LAN”

Voila! Done.

Did you like this article?

You May Also Like

Exim4 and PHP and PHP-CGI mail() function using incorrect From: and applying Sender: headers.

If you're using Exim4 and PHP as a module or as a CGI with suexec. You may have noticed some issues with your mail. Specifically you would have noticed that either the "From:" header was using "[email protected]" or "[email protected] name, its also possibly that you had an additional header called "Sender:". There are two things you need to do to fix this. You first need to make sure that your "php.ini" has the following value "sendmail_path = /usr/sbin/sendmail -t -i". Which is the default, double check this variable as it might be set to something else.
Read More