Binding a Mac to AD is fairly straightforward. Most Mac admins worth their salt know how this is done, and many know how to do it via the command line. Once your Mac is bound, authentication is easy; local authentication, that is. But what if you want to use your secure AD credentials over an SSH or Apple Remote Desktop connection? That's when things need a bit more configuration. Having recently deployed a series of servers with this configuration, I figured I would share some of the commands needed to get this configured correctly.
The way to accomplish ARD AD authentication is by nesting an AD group inside a local group. You can create any group you want, but for the sake of this article we will use ARD_ADMIN. I need to credit this article: the UNT Apple Managers group is a valuable and often overlooked internet resource. I highly recommend checking out their group articles and tutorials.
Setup ARD Access
- Create a Local ARD_ADMIN group using dscl in Terminal:
sudo dscl . -create /Groups/ARD_ADMIN
sudo dscl . -create /Groups/ARD_ADMIN PrimaryGroupID "530"
sudo dscl . -create /Groups/ARD_ADMIN Password "*"
sudo dscl . -create /Groups/ARD_ADMIN RealName "ARD_ADMIN"
sudo dscl . -create /Groups/ARD_ADMIN GroupMembers ""
sudo dscl . -create /Groups/ARD_ADMIN GroupMembership ""
- Now you just need an Active Directory group to nest inside the ARD_ADMIN group. I already had such a group; to nest the AD group inside ARD_ADMIN, use this command:
sudo dseditgroup -o edit -a "UNT\SomeGroupName" -t group ARD_ADMIN
- Now that you have a local group with an AD group nested inside, you can give your group the necessary privileges via the ARD kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -activate -configure -access -on -privs -all -users ARD_ADMIN -restart -agent
- The last step in this process is to set the ARD client options to allow directory logins, again via the ARD kickstart command:
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -configure -clientopts -setdirlogins -dirlogins yes
Setup SSH Access
The process here is pretty straightforward. You would add a user to SSH, Active Directory or otherwise, using the Sharing pane in System Preferences. But what if the admin account in question is hidden? Hidden accounts can be great for system admins who want to hide a backup or admin account on their workstation.
However, there is no way to add a hidden user from that pane. To get around this you can un-hide the user using this command:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
Once done, you can add the user via System Preferences -> Sharing; the Remote Login option should have a spot for “Only these users”.
If you’ve properly joined the machine to the domain, you should be able to select the group from the “+” sign. To re-hide any formerly hidden user accounts, run this command:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
The Apple Way: How to allow administration of OS X from network-based accounts
Apple has its own write up on how to authenticate users via active directory credentials.
System Preferences
- You can add a network user to the local admin group using System Preferences.
- Log in with a network user account.
- From the Apple menu, choose System Preferences.
- From the View menu, choose Users & Groups.
- Select the “Allow user to administer this computer” checkbox.
- Enter a current administrator’s name and password when prompted.
Directory Utility (Active Directory)
- You can add Active Directory (AD) groups to the local admin group using Directory Utility. (Only Active Directory groups may be added using this method.)
- From the Apple menu, choose System Preferences.
- From the View menu, choose Users & Groups.
- Click Login Options.
- Click the Edit button by “Network Account Server”.
- Click the Open Directory Utility button to open Directory Utility (/System/Library/CoreServices/Directory Utility).
- Click the lock in the lower left corner to authenticate.
- Under the Services tab, double-click Active Directory to edit it.
- Click the disclosure triangle next to “Show Advanced Options” to reveal its contents.
- Under the Administrative tab, click the “Allow administration by” checkbox to enable it.
- Click the add button (+) to add new entries to the list.
- Click OK to save your changes.
Command line (advanced)
If you’re familiar with using Terminal and the command line, you can add network users or groups to the local admin group using the dseditgroup command in Terminal. The following example adds a network user to the admin group:
dseditgroup -o edit -n /Local/Default -u localadmin -p -a networkuser -t user admin
In this example, “localadmin” is the name of a local administrator account on the workstation (you’re prompted for this account password) and “networkuser” is the short name of the network user.
Conclusion
As you can tell, there are many ways to accomplish administration of your Mac via an Active Directory user account: locally, via ARD / VNC, and via SSH. A few things to toss in, in the event that you run into some roadblocks with some of the terminal commands:
To add a single Active Directory user to the local ard_admin group, do not use dscl to add or delete individual users. Use dseditgroup with the -a (to add) or -d (to delete) options.
sudo dseditgroup -o edit -a EUID -t user ard_admin
Remember that the man pages for the kickstart command are hidden. You cannot just type “man kickstart” in Terminal; that will not work. You can access this man page and others using the following commands:
man /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart
man dscl
man dseditgroup
Active Directory authentication doesn’t always work, so you want to be sure that you have a local admin account waiting in the wings in the event that something goes south with the AD bind to the Mac.
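As an added example (not from the original post), this shell script audits the ARD_ADMIN group record that the dscl and dseditgroup commands in the ARD section build, so you can confirm before running kickstart that access is granted only through the nested AD group and that nobody was added directly with dscl, as warned above. It reads the text of `dscl . -read /Groups/ARD_ADMIN`; the sample records and the GUID in them are constructed placeholders.

```shell
#!/bin/sh
# Added audit script (not part of the original post): checks a local
# ARD_ADMIN group record, as printed by `dscl . -read /Groups/ARD_ADMIN`.

# Print the value of one "Key: value" line from dscl output ("" if absent).
# $1 = attribute name; the dscl record text is read from stdin.
dscl_field() {
  awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Return 0 when the record matches the post's configuration:
#  - PrimaryGroupID equals the expected GID (530 in the post)
#  - GroupMembership is empty: no users were added directly with dscl
#  - NestedGroups is non-empty: the AD group was nested with dseditgroup
audit_ard_group() {
  record="$1"; expected_gid="${2:-530}"; rc=0
  gid=$(printf '%s\n' "$record" | dscl_field PrimaryGroupID)
  members=$(printf '%s\n' "$record" | dscl_field GroupMembership)
  nested=$(printf '%s\n' "$record" | dscl_field NestedGroups)
  if [ "$gid" != "$expected_gid" ]; then
    echo "FAIL: PrimaryGroupID is '$gid', expected $expected_gid"; rc=1
  fi
  if [ -n "$members" ]; then
    echo "FAIL: direct members present ($members); nest the AD group instead"; rc=1
  fi
  if [ -z "$nested" ]; then
    echo "FAIL: NestedGroups is empty; the AD group was not nested"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: access is granted only via nested group(s): $nested"
  return "$rc"
}

# Constructed sample records; the GUID is a placeholder, not a real value.
SAMPLE_OK='RecordName: ARD_ADMIN
PrimaryGroupID: 530
Password: *
GroupMembership:
NestedGroups: 00000000-0000-0000-0000-000000000001
RealName: ARD_ADMIN'
SAMPLE_BAD='RecordName: ARD_ADMIN
PrimaryGroupID: 530
GroupMembership: someuser
RealName: ARD_ADMIN'

# On a Mac, audit the live record; elsewhere, exercise the constructed sample.
if command -v dscl >/dev/null 2>&1; then
  audit_ard_group "$(dscl . -read /Groups/ARD_ADMIN)"
else
  audit_ard_group "$SAMPLE_OK"
fi
```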