Cool Solutions

ZENworks 11.2 Mac OS X Tools #1 : Grant Local Administrator ZAC SuperUser Rights



By:

April 17, 2012 11:28 am

Reads: 4477

Comments:1

License:
Free without Warranty

Download zacosxadmin

The ZENworks OS X agent (ZAC) is based on the ZENworks Unix agent. By default, both of these agents only grant SuperUser rights to the “root” user, which is a standard best practice in the Unix world. However, on OS X the “root” user is disabled by default, and best practice for OS X is to do everything with another local administrative user instead of enabling or using root.

So, whose best practice do you use? This script furthers OS X best practices by granting a local administrative user SuperUser rights in ZAC without permanently enabling root or requiring manual intervention. Once the local admin has SuperUser rights to ZAC, any other ZAC user changes can be done by this administrator and we never have to think about “root” again.

The script works by temporarily enabling root using OS X’s “dsenableroot” command, using “Expect” to SSH into the workstation from itself, running the appropriate ZAC commands to grant privileges, and ends by running dsenableroot again — this time to DISable the root user (including wiping root’s temporary password).

Script syntax is very simple:
/path/to/script/zacosxadmin.expect adminusername adminuserpassword newrootpassword
and the script is suitable for deploying from Terminal, ZENWorks itself, Apple Remote Desktop, or whatever other non-Novell Mac deployment system you are going to be replacing with ZEN :) .

More documentation is in the script’s own comments. I have tested it on OS X 10.5, and it should be thoroughly forward-compatible. Please let me know what your experience is with it, whether you find it useful, and how it might be improved.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags:
Categories: Cool Tools, Technical, ZENworks, ZENworks Configuration Management, ZENworks Patch Management

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

1 Comment

  1. By:jlodom

    Line 43 may need a semicolon, like so:
    expect “(yes/no)?” { send “yes\r” ; exp_continue }

    I will test and create an update soon.

    VN:F [1.9.22_1171]
    Rating: 0.0/5 (0 votes cast)

Comment

RSS