Hi all,
When I migrated our company's Mac users from 9 to 10.2, I was able to find a hack online that allowed standard users to modify things like date, time, and network locations. This was handy if they were traveling to a new office and needed to create a new location for that office's particular settings. Here is what I did:
I modified the following section of the file /etc/authorization using pico:
<key>system.preferences</key>
<dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
<true/>
<key>allow-root</key>
<true/>
</dict>
I changed "admin" to "staff" and saved the file. I then performed the following terminal commands:
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Accounts.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/Sharing.prefPane
chmod -R u=rwx,g=r,o=r /System/Library/PreferencePanes/StartupDisk.prefPane
This allowed standard users to modify date/time and network settings, but to be locked out of modifying accounts, sharing, or the startup disk.
------------------
Now, in 10.3, the file /etc/authorization has changed. I found a similar section below:
<key>system.preferences</key>
<dict>
<key>allow-root</key>
<true/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>This right is checked by the Admin framework when making changes to the system preferences.
Credentials remain valid forever.
An acquired credential is shared amongst all clients.
If the proccess that created the AuthorizationRef has uid = 0 this right will automatically be granted.</string>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>builtin:authenticate</string>
</array>
<key>shared</key>
<true/>
</dict>
I changed "admin" to "staff", and saved the file. I then logged in as a regular user and tried to unlock date/time (in 10.2, it was already unlocked). When it asked me to authenticate for a user in group "staff", I entered the standard user's name and password, but was denied access.
Do you know what I might have done wrong? Is there an easier way to do this? The control panels I want regular users to access are mainly date/time and network, and I want them to be locked out of things like accounts, startup disk, sharing, etc.
Thanks for any suggestions.
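
An added example, not part of the original post: a change-detection check that compares a known-good copy of the authorization plist with the current one and reports rights whose group was moved away from "admin", such as the admin-to-staff edit described above. It assumes the entries sit under a top-level `rights` dict; the sample plist and all function names are constructed for illustration.

```python
import plistlib

# Constructed sample: the 10.3-style entry from the post, wrapped in a
# top-level "rights" dict (assumed layout of /etc/authorization).
TEMPLATE = """<plist version="1.0"><dict>
<key>rights</key>
<dict>
  <key>system.preferences</key>
  <dict>
    <key>allow-root</key><true/>
    <key>class</key><string>user</string>
    <key>group</key><string>{group}</string>
    <key>mechanisms</key>
    <array><string>builtin:authenticate</string></array>
    <key>shared</key><true/>
  </dict>
</dict>
</dict></plist>"""

def load_rights(xml_text):
    """Parse an XML plist and return its 'rights' dict (empty if absent)."""
    return plistlib.loads(xml_text.encode("utf-8")).get("rights", {})

def diff_rights(baseline, current):
    """Return (right, key, old, new) for every attribute that differs."""
    changes = []
    for right in sorted(set(baseline) | set(current)):
        old, new = baseline.get(right), current.get(right)
        if not isinstance(old, dict) or not isinstance(new, dict):
            # Right added, removed, or not a dict: report it as a whole.
            if old != new:
                changes.append((right, None, old, new))
            continue
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((right, key, old.get(key), new.get(key)))
    return changes

def widened_groups(changes, trusted=("admin",)):
    """Keep only changes that move a right's group out of a trusted group."""
    return [c for c in changes
            if c[1] == "group" and c[2] in trusted and c[3] not in trusted]

if __name__ == "__main__":
    base = load_rights(TEMPLATE.format(group="admin"))
    cur = load_rights(TEMPLATE.format(group="staff"))
    for right, key, old, new in widened_groups(diff_rights(base, cur)):
        print(f"{right}: {key} changed {old!r} -> {new!r}")
```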