Unlocking Preference Panes For Non-Admin Users On 10.6 & 10.7


UPDATE: A tool called authbuddy has just come to my attention that will manage this better & for 10.7+.

Way back in November 2010 I posted a script that would unlock each secure system preference pane for non-admins (this can be found here).

With Lion came a more granular way to achieve the same, but rather than have one script for 10.6 & another for 10.7, I’ve amalgamated them with an OS check in the script.

So if the below script runs on 10.6.x it will untick the option System Preferences > Security > “Require Password To Unlock Each Secure Preference” & allow all users to unlock the below preference panes. If the OS is 10.7.x the below are allowed on a per pane level.

  • Energy Saver
  • Network
  • Sharing
  • Date & Time
  • Startup Disk
  • Time Machine

(Thanks to John for the Date & Time 10.7 line).
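An added audit example, not the script from this post: it compares a backup copy of the authorization file with the current one and reports which `system.preferences*` rights changed group, so you can confirm exactly what was opened to `everyone`. The `rights` > name > `group` layout follows the PlistBuddy path quoted in the comments; `system.preferences` and `system.preferences.network` are assumed right names, and both plists are constructed samples.

```python
"""Audit which System Preferences rights non-admins can unlock."""
import plistlib

PREFIX = "system.preferences"  # 10.6: one right; 10.7: one right per pane


def pref_groups(plist_bytes):
    """Map each system.preferences* right to the group allowed to unlock it."""
    rights = plistlib.loads(plist_bytes).get("rights", {})
    return {
        name: spec.get("group")
        for name, spec in rights.items()
        if isinstance(spec, dict)
        and (name == PREFIX or name.startswith(PREFIX + "."))
    }


def changed_rights(backup_bytes, current_bytes):
    """Return {right: (old_group, new_group)} for rights whose group differs."""
    old, new = pref_groups(backup_bytes), pref_groups(current_bytes)
    return {
        name: (old.get(name), group)
        for name, group in sorted(new.items())
        if old.get(name) != group
    }


def _sample(groups):
    """Build a constructed authorization plist; not copied from a real Mac."""
    rights = {name: {"class": "user", "group": group, "shared": True}
              for name, group in groups.items()}
    # A non-preference right with no group key, to show it is filtered out.
    rights["system.login.console"] = {"class": "evaluate-mechanisms"}
    return plistlib.dumps({"rights": rights, "rules": {}})


# Constructed "before" and "after" files: only Date & Time was opened up.
BACKUP = _sample({"system.preferences": "admin",
                  "system.preferences.datetime": "admin",
                  "system.preferences.network": "admin"})
CURRENT = _sample({"system.preferences": "admin",
                   "system.preferences.datetime": "everyone",
                   "system.preferences.network": "admin"})

if __name__ == "__main__":
    for right, (old, new) in changed_rights(BACKUP, CURRENT).items():
        print(f"{right}: {old} -> {new}")
```

On a Mac, pass the bytes of the backup copy and of `/etc/authorization` instead of the constructed samples.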

27 thoughts on “Unlocking Preference Panes For Non-Admin Users On 10.6 & 10.7”

  1. John

    Doesn’t seem to work on 10.7.x

    I see in the script it says if $OS == 10.6, but I don’t see anything if OS == 10.7

    • Ben Toms

      That’s correct… It’s using an if/else statement.

      So if OS = 10.6.x do something, if 10.7.x do something else.

      What errors are you seeing?

    • Ben Toms

      Actually I may be answering this the wrong way.

      Once the script has run, the preference may look locked. Can a non-admin user then unlock with their credentials?

      If so, then all is well.

        • Ben Toms

          Progress!!

          Do you need/want users to edit Date & Time? We stop our users from editing it via MCX.

          I’ll amend with those changes later. It was left in the list as in 10.6 you could only enable those listed.

          (I also updated the script as it wasn’t performing the OS checking properly).

          • John

            The Date/Time was the main thing I was looking for, we have VPs that travel and need to change their timezones.

      • John

        Ah-Ha! Figured out the culprit – there was no datetime entry in there, I used yours as a guideline and found the string in the authorization file and now it works! Thank you very much! You rock!

        • Ben Toms

          Cool & thanks. 🙂

          Can you post the line so I can add it to the script?

          I’m on leave currently & am not near a Mac.

          Tbh, I forgot about the date & time pref pane. On 10.6 there was only one option with no granularity.

          Also, is yours an AD environment? I only ask as allowing users to change the time can lead to them changing it to outside of 5 mins of your DC’s. This (when back in the office), would stop them from being able to login.

          I’ve seen this a few times where some office/airport’s clock is outside of 5 minutes of your DC, so the VP changes time & then cannot login. So my VP’s use the dashboard widget.

          • John

            Date and Time setting:
            # Unlock Date and Time
            sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group everyone' /etc/authorization

            We are in an AD environment with an internal time server, if the users change the time, it should sync the next time they are on the lan… in theory.

            • Ben Toms

              Ty. Uploaded your addition & added a credit. 🙂

              In regards to users having access.

              Yep NTP server should amend time. BUT what if they change the server?

              To change the time (& not the timezone), users will need to untick the “Automatically Update Time…” tick box. Doing so breaks the NTP sync meaning it will need to be adjusted manually.

              I might be wrong, so please check. The above is all off the top of my head.

  2. John

    No errors specifically. It copies to the backup, but doesn’t seem to modify anything. The preferences never unlock. I tried pushing through casper and just running a sudo locally on the box.

    • Ben Toms

      I’ve added a second echo to the script..

      Can you please run then test again?

      Also, if you run the script locally in something like TextWrangler or just terminal does it work?

  3. John

    I copied to a new auth.sh file, chmod to +x, signed into regular user account, opened terminal and login admin, ran under sudo, and this is what returns
    Given rights to the everyone group to unlock secure system preferences for OS …

    but nothing is unlocked.

  4. Victor

    Greetings Ben Toms

    Thank you so much for replying to my request for help on JAMF Nation.

    So, I used the script you posted and ran as is on a 10.7.4 install. Most things appeared to work except Printing. I reset the security settings with the backup copy of the original authorization file and also commented out the settings in your script for preferences I wanted to keep locked down (Accounts, Security, Sharing, Software Update, Startup Disk and Time Machine).

    So, the amended script should open up to everyone the ability to make changes to (Accessibility, Date & Time, Energy Saver, Network, Parental Controls, Print & Scan)

    I ran the script again (after a reboot) but Printing remains problematic.

    Upon opening up the Print & Scan pane, a standard/mobile user is able to hit the “+” button to add a printer which actually then prompts you for authentication credentials of a user who is a member of the Print Administrators group, and I guess the user I was using was not as it fails, could not see anything in your script that sets rights for this print group. I can cancel this challenge and proceed to the next stage – Add Printer.

    The default list of printers that are being picked up via Bonjour is shown, but I always install under IP/Line Printer Daemon -LPD anything else is always messy or plain broke. After adding the printer IP address and selected the driver the authentication challenge for the Print Administrator is given again, proceeding further provokes a CUPS authorisation error.

    Let me see about adding the rights for the Print Administrator Group to your script and see if that resolves the issue with printing.

  5. Victor

    Hi there

    Well thanks for the printing tip, this all seems to work now under 10.7. However, under 10.8 the release command for Networking appears to be ignored, the pane remains locked (even after a reboot)
