According to the documentation, if we want a specific network user to be a local admin on a Mac, we are supposed to add the posixAccount extention to a user's nds account so we can specify the gidNumber value of 80, and cause the user account to be in the admin group.

The problem is in doing so, you are forced to set a uidnumber as well. If you leave this at zero, you can no longer log in with that account because the uidNumber is wrong. You could fix this by making Kanaka only use self generated uids and ignore the new value on the account, but that is not the default setting nor is this issue documented anywhere. (Maybe it should be?) Or you could look up the uid number kanaka generated and enter that manually, but that is not easy. The only way I know how is to the user information from the directory editor on a Lion system.

So I scrapped all that and now I add the posixGroup extention instead, i can specify the gidNumber without having to enter a uidNumber, and this still seems to work just fine. Kanaka seems to find the gidNumber regardless of what extension was added to apply it to the user account.

Does anyone know if it is safe to use posixGroup? Its less confusing and less work for our technicians.