How to setup MAC Local Administrator Rights for QAS Users
You can set the following setting by doing the vastool configure command.
1 -Click on Application folder
2 - Click on Utilities
2- Click on Terminal.app
4 - cd /opt/quest/bin
5 - sudo ./vastool configure vas vas_macos admin-users johnd@example.com
The above command will modify the /etc/opt/quest/vas/vas.conf for you.
You can also set the setting manually in the file. Here is the some information from the AuthenticationServices_4.0_MacAdminGuide.pdf on how to setup Local Administrator Rights for QAS Users.
QAS allows you to give local administrator rights to QAS users on individual Mac OS X systems. This gives a user the ability to administer his own system while still using Active Directory for authentication. It also allows Mac OS X system administrators "admin" access on Mac OS X systems without a shared local account.
To Grant QAS Accounts Administrator Rights :
1. Modify the /etc/opt/quest/vas/vas.conf file and add the following section to the
QAS configuration using a text editor:
[vas_macos]
admin-users = johnd@example.com
For example, with the pico text editor, enter:
$ sudo pico /etc/opt/quest/vas/vas.conf file
Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.
For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for QAS users with administrator rights. The Domain Users option also supports groups of users.
2. Specify the group in the form, Domain\groupname.
Either step ensures that QAS processes the new configuration.
3. Verify that the configured users have administrator rights by checking their group memberships using the following command line (the example is for a user called jdoe):
$ groups jdoe
If jdoe was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center