Membership in the lpadmin group on Mac OS X Leopard

In this MacEnterprise list thread about printing authentication, Greg Neagle mentions that:

Under Leopard, all local users are members of lpadmin, but I think network users are not. So this method won't grant network users CUPS rights.

To confirm Greg's suspicions, I ran the following shell snippet.

$ for CHECKUSER in mobile_account_user network_account_user local_account_user
do
        /bin/echo "--- $CHECKUSER"
        for CHECKGROUP in authedusers consoleusers interactusers netaccounts localaccounts netusers lpadmin
        do
                /bin/echo -n "$CHECKUSER in $CHECKGROUP: "
                dsmemberutil checkmembership -U "$CHECKUSER" -G "$CHECKGROUP"
        done
done

This loops through the fictional accounts "mobile_account_user," "network_account_user," and "local_account_user." These accounts are, as you might expect, a locally cached mobile account from a network directory, a wholly network directory-based account, and a simple local admin account. While the accounts presented here are fictional, the results were confirmed on a live system bound to a directory service.

The rest of the snippet determines if the accounts are members of any of the specified computational groups that debuted in Leopard. The last group checked is the "lpadmin" group. By looking at these group memberships, we can determine whether Leopard thinks that the account being tested is a local or network account.

Running the snippet above, with the right accounts available, produces the following output:

--- mobile_account_user
mobile_account_user in authedusers: user is not a member of the group
mobile_account_user in consoleusers: user is not a member of the group
mobile_account_user in interactusers: user is not a member of the group
mobile_account_user in netaccounts: user is a member of the group
mobile_account_user in localaccounts: user is not a member of the group
mobile_account_user in netusers: user is not a member of the group
mobile_account_user in lpadmin: user is a member of the group
--- network_account_user
network_account_user in authedusers: user is not a member of the group
network_account_user in consoleusers: user is not a member of the group
network_account_user in interactusers: user is not a member of the group
network_account_user in netaccounts: user is a member of the group
network_account_user in localaccounts: user is not a member of the group
network_account_user in netusers: user is not a member of the group
network_account_user in lpadmin: user is not a member of the group
--- local_account_user
local_account_user in authedusers: user is not a member of the group
local_account_user in consoleusers: user is not a member of the group
local_account_user in interactusers: user is not a member of the group
local_account_user in netaccounts: user is not a member of the group
local_account_user in localaccounts: user is a member of the group
local_account_user in netusers: user is not a member of the group
local_account_user in lpadmin: user is a member of the group

So, it appears mobile and local users get added to the lpadmin group automatically in Leopard, but network accounts do not.

Note that I didn’t check whether membership in the “admin” group made a difference or not. I also didn’t isolate for that factor.

I found it interesting that the mobile account is a member of “netaccounts” but not “localaccounts.” (By group membership alone, I’m not sure you could identify whether an account was a mobile account or not. Yet, that kind of test is part of the point of having these computational groups in the first place.)
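
As an added example (not part of the original post), the shell/awk filter below reads the loop's output and reduces it to one line per account, showing how the groups classify it and whether it holds CUPS administration rights through lpadmin. The function names are hypothetical, and the sample input is a constructed subset of the output shown above.

```shell
# Reduce "<user> in <group>: user is [not ]a member of the group" lines
# to "<user> <class> lpadmin=<yes|no>", one line per user, in input order.
summarize_membership() {
    awk '
    $2 != "in" || $3 !~ /:$/ { next }   # skip "--- user" separators and noise
    {
        user = $1; group = $3; sub(/:$/, "", group)
        if (!(user in seen)) { seen[user] = 1; order[++n] = user }
        member[user, group] = ($0 ~ /: user is a member of the group$/) ? 1 : 0
    }
    END {
        for (i = 1; i <= n; i++) {
            u = order[i]
            # Mobile accounts land in "network": they are in netaccounts only.
            if (member[u, "localaccounts"])    class = "local"
            else if (member[u, "netaccounts"]) class = "network"
            else                               class = "unknown"
            printf "%s %s lpadmin=%s\n", u, class, (member[u, "lpadmin"] ? "yes" : "no")
        }
    }'
}

# Names of the accounts that are members of lpadmin.
lpadmin_members() {
    summarize_membership | awk '$3 == "lpadmin=yes" { print $1 }'
}

# Constructed sample: three of the seven group checks per account, from above.
sample_output() {
cat <<'EOF'
--- mobile_account_user
mobile_account_user in netaccounts: user is a member of the group
mobile_account_user in localaccounts: user is not a member of the group
mobile_account_user in lpadmin: user is a member of the group
--- network_account_user
network_account_user in netaccounts: user is a member of the group
network_account_user in localaccounts: user is not a member of the group
network_account_user in lpadmin: user is not a member of the group
--- local_account_user
local_account_user in netaccounts: user is not a member of the group
local_account_user in localaccounts: user is a member of the group
local_account_user in lpadmin: user is a member of the group
EOF
}

sample_output | summarize_membership
```

On a bound Mac, pipe the output of the loop above into `summarize_membership` in place of `sample_output`.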