I know in the unix world, if you wanted to be granular about whether a user could modify user accounts, you can specify whether they can sudo the useradd usermod commands.
I am not just looking for the answer "just make them an Admin user", because basically I want the following :
User Andy , has all admin privileges
User Betty , has all admin privileges, except for removing Andy as an Admin user.
References
[1] Best practice for installing applications for multiple users?
Best Answer
This isn't possible on OS X.
An admin user is root. All admin users are root, if they know how to do something or get into terminal, they can do anything.
You might need to set up Server or pick a tool to do this. My favorite tool for situations where you need to give users the ability to do admin things and have them be non-admin users is to deploy JAMF's Casper suite.
If your time isn't valued high and you don't mind re-inventing the wheel, you could use a tool like munki to re-implement a set of tools that allow limited
sudo
items and wrap it in your own authentication layer to reduce the chance of allowing true Admin access, but I've never seen a case where it's cheaper to really set this up than to purchase a tool designed for exactly this use case.You can still avail yourself of the sudo commands, but if you let a user be an admin privilege - they can and will have full run of the GUI versions of the tools that can create, destroy users (as well as modify the sudo files).