
Active Directory account doesn't show AD group membership in terminal, and drive mounts fail

  • January 29, 2013
  • 9 replies
  • 56 views


Hello,

My machine is bound to AD and when I type "id" from Terminal, I don't see any of my AD groups, only local groups. I am on the network, and have unbound and then rebound a couple of times; it works (I can see my AD groups) for a couple of days, but then they're gone again. I can, however, continue to access network resources and obtain a Kerberos ticket, but a script that maps drives based on the logged-in user's (my) AD groups fails. Any thoughts? Thank you.

9 replies

scottb
  • Valued Contributor
  • January 29, 2013

Does your AD setup require your Macs to be moved to another OU after binding? We have a "staging" OU and if a machine is left there, it will get disabled after x days. If you have access to Active Roles, you should be able to find the object (Mac) there and see what's up.


  • Author
  • Contributor
  • January 29, 2013

No, the Macs are joined to the correct OU as part of the AD binding.


scottb
  • Valued Contributor
  • January 29, 2013

Dumb question, but do you utilize a Time Server (System Prefs / Date & Time)? Seems that if you're bound OK and working, then something changes, it could be something like that.


  • Author
  • Contributor
  • January 29, 2013

Yes, our Macs are using a time server/Apple.


  • Valued Contributor
  • January 29, 2013

Some AD deployments block group enumeration for non-Windows bound clients. Sometimes this is done in academic environments per a strange reading of FERPA rules. It is possible to provide exceptions for computer objects, or by OU. You might want to check other longer established Mac AD-bound clients and see if there is a different behavior and see what the differences might be.


  • Honored Contributor
  • January 30, 2013

Hey guys,
Just to further what boettchs said, I had a similar issue with Snow Leopard. I did notice a time server drift. I wrote the following script to use the DC as my time server. It seemed to have cleared the "weirdness" up:

#!/bin/bash
# Point the Mac at the domain controller for time, then re-enable network time
sudo systemsetup -setusingnetworktime off
sudo systemsetup -setnetworktimeserver "name or ip of your dc"
sudo systemsetup -setusingnetworktime on

LS


scottb
  • Valued Contributor
  • January 30, 2013

That's what I was thinking. We have our AD servers and all clients use the same internal Time Servers to avoid the drift/offset. If it gets beyond 5 minutes - which I think is the norm - it will keep you from authenticating. I don't know if it's a good idea to use an external Time Server or not - never seen that done with any of my work environments.
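As an added example (not a script from this thread or from any of the posters), the following separates the two causes the replies raise: the directory returning only local groups (boettchs's point about restricted group enumeration) and clock skew beyond the Kerberos tolerance (scottb's 5-minute rule). The pure functions take the `id` output and a clock offset as arguments so they can be exercised offline; the `--live` mode gathers the real values on a bound Mac. Assumed names: NetBIOS domain CORP and DC dc1.corp.example; the group parsing assumes the macOS AD plugin's "DOMAIN\group" naming in `id` output.

```shell
#!/bin/bash
# Added diagnostic example, not code from the thread.
# Assumed names (not from the thread): domain CORP, DC dc1.corp.example.

KRB_MAX_SKEW=300   # seconds; the usual Kerberos clock-skew limit (5 minutes)

# count_ad_groups ID_OUTPUT DOMAIN
# Parses the "groups=" field of `id` output and prints "<ad> <local>".
# The macOS AD plugin prefixes domain groups with "DOMAIN\", which is how
# they are told apart from local groups such as staff or everyone.
count_ad_groups() {
    local id_output="$1" domain="$2"
    local groups ad=0 local_n=0 entry name IFS
    groups=${id_output##*groups=}
    IFS=','                          # entries look like 20(staff) or 123(CORP\domain users)
    for entry in $groups; do
        name=${entry#*\(}            # strip the numeric gid and "("
        name=${name%\)}              # strip the trailing ")"
        case "$name" in
            "${domain}\\"*) ad=$((ad + 1)) ;;
            *)              local_n=$((local_n + 1)) ;;
        esac
    done
    printf '%d %d\n' "$ad" "$local_n"
}

# skew_within_tolerance OFFSET_SECONDS
# Returns 0 when |offset| <= KRB_MAX_SKEW, 1 when the clock is too far out,
# 2 when the offset is not a number. awk is used because sh arithmetic is integer-only.
skew_within_tolerance() {
    awk -v o="$1" -v m="$KRB_MAX_SKEW" 'BEGIN {
        if (o !~ /^[-+]?[0-9]+(\.[0-9]+)?$/) exit 2
        if (o < 0) o = -o
        exit !(o <= m)
    }'
}

# diagnose ID_OUTPUT DOMAIN OFFSET_SECONDS
# Prints one verdict: offset-unreadable, clock-skew, no-ad-groups, or ok.
# A drive-mapping script can refuse to run on anything but "ok" instead of
# silently mounting nothing when the group list is empty.
diagnose() {
    local counts ad rc=0
    counts=$(count_ad_groups "$1" "$2")
    ad=${counts%% *}
    skew_within_tolerance "$3" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "offset-unreadable"
    elif [ "$rc" -ne 0 ]; then
        echo "clock-skew"
    elif [ "$ad" -eq 0 ]; then
        echo "no-ad-groups"
    else
        echo "ok"
    fi
}

# Run on the affected Mac with `--live [DOMAIN] [DC]` to gather the real inputs.
if [ "${1:-}" = "--live" ]; then
    domain=${2:-CORP}
    dc=${3:-dc1.corp.example}
    echo "== binding and group membership as the OS sees it =="
    dsconfigad -show
    id
    set -- $(count_ad_groups "$(id)" "$domain")
    echo "AD groups: $1, local groups: $2"
    echo "== Kerberos ticket cache =="
    klist 2>/dev/null || echo "no Kerberos ticket"
    echo "== clock offset from $dc =="
    # sntp prints the offset in seconds; the output layout varies by macOS
    # version, so read the offset field and pass it to skew_within_tolerance.
    sntp "$dc" 2>&1 || echo "sntp query failed"
fi
```

The combination the original poster describes (a Kerberos ticket is obtained, so the clock is fine, but `id` lists zero AD groups) comes out as "no-ad-groups", which points at the directory side (group enumeration restricted for the computer object or OU, or the lookup silently degrading) rather than at time drift; "clock-skew" is the case where binding and ticket acquisition themselves start failing.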


  • Author
  • Contributor
  • February 5, 2013

Thank you all for the comments! I will test the script for setting the time server.


  • Valued Contributor
  • November 26, 2013

Is anyone else seeing this?

For us it seems to be on and off. Sometimes we can pull AD groups, other times we can only pull local groups.