I am testing a new setup. The Mac is joined to an AD domain. The user is in the Administrator group. When I log in to the Mac on site, the user has the Admin, Managed, and Mobile roles, as it should. When I log in to the Mac off site, the user is missing the Admin role. The user needs to have the Admin role also when not logging in off site.



Any idea why this is happening and how I could fix this?

We were using this script on a login policy scoped to the LDAP groups whose members we wanted to have local admin rights on laptops.



#!/bin/bash
# Checks if the currently logged in user is a local admin and adds them if they are not
# Is to be used in conjunction with another script that determines their AD groups to decide if they should be added
# Jamf passes the logged-in username as the third script parameter
TheUser="$3"
if [[ -z "$TheUser" ]]; then
    echo "No username was passed in \$3; nothing to do"
    exit 1
fi
# GroupMembership is returned as "GroupMembership: root admin user1 ..."
TheGroup=$(dscl . read /Groups/admin GroupMembership)
echo "$TheGroup"
echo "User to be added is $TheUser"
# Match the whole name surrounded by spaces so "bob" is not mistaken for "bobby"
if [[ " ${TheGroup#GroupMembership:} " == *" $TheUser "* ]]
then
    echo "The user is already a member of the admin group"
else
    echo "Attempting to add the user to the admin group"
    dscl . append /Groups/admin GroupMembership "$TheUser"
fi
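
The script above makes the AD user a direct member of the local admin group, which is what keeps the Admin role available when the domain is unreachable. The following is an added example, not the poster's script or anything from Jamf, that factors the membership test into a function so it can be checked offline: it compares whole names rather than substrings, and only calls dscl when it exists, otherwise working against a constructed sample of the dscl output. The names `is_member`, `ensure_local_admin` and the sample membership line are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not the original poster's script): whole-word membership check
# for the local admin group plus an idempotent add that only touches dscl on macOS.

# Constructed sample of `dscl . read /Groups/admin GroupMembership` output.
SAMPLE_MEMBERSHIP="GroupMembership: root admin jsmith"

# is_member USER MEMBERSHIP_LINE -> 0 if USER is listed, 1 otherwise.
# Tokens are compared whole, so "jsm" does not match "jsmith" and an empty
# username never matches anything.
is_member() {
    user="$1"
    members="${2#GroupMembership:}"
    [ -z "$user" ] && return 1
    for m in $members; do
        [ "$m" = "$user" ] && return 0
    done
    return 1
}

# ensure_local_admin USER -> prints the action taken.
# Reads the live group when dscl is available; elsewhere it falls back to the
# constructed sample so the decision logic can be exercised on any system.
ensure_local_admin() {
    user="$1"
    if command -v dscl >/dev/null 2>&1; then
        membership=$(dscl . read /Groups/admin GroupMembership)
    else
        membership="$SAMPLE_MEMBERSHIP"
    fi
    if is_member "$user" "$membership"; then
        echo "already-member"
    elif command -v dscl >/dev/null 2>&1; then
        # Quoted so a username can never be split into extra arguments.
        dscl . append /Groups/admin GroupMembership "$user" && echo "added"
    else
        echo "would-add"
    fi
}

# Usage from a Jamf login policy: ensure_local_admin "$3"
```

In a policy the call would be `ensure_local_admin "$3"`; the gating of which AD groups qualify still belongs in the policy scope or a companion script, as the poster describes.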

This is one of many threads on this topic... @jerryh


This is actually supposed to work this way...


What @RobertHammen said.



I have a post on this here.


@jerryh As mentioned previously, this is by design. I've had a ticket open with Apple engineering about it for a couple years asking for a change in this behavior, but have gotten nowhere with it.



Our testing has shown that @bentoms script is the best workaround, but we have yet to deploy it.

