Has anyone else seen this happen?
Honestly, you will find most of us stopped AD binding years ago. Unfortunately, Apple REALLY does not want you AD binding anymore. However, I suggest moving your Admin access check to using local groups rather than AD groups for stability.
Yeah, AD binding is like imaging...🪦
I knew that the Jamf community hasn't been fond of AD for some time now. Maybe it's time for us to give Jamf Connect another look. I'd tried hard to avoid using AD. I even managed to get a Mac to use Google for its directory binding, but I couldn't figure out how to mass deploy it through Jamf or how updating the certificate for it was going to work. It just seemed odd that the system upgrade would only partially break the binding.
When you say local groups, do you mean local groups on the Mac? I see a bunch of scripts for adding admin access for individual users, but nothing for linking access to group membership in Jamf or assigning access to a group pushed from Jamf.
While AD binding isn't ideal...sometimes it's needed. But what we do is create a local user account for the user and then use the SSO configuration profile to connect that local account with AD.
What you can also do if you have accounts that you know should be admin is create a script that checks the user and makes sure they are in the admin group. If not, it puts them in it.
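Added example, not part of the thread and not anyone's production script: one way to write the check described in the post above, using macOS's `dseditgroup` to test membership of the local `admin` group and add an account only when it is missing. The function names, the `DSEDITGROUP` override variable and the name validation are assumptions made for this sketch; how it is wired into a Jamf policy is not shown.

```shell
#!/bin/bash
# Added example: make sure named accounts are in the local macOS "admin" group.
# Run as root, passing the short names of accounts that should be admin.
# DSEDITGROUP is overridable (assumption of this sketch) so the logic can be
# exercised on a machine without dseditgroup.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"
ADMIN_GROUP="admin"

# Returns 0 if account $1 is already a member of the local admin group.
is_admin() {
    "$DSEDITGROUP" -o checkmember -m "$1" "$ADMIN_GROUP" >/dev/null 2>&1
}

# Checks each account and adds it only when missing. Prints one status line
# per account and returns the number of accounts that could not be handled.
ensure_admins() {
    local failed=0 user
    for user in "$@"; do
        # Accept plain short names only, so a stray argument is never
        # handed to dseditgroup as an account to elevate.
        case "$user" in
            ""|*[!A-Za-z0-9._-]*)
                echo "skip: invalid name '$user'"
                failed=$((failed + 1)); continue ;;
        esac
        # Never try to elevate an account the system cannot resolve.
        if ! id "$user" >/dev/null 2>&1; then
            echo "skip: no such account '$user'"
            failed=$((failed + 1)); continue
        fi
        if is_admin "$user"; then
            echo "ok: $user already in $ADMIN_GROUP"
        elif "$DSEDITGROUP" -o edit -a "$user" -t user "$ADMIN_GROUP"; then
            echo "added: $user to $ADMIN_GROUP"
        else
            echo "error: could not add $user"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only act when account names were supplied on the command line.
if [ "$#" -gt 0 ]; then ensure_admins "$@"; fi
```

The status lines end up in whatever log captures the script's output, which gives a record of when an account had to be re-added to the group.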
Thanks for the info, I will keep it in my mind.