During prestage enrollment, the Macs are bound to AD and members of an AD group, tier2-users, is specified to be administrators. Local accounts are Mobile account enabled. However users of the group, tier2-users are no longer recognized as local administrators. I think this was working fine in Ventura, but Im running Sonoma now and all the local accounts are just recognized as Mobile accounts.
Question
Mac Mobile Users No Longer Recognized as Administrators
+10
+26Apple has not designed macOS with domain binding in mind for over a decade ago now. Its pretty safe to assume things will randomly break as new OS updates come out.
Have you check to see if the Mobile Users group is in the local admin group? If it's not, you could add it with a terminal command. You may need to update sudoers also. Either way, I strongly recommend looking in to solutions for moving away from AD Binding.
@msnowdon wrote:
During prestage enrollment, the Macs are bound to AD and members of an AD group, tier2-users, is specified to be administrators. Local accounts are Mobile account enabled. However users of the group, tier2-users are no longer recognized as local administrators. I think this was working fine in Ventura, but Im running Sonoma now and all the local accounts are just recognized as Mobile accounts.
Hello @msnowdon,
It seems like a macOS Sonoma update might be causing the issue with tier2-users not being recognized as local administrators. You could try updating your group policies or checking for any known issues with Sonoma and AD integration.
Best Regards,
James Keen
+14I have a test machine here on 14.7.1. It's bound to a Microsoft Domain. People who log on using AD accounts are getting Mobile accounts. We do have some accounts in special AD groups and they are configured in the binding because of the groups to be local administrators just like yours.
I just tested logging on with a user in that special group and it is showing as an Administrator and Mobile as expected. What have you checked? Are you the only person doing the Mac administration there?
Some places I'd be looking are in the actual binding on a problem machine and see if the expected group is there as an Administrator group. If it's not there, look on the Bindings in Jamf and see if the group is there. If it is there on the local machine you need to figure out why the machine doesn't make members of that group Admins.
Is it reproducible?
+16If you perform an unbind/rebind action, do they get their admin status back? Having lived for far too long in an org that required binding, that was often a fix for me. That does not solve the root of the problem, which is binding itself is effectively broken on macOS.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.