Skip to main content

Hi friends!



We're just starting to use imaged machines with users and are noticing some behavior that we didn't experience before. Our usual set-up involves configuring the OS, binding to active directory, logging in with their network account which then creates an account on the machine, and then doing whatever else is needed for their profile. Usually that login appears in the Users and Groups pane in System Preferences. We've found, however, that since using Casper Imaging that when we log in with a local admin account on the device that the Network Account/User is not listed in Users and Groups. When I go into the User folder, their files and folders are there and were created.



I'm not sure why this behavior is happening and was wondering if there is a configuration of some kind that I'm missing. Are there any other users out there that work in an Active Directory environment that configure similarly? Is there a way to ensure the account is being created correctly?



For the record, I don't have ANY configuration profiles created or scoped to any machines. At this time the JSS is really just monitoring inventory.



Thanks!

The other thing we've noticed is that when logged in as the network user we're unable to open the Users & Groups pane. That's never been an issue before. Do I need to make sure a configuration profile is in place for these machines that ensures full administrative access?

Do you have it checked to create the Mobile account?

We don't create the account in the Users & Groups panel. The account is created when they login at the Login screen with their AD credentials. Other than that I'm not sure where we could set that for new users on the device.

I think you're on to something though, @jimlee. I'll turn on mobile account at login and test that. Thanks!

Use (if you like the GUI) /System/Library/CoreServices/Directory Utility.
Turn on (as was said above) Mobile accounts under the Active Directory config tab.

Hi Everyone,



With the OS X AD plugin, if you enable the mobile accounts it will cache the AD account locally in Apple's directory services, and map AD mappings as well. All local accounts have a UID range of 500 to 999. This has been the case since like OS X 10.2 (maybe since 10.0, but I cannot remember that far back). So if I take a look at my users on my laptop:



bash-3.2$ dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'

aesopr

bcrocker_ad

test1

test2

test3

tlarkin

bash-3.2$


So I have 4 local accounts and 2 AD accounts on this laptop. Now if I run that same dscl query but only for UIDs greater than 1000, it should return my 2 AD user accounts:



bash-3.2$ dscl . list /Users UniqueID | awk '$2 > 1000 { print $1 }'

aesopr

bcrocker_ad

bash-3.2$


This is because in my AD binding I have the box checked for the AD plugin to create a mobile account, so it will cache a record to the local BSD database for each user. If you don't have that box checked it will never cache the credentials, and never make a local mapping/record of that user. Which means it won't show up in System Preferences unless they are logged in, since that would all get mapped at login, and never cached.



I hope that makes sense.



Thanks,
Tom

Realized that checkbox wasn't ticked on my AD bind. Now it looks like we're back to the norm.



Thanks, everyone!

I believe in 10.8/10.9 you do not see accounts in the Users and Groups System Preference when logged in as a local admin.

@pblake: AFAIK, the only time you don't see the User accounts in U&G is if the User ID is <500.
Otherwise, they should all show up there.

You should see all accounts in the System Preferences pane, except for Network Accounts that do not sync (create mobile accounts) records to the Mac locally.

I know this thread is old but this is the closest I have been to finding a solution.



We have all of the settings in aforementioned fixes to the OP's issue however the Username is blank in System Preferences. This is really a non issue as everything is working as expected but I am wondering if there is one last element I am missing to resolve the "blank" username. It shows up fine in the menu bar. I attached a screen shot.



Thanks in advance!

Reply


Terms & ConditionsCookie settings