Posted on 09-22-2016 06:27 PM
I am testing a new setup. Mac is joined to an AD domain. User is in the Administrator group. When I log in to the Mac on site, the user has Admin, Managed, and Mobile roles, as it should. When I log in to the Mac off site, the user is missing the Admin role. The user needs to have the Admin role also when not logging in off site.
Any idea why this is happening and how I could fix this?
Posted on 09-22-2016 07:53 PM
We were using this script on a login policy scoped to the LDAP groups we wanted added to have local admin rights on laptops.
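#!/bin/bash
# Checks if the currently logged in user is a local admin and adds them if they are not
# Is to be used in conjunction with another script that determines their AD groups to decide if they should be added
TheGroup=$(dscl . read /Groups/admin GroupMembership)
# Jamf passes the logged-in user's short name to policy scripts as parameter 3
TheUser=$3
# Stop if no username was passed, so nothing empty is appended to the admin group
if [[ -z "$TheUser" ]]
then
    echo "No user name was passed in parameter 3"
    exit 1
fi
echo "$TheGroup"
echo "User to be added is $TheUser"
# Match the whole name between spaces, so "bob" does not match "bobby"
if [[ " ${TheGroup#GroupMembership:} " == *" $TheUser "* ]]
then
    echo "The user is already a member of the admin group"
else
    echo "Attempting to add the user to the admin group"
    dscl . append /Groups/admin GroupMembership "$TheUser"
fi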
Posted on 09-23-2016 01:29 PM
Posted on 09-23-2016 07:26 PM
This is actually supposed to work this way...
Posted on 09-23-2016 11:43 PM
What @RobertHammen said.
I have a post on this here.
Posted on 09-26-2016 09:02 AM