AD Administrator role missing when logged in off site

jerryh
New Contributor

I am testing a new setup. Mac is joined to an AD domain. User is in the Administrator group. When I log in to the Mac on site, the user has Admin, Managed, and Mobile roles, as it should. When I log in to the Mac off site, the user is missing the Admin role. The user needs to have the Admin role also when not logging in off site.

Any idea why this is happening and how I could fix this?


Look
Valued Contributor III

We were using this script on a login policy scoped to the LDAP groups we wanted to have local admin rights on laptops.

#!/bin/bash
# Checks if the currently logged-in user is a local admin and adds them if they are not.
# Runs from a Jamf login policy, which passes the username of the user logging in as $3.
# Is to be used in conjunction with another script that determines their AD groups to decide if they should be added.
TheUser="$3"
if [[ -z "$TheUser" ]]; then
    echo "No username was passed in \$3; nothing to do"
    exit 1
fi
TheGroup=$(dscl . read /Groups/admin GroupMembership)
echo "$TheGroup"
echo "User to be added is $TheUser"
# Match the username as a whole word, so that e.g. "bob" does not match "bobby"
if [[ " $TheGroup " == *" $TheUser "* ]]
then
    echo "The user is already a member of the admin group"
else
    echo "Attempting to add the user to the admin group"
    dscl . append /Groups/admin GroupMembership "$TheUser"
fi

scottb
Honored Contributor

RobertHammen
Valued Contributor II

This is actually supposed to work this way...

bentoms
Release Candidate Programs Tester

What @RobertHammen said.

I have a post on this here.

ooshnoo
Valued Contributor

@jerryh As mentioned previously, this is by design. I've had a ticket open with Apple engineering about it for a couple years asking for a change in this behavior, but have gotten nowhere with it.

Our testing has shown that @bentoms' script is the best workaround, but we have yet to deploy it.
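An added example, not Look's script above or the one in bentoms' post: the group-based decision that Look's script leaves to "another script", together with an exact-token membership check against the output of dscl, so a username that is a prefix of another (bob vs bobby) is not mistaken for an existing admin. The approved group names are constructed placeholders, and the command outputs are passed in as strings so the logic can be exercised off a Mac; on a Mac, AD group names only resolve while a domain controller is reachable, which is why Look scopes the policy to LDAP groups in Jamf instead.

```shell
#!/bin/bash
# Added example, not part of the thread's scripts.
# Approved AD group names (constructed placeholders; replace with your own).
APPROVED_GROUPS="mac-admins helpdesk-admins"

# True if $2 appears as a whole, space-delimited word in the list $1.
in_list() {
    local list="$1" item="$2"
    case " $list " in
        *" $item "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is the output of `dscl . read /Groups/admin GroupMembership`
# ("GroupMembership: root admin jdoe"); reports whether user $2 is listed.
is_local_admin() {
    local dscl_output="$1" user="$2"
    in_list "${dscl_output#GroupMembership:}" "$user"
}

# $1 is the user's resolved group names (as printed by `id -Gn`);
# reports whether any approved group is among them.
should_have_admin() {
    local groups="$1" g
    for g in $APPROVED_GROUPS; do
        if in_list "$groups" "$g"; then
            return 0
        fi
    done
    return 1
}

# Prints the action for a user: "add", "keep" (already admin) or "skip".
admin_action() {
    local user="$1" groups="$2" admins="$3"
    if ! should_have_admin "$groups"; then
        echo "skip"
    elif is_local_admin "$admins" "$user"; then
        echo "keep"
    else
        echo "add"
    fi
}

# How the inputs are gathered and the action applied on a Mac; $1 would be
# the username Jamf passes to a login policy in $3. Not called at load time.
apply_on_mac() {
    local user="$1" action
    action=$(admin_action "$user" "$(id -Gn "$user")" "$(dscl . read /Groups/admin GroupMembership)")
    [ "$action" = "add" ] && dscl . append /Groups/admin GroupMembership "$user"
    echo "$user: $action"
}
```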