AD Computer Record Expiration

bmarks
Contributor II

I know the default for a computer record expiring is 14 days in OS X. My question is, what triggers syncing? I don't know AD well at all. Does a Mac periodically "check in" with AD or does this communication only occur when you try to do something like mount a network share? For example, if a Mac was on the network but did nothing for 15 days, would the record expire?


wdpickle
Contributor

Simple answer is, yes. If a machine does not reconnect to AD within the specified period of time you will lose the trust relationship. We set ours to 90 days to cover summer vacation (we are a K-12).
We have some kiosk machines that lose the trust every 90 days and we have to go and un-join/re-join them to our domain to allow "normal" users to log in.

bmarks
Contributor II

@wdpickle Thanks. So, just to be clear, is that because your kiosks don't connect to any network resources even though they are powered on and connected to the network?

wdpickle
Contributor

The kiosk machines (Mac and Windows) are in common-use areas for internet use and library research and have a "generic" user logged into them. When the machine is restarted it logs in as the generic user locally and does not connect to AD.
If a user needs access to personal directories or shares, they can log out the generic user and log in as themselves. Each AD user login resets the 90-day clock. If the users cannot log in, they put in a help desk ticket. Just a side note: the local users can NOT update the machines; an AD user must log in to update any software on the machine.
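The thread turns on the interval after which a Mac's AD computer account password must be refreshed (the `dsconfigad` "Password Change Interval", 14 days by default, 90 in wdpickle's setup) and on kiosks that silently age past it. The script below is an added example, not code from any poster: it parses that interval out of `dsconfigad -show`-style output, converts the computer object's `pwdLastSet` attribute (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC) to Unix time, and reports machines whose password age has reached the interval so they can be caught before the trust breaks. Both sample values are constructed; on a real Mac the interval would come from `dsconfigad -show` and `pwdLastSet` from an LDAP query against the domain.

```shell
#!/bin/sh
# Added example, not from the thread. Flags AD-bound Macs whose machine
# password age has reached the configured change interval.

# Constructed sample of the relevant line from `dsconfigad -show`.
SAMPLE_DSCONFIGAD='Password Change Interval        = 14'

# Constructed pwdLastSet (Windows FILETIME) for the computer object.
SAMPLE_PWDLASTSET=133500000000000000

# Read dsconfigad-style output on stdin, print the interval in days.
pass_interval_days() {
    sed -n 's/^Password Change Interval *= *\([0-9][0-9]*\).*/\1/p'
}

# FILETIME -> Unix epoch seconds: drop to whole seconds, then shift
# from the 1601 epoch to the 1970 epoch (11644473600 s apart).
filetime_to_epoch() {
    echo "$(( $1 / 10000000 - 11644473600 ))"
}

# Whole days between pwdLastSet ($1) and a reference epoch time ($2).
password_age_days() {
    last=$(filetime_to_epoch "$1")
    echo "$(( ($2 - last) / 86400 ))"
}

# "EXPIRED" once the age ($1) has reached the interval ($2), else "OK".
trust_status() {
    if [ "$1" -ge "$2" ]; then echo "EXPIRED"; else echo "OK"; fi
}

# Stand-alone run: evaluate the constructed sample against the clock now.
interval=$(printf '%s\n' "$SAMPLE_DSCONFIGAD" | pass_interval_days)
age=$(password_age_days "$SAMPLE_PWDLASTSET" "$(date +%s)")
printf 'interval=%sd age=%sd status=%s\n' "$interval" "$age" \
    "$(trust_status "$age" "$interval")"
```

Run on a fleet, the `trust_status` result is the thing to alert on: a kiosk that reports `EXPIRED` is one the thread describes, powered on but never refreshing its account, and is due for a re-join before someone files the help desk ticket.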