Posted on 06-09-2016 07:42 AM
Hi all,
We recently had Casper set up and I'm weighing up the various ways to achieve different key tasks. In terms of AD, I like the simpler nature of Config Profiles vs scripts, policies, extension attributes etc. The profile seems to work well, having tested it during deployment and ongoing management, but the delegation of admin rights to AD groups is inconsistent. When I image a machine, users within the Domain Admins and Enterprise Admins groups should be granted local admin rights. This is configured correctly in the profile, and the correct information shows in Directory Utility on the local machine. But when a domain admin logs in they can't unlock prefpanes, aren't in the sudoers file etc.
The domain bind itself seems to be working fine, domain users can log in, authenticating to shares etc. is working fine, and the directory status shows as connected in sysprefs. Time drift isn't an issue, and we have our machines looking to our DC for NTP anyway. Everything about the domain bind seems to be working except the admin rights.
What's odd is that I tried modifying the profile to remove the [DOMAIN] prefix from the admin group entries in the profile, and that didn't work so I changed it back, but upon doing so it suddenly started working. But upon re-imaging the same computer (not removing from the JSS, just re-imaging with a base config), it's broken again. Obviously modifying and re-pushing the profile after every re-image isn't workable, but it tells me that this function is working in some form, and it's probably something else conflicting with the profile. I have no idea what that could be though, as our setup is very simple right now.
Anyone run into this issue with profiles for AD bind, or know where I should start looking to troubleshoot this?
Posted on 06-09-2016 08:53 AM
What do you see on the affected Mac when you run this command?
dsconfigad -show
Your AD admin groups should show up in the "Allowed Admin Groups" section:
ComputerName (IP Address Here)
Active Directory Forest = domain.edu
Active Directory Domain = domain.edu
Computer Account = ComputerName$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Disabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = YourAdminGroup1,YourAdminGroup2
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
Difficulties you are seeing with this could also be related to how your AD is set up on site, though.
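To make the check above repeatable (for example as a Jamf extension attribute), here is an added script that is not from the thread: it parses the "Allowed admin groups" line out of `dsconfigad -show` text, tests whether a given group is listed, and, on a bound Mac, compares the live value with what the profile should have set and checks whether the console user actually ended up in the local admin group. The sample output and group names are constructed for the offline run.

```shell
#!/bin/sh
# Constructed sample of `dsconfigad -show` output (not captured from the
# thread's Mac); the group names are assumptions.
SAMPLE_SHOW='Active Directory Forest = domain.edu
Active Directory Domain = domain.edu
Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = DOMAIN\Domain Admins,DOMAIN\Enterprise Admins
Authentication from any domain = Enabled'

# Read dsconfigad -show text on stdin and print the "Allowed admin groups"
# value, or "not set" when the line is missing or unset.
allowed_admin_groups() {
    val=$(sed -n 's/^[[:space:]]*Allowed admin groups = //p' | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'not set\n'; fi
}

# Exit 0 if group $1 is one of the comma-separated allowed admin groups
# (exact match, so "Domain Admins" does not match "DOMAIN\Domain Admins").
has_admin_group() {
    allowed_admin_groups | tr ',' '\n' | grep -Fxq -- "$1"
}

# On a bound Mac: compare the live value with the groups the profile should
# have set ($1) and check whether the console user is in the local admin
# group. Prints a Jamf extension-attribute style <result> line; exit 0 only
# when the live value matches the expected one.
report_live() {
    expected="$1"   # e.g. 'DOMAIN\Domain Admins,DOMAIN\Enterprise Admins'
    [ -x /usr/sbin/dsconfigad ] || { echo "<result>dsconfigad not present</result>"; return 1; }
    live=$(/usr/sbin/dsconfigad -show | allowed_admin_groups)
    user=$(stat -f %Su /dev/console)
    if dseditgroup -o checkmember -m "$user" admin 2>/dev/null | grep -q '^yes'; then
        member=yes
    else
        member=no
    fi
    echo "<result>allowed=$live expected=$expected console_user=$user local_admin=$member</result>"
    [ "$live" = "$expected" ]
}
```

Run `report_live 'DOMAIN\Domain Admins,DOMAIN\Enterprise Admins'` on a freshly imaged Mac before and after re-pushing the profile to see whether the bind settings or the resulting group membership is what changes.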
Posted on 06-09-2016 09:00 AM
Thanks for the reply. Both groups are showing up in the dsconfigad output.
What's odd is that the actual config being pushed out is identical to how it's been for as long as I've been here; it's simply being pushed out by a profile now, and the admin groups have stopped working. If I manually bind a machine with the exact same settings as the profile pushes, it works. And prodding the profile as I described earlier made it work too.