We recently had Casper set up and I'm weighing up the various ways to achieve different key tasks. In terms of AD, I like the simpler nature of Config Profiles vs scripts, policies, extension attributes etc. The profile seems to work well, having tested it during deployment and ongoing management, but the delegation of admin rights to AD groups is inconsistent. When I imagine a machine, users within the Domain Admins and Enterprise Admins groups should be granted local admin rights. This is configured correctly in the profile, and the correct information shows in directory utility on the local machine. But when a domain admin logs in they can't unlock prefpanes, aren't in the sudoers file etc.
The domain bind itself seems to be working fine, domain users can log in, authenticating to shares etc. is working fine, and the directory status shows as connected in sysprefs. Time drift isn't an issue, and we have our machines looking to our DC for NTP anyway. Everything about the domain bind seems to be working except the admin rights.
What's odd is that I tried modifying the profile to remove the [DOMAIN] prefix from the admin group entries in the profile, and that didn't work so I changed it back, but upon doing so it suddenly started working. But upon re-imaging the same computer (not removing from the JSS, just re-imaging with a base config), it's broken again. Obviously modifying and re-pushing the profile after every re-image isn't workable, but it tells me that this function is working in some form, and it's probably something else conflicting with the profile. I have no idea what that could be though, as our setup is very simple right now.
Anyone run in to this issue with profiles for AD bind, or know where I should start looking to troubleshoot this?
What do you see on the affected Mac when you run this command?:
Your AD admin groups should show up in the "Allowed Admin Groups" section:
ComputerName (IP Address Here)
Active Directory Forest = domain.edu
Active Directory Domain = domain.edu
Computer Account = ComputerName$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Disabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = YourAdminGroup1,YourAdminGroup2
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
Difficulties you are seeing with this could also be related to how your AD is setup onsite, though.
Thanks for the reply. Both groups are showing up in the dsconfigad output.
What's odd is that the actual config being pushed out is identical to how it's been for as long as I've been here, it's simply being pushed out by a profile now and the admin groups have stopped working. If I manually bind a machine with the exact same settings as the profile pushes, it works. And prodding the profile as I described earlier made it work too.