Hi All,
I'm trying to work through an issue I'm having with binding in Jamf Pro. The issue, specifically, is that the directory option "Allow Administration by" is not working. This option allows AD groups like "Domain Admins" to automatically be local administrators on the MacBook.
The strange thing is if I use that same AD admin account and unbind/rebind manually, the "Allow Administration by" option works.
Here's what we are doing.
1. I created a Configuration profile in the Jamf Pro console for AD binding.
2. I created a PreStage enrollment profile and selected the AD binding Configuration profile.
3. At enrollment, I can see the AD bind Configuration profile run.
4. Once the computer is enrolled, I can log in with my AD admin login, but it does not have administrative rights on the computer.
Here are some more data points:
1. I ran the command dsconfigad -show and verified that the "Allowed admin groups" entry in the Advanced Options section included all the AD groups. In our case, it's Domain Admins, Enterprise Admins, and Desktop Local Admins (which is a custom global security group we use for this purpose).
2. Even though the "Allowed admin groups" option is not working on the Jamf-enrolled computers, the binding is still good enough to log the AD user in and create a Mobile account, which are also options in the Jamf binding Configuration profile.
3. This was working in the past. It stopped working some time ago, either when I created the new PreStage enrollment profile in the new style where you add the binding in a Configuration profile (a couple of years ago it was directly in the PreStage enrollment profile), or when I demoted our old Windows Server 2012 R2 primary AD controller and promoted the newer Windows Server 2016 primary AD controller.
Anyone have any ideas? Is the AD binding profile missing needed mappings to the groups? Why does it work when I manually bind the computer in System Preferences?
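A way to narrow down what the poster describes, as an added diagnostic script that is not part of the original post or of Jamf's tooling: on macOS, "Allowed admin groups" works by nesting each AD group's GeneratedUID into the local admin group's NestedGroups attribute, so comparing what `dsconfigad -show` promises against what `dscl . -read /Groups/admin NestedGroups` actually contains separates "the profile never applied the groups" from "the groups are listed but cannot be resolved against the new domain controller". The `dsconfigad`, `dscl` and `dsmemberutil` commands are real macOS tools; the sample outputs, the GUIDs and the `sample_group_guid` lookup table are constructed so the script also runs offline.

```shell
#!/bin/sh
# Added diagnostic for the "Allowed admin groups" AD bind option (not from the
# original post). It compares what `dsconfigad -show` promises with what the
# local admin group actually nests, then optionally checks one user with
# dsmemberutil. The SAMPLE_* values and sample_group_guid are constructed.

# Constructed sample of `dsconfigad -show` (only the relevant lines).
SAMPLE_DSCONFIGAD='Active Directory Domain          = corp.example
Computer Account                 = mac001$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = CORP\domain admins,CORP\enterprise admins,CORP\desktop local admins
  Authentication from any domain = Enabled'

# Constructed sample of `dscl . -read /Groups/admin NestedGroups`:
# only one of the three promised groups is actually nested.
SAMPLE_NESTED='NestedGroups: 11111111-2222-3333-4444-555555555555'

# AD groups the bind says should be local admins, one per line.
allowed_admin_groups() {
  sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# GUIDs nested into the local admin group, one per line.
admin_nested_guids() {
  sed -n 's/^NestedGroups:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Resolve "DOMAIN\group" to its GeneratedUID through the directory search path
# (this is the lookup that fails when the domain controller cannot be reached).
ad_group_guid() {
  dscl /Search -read "/Groups/${1#*\\}" GeneratedUID 2>/dev/null | awk 'NR==1 {print $2}'
}

# Constructed resolver for offline runs: the custom "desktop local admins" group
# is deliberately absent to show the "not resolvable" case.
sample_group_guid() {
  case "${1#*\\}" in
    "domain admins")     echo 11111111-2222-3333-4444-555555555555 ;;
    "enterprise admins") echo 22222222-2222-3333-4444-555555555555 ;;
    *)                   echo "" ;;
  esac
}

# Print each allowed group that is NOT effectively a local admin, with the reason.
# $1 = dsconfigad -show text, $2 = dscl NestedGroups text, $3 = resolver function.
missing_admin_groups() {
  nested=$(printf '%s\n' "$2" | admin_nested_guids)
  printf '%s\n' "$1" | allowed_admin_groups | while IFS= read -r group; do
    guid=$("$3" "$group")
    if [ -z "$guid" ]; then
      printf '%s (group not resolvable in directory)\n' "$group"
    elif ! printf '%s\n' "$nested" | grep -qix "$guid"; then
      printf '%s (GUID %s not in admin NestedGroups)\n' "$group" "$guid"
    fi
  done
}

if command -v dsconfigad >/dev/null 2>&1; then
  SHOW=$(dsconfigad -show)
  NESTED=$(dscl . -read /Groups/admin NestedGroups 2>/dev/null)
  RESOLVER=ad_group_guid
else
  SHOW=$SAMPLE_DSCONFIGAD; NESTED=$SAMPLE_NESTED; RESOLVER=sample_group_guid
fi

echo "Allowed admin groups per dsconfigad:"
printf '%s\n' "$SHOW" | allowed_admin_groups | sed 's/^/  /'
echo "Not actually mapped to local admin:"
missing_admin_groups "$SHOW" "$NESTED" "$RESOLVER" | sed 's/^/  /'

# Final word for one account (pass the AD short name as the first argument):
# is it a member of the local admin group right now?
if [ -n "$1" ] && command -v dsmemberutil >/dev/null 2>&1; then
  dsmemberutil checkmembership -U "$1" -G admin
fi
```

Run it as root on a Jamf-enrolled Mac and then on a manually bound one; if the profile-bound machine shows the groups in `dsconfigad -show` but none of their GUIDs in NestedGroups, the profile's group list was accepted but never applied to the admin group, whereas a "not resolvable" line for only the custom group points at a directory lookup problem for that group rather than at the profile.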