Issues binding to Active Directory using Jamf Pro?

ralvarezOES
Contributor

Hi All,

I'm trying to work through an issue I'm having binding in Jamf Pro. The issue is, specifically, that the directory option "Allow Administration by" is not working. This option allows AD groups like "Domain Admins" to automatically be local administrators on the MacBook.

The strange thing is if I use that same AD admin account and unbind/rebind manually, the "Allow Administration by" option works.

Here's what we are doing.

1. I created a Configuration profile in the Jamf Pro Console for AD binding

2. I created a Prestage enrollment profile and selected the AD binding Configuration profile

3. At enrollment, I can see the AD bind Configuration profile runs.

4. Once the computer is enrolled, I can log in via my AD admin login, but it does not have administrative rights on the computer.


Here's some more points of data:

1. I ran the command dsconfigad -show and verified that the "Allowed admin groups" in the Advanced Options section included all the AD groups. In our case it's Domain Admins, Enterprise Admins, and Desktop Local Admins (which is a custom global security group we use for this purpose).

2. Even though the option "Allowed admin groups" is not working on the Jamf-enrolled computers, the binding is still good enough to log the AD user in and create a Mobile account, which are also options in the Jamf binding configuration profile.

3. This was working in the past. It stopped working some time ago, either when I created the new Prestage enrollment profile in the new style where you add the binding in a Configuration profile (a couple of years ago it was directly in the Prestage enrollment profile), or when I demoted our old Windows Server 2012 R2 primary AD controller and promoted the newer Windows Server 2016 primary AD controller.

Anyone have any ideas? Is the AD binding profile missing needed mappings to the groups? Why is it working when I manually bind the computer in System Preferences?


1 ACCEPTED SOLUTION

cbrewer
Valued Contributor II

Are you using the format "DOMAIN\Computer Admin Group"? Maybe, as a test, try setting preferred domain controller to go to your PDC to make sure you're hitting a global catalog. Also, this is something that just doesn't always work right, depending on macOS version. I remember it was particularly bad in Catalina.


8 REPLIES

OMG, thanks for such a simple solution. I changed two settings.

In the AD bind configuration profile, I put the entire host name of the PDC instead of just the domain name. For the other setting, I added the PDC to the "prefer this domain server" option. That worked. Hooray!

As for the other question, no. I was just using the group name without the DOMAIN\ prefix. I saw the Apple article about it and tried it, but it didn't make a difference.

cbrewer
Valued Contributor II

Your only problem with that is your Macs are only going to talk to that 1 domain controller. A better solution might be to see whether or not all of your DCs are global catalogs. If every DC was a global catalog you might be able to avoid locking the config to your PDC.

OK, good thought. I'll look into that. Actually, that would solve the issue with all the other MacBooks that are provisioned without the "preferred PDC" section, because this solution will only work moving forward.

So actually, our BDC is also a global catalog. Hmmm.

cbrewer
Valued Contributor II

I think best practice these days is for every DC to be a GC. Might depend where your DCs are located at and what your connectivity is though.

I tested again. This time I left the Preferred DC blank, but used the full host name of the PDC in the "Server" field to bind the computer. That worked also. So I'm just going to roll with that.
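The thread's diagnosis rests on two things the original poster read out of dsconfigad -show by hand: whether every intended admin group is present in "Allowed admin groups" in the DOMAIN\group form cbrewer asked about, and what "Preferred Domain controller" is set to. The script below is an added example (not from the thread or from Jamf) that automates that read-out so it can be run as a post-enrollment check; the sample output, domain CORP, host dc01.corp.example.com and the group names are constructed, and the exact key names are assumed to match a real Mac's output.

```shell
#!/bin/sh
# Audit an AD bind the way the thread did by hand: confirm every expected admin
# group is listed as DOMAIN\group in "Allowed admin groups" and report the
# preferred domain controller. Run with --live on a bound Mac to read the real
# `dsconfigad -show`; without it the constructed samples below are used.

# Constructed sample of `dsconfigad -show` output (not captured from a real Mac).
# A bind where both settings look the way the thread's fix left them.
SAMPLE_OK='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = dc01.corp.example.com
  Allowed admin groups           = CORP\domain admins,CORP\enterprise admins,CORP\desktop local admins
  Authentication from any domain = Enabled'

# Constructed sample of the failing state: unqualified group names, no preferred DC.
SAMPLE_BAD='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac02$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain admins,enterprise admins
  Authentication from any domain = Enabled'

# ad_setting <output> <key>: print the value of the "key = value" line, if any.
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }'
}

# preferred_dc <output>: the configured preferred DC, or "not set".
preferred_dc() {
    ad_setting "$1" "Preferred Domain controller"
}

# in_list <comma-list> <value>: 0 if value is one item of the list (case-insensitive).
in_list() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | tr 'A-Z' 'a-z' \
        | grep -qxF -- "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# check_admin_groups <output> <short-domain> <group>...
# Exit 0 only when every group is present in the DOMAIN\group form; a group that
# is present but unqualified is called out separately, since that was the
# original poster's configuration.
check_admin_groups() {
    out=$1; dom=$2; shift 2
    allowed=$(ad_setting "$out" "Allowed admin groups")
    rc=0
    for g in "$@"; do
        qualified=$(printf '%s\\%s' "$dom" "$g")
        if in_list "$allowed" "$qualified"; then
            echo "ok:          $qualified"
        elif in_list "$allowed" "$g"; then
            echo "UNQUALIFIED: $g (listed without the $dom\\ prefix)"
            rc=1
        else
            echo "MISSING:     $qualified"
            rc=1
        fi
    done
    return $rc
}

# audit_bind <output> <short-domain> <group>...: full report, exit status from the group check.
audit_bind() {
    echo "Preferred domain controller: $(preferred_dc "$1")"
    check_admin_groups "$@"
}

if [ "${1:-}" = "--live" ]; then
    audit_bind "$(dsconfigad -show)" CORP "domain admins" "enterprise admins" "desktop local admins"
else
    echo "== constructed good bind =="
    audit_bind "$SAMPLE_OK" CORP "domain admins" "enterprise admins" "desktop local admins"
    echo "== constructed bad bind =="
    audit_bind "$SAMPLE_BAD" CORP "domain admins" "enterprise admins" "desktop local admins" || true
fi
```

Because the script exits non-zero when any group is missing or unqualified, it can be dropped into a Jamf policy or extension attribute to flag Macs that were bound before the configuration profile was corrected, which is the population the original poster noted the fix would not reach on its own.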

telloalj
New Contributor

Hello, I'm new here. Does your account that joins computers to the domain need to be a member of the specific domain controller?


Thanks in advance.