Local accounts with AD (not conversion, but rather "safety")

rstasel
Valued Contributor

Hi All,

So, yesterday I made a mistake with Configuration Profiles, and accidentally deployed my Lab profile out to staff machines. I caught it pretty quick, but it still ended up deployed to probably a dozen or so machines. Sadly, removing them from scope doesn't seem to remove the configuration profile reliably. =(

More sadly (and luckily) I had one staff machine it went out to that had a mobile account bound to AD, and the lab profile deleted his account (lab profile says delete accounts after 2 hours). Thankfully he was a new employee, and Crashplan was running, so I was able to restore his account in full. But this really had me break out in a sweat.

So I'm curious... is there a way to have an AD bound machine create an account that isn't "mobile", in that, if something like that ever happens again, it won't delete the account. Basically, an immutable bit, but where the user still logs in with their AD credentials?

It also begs the question, if I just had a configuration profile for all staff machines that had "delete mobile accounts after X time" unchecked, would that take precedence over something that had a lesser time? I know back in MCX days how things applied... but with configuration profiles, I don't know how it figures out which setting takes priority. =/

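An added audit script (not from the original post, and not an answer to the precedence question) for listing which user records on a Mac are AD mobile accounts, so a profile carrying a "delete mobile accounts after N hours" setting can be checked against real users before it is scoped. It assumes the usual `dscl` markers for cached accounts (an `OriginalNodeName` attribute and a `;LocalCachedUser;` entry in `AuthenticationAuthority`); the sample records below are constructed.

```shell
#!/bin/sh
# Added example: tell AD mobile (cached) accounts apart from plain local
# accounts on macOS. Assumes mobile accounts carry an OriginalNodeName
# attribute and a ";LocalCachedUser;" AuthenticationAuthority entry.

# classify_record "<dscl -read output>" -> prints "mobile" or "local"
classify_record() {
  case "$1" in
    *';LocalCachedUser;'*|*'OriginalNodeName:'*) echo "mobile" ;;
    *) echo "local" ;;
  esac
}

# audit_users: read every user with UID >= 500 and print its classification.
# Only meaningful on macOS, where dscl exists.
audit_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}' | while read -r u; do
    rec=$(dscl . -read "/Users/$u" AuthenticationAuthority OriginalNodeName 2>/dev/null)
    printf '%-20s %s\n' "$u" "$(classify_record "$rec")"
  done
}

# Constructed sample records (not real captures) for checking the classifier
# without a directory-bound Mac.
SAMPLE_MOBILE='AuthenticationAuthority: ;Kerberosv5;;jdoe@EXAMPLE.LOCAL;EXAMPLE.LOCAL; ;LocalCachedUser;/Active Directory/EXAMPLE/example.local:jdoe:S-1-5-21-EXAMPLE
OriginalNodeName: /Active Directory/EXAMPLE/example.local'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;SecureToken;'

# Run the live audit only when asked, e.g. "sh audit.sh run" on a Mac.
if [ "${1:-}" = "run" ]; then
  audit_users
fi
```

Any account reported as "mobile" is one the lab profile's deletion interval would apply to; "local" accounts are not cached directory users and are not affected by that setting.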