Provisioning Local Admin to AD security group member created locally via Azure (JC)

New Contributor III

Hello all.

I am currently trying to implement a security group sync to our devices where the user is a member of the security group created in AD specifically for that device using the following in the Files and processes payload.


dsconfigad -groups "local-$HOSTNAME-Administrators"


The user is logging in with their Admin account via Jamf Connect which creates the account locally on the device and this account is a member of the security group for this device.

However no matter which order I do this in (user creates account first and then we add the security group OR vice versa) the user does not seem to receive elevated local admin and remains standard.

We also have Global Admin security groups pushed to each device during the AD bind and using this method any Global Admin creating an account on the device via Jamf Connect does immediately have local Admin.

I was just wondering if I am missing something to perform the additional security group addition correctly. My understanding is that I do not need to rebind the device to AD just to add additional security groups to the device.

I can confirm via


dsconfigad -show


that the groups are added, but the member regardless does not receive the elevated admin.

Am I missing something?