Anyone know what dictates whether a user is created as an admin or a standard user when creating a mobile account for the first time? It always defaults to admin for us, but I am curious how to make it default to a standard user. Trying not to need a script that runs and converts it. :)
Question
Standard User Mobile Accounts
+8
+24Are the accounts only "admin" while in range of your domain controllers? Meaning, do they lose admin if they are taken off the network? If so, look in Directory Utility under the Administrative tab for the AD bind settings. There may be an "Allow administration by" group listed there that the accounts are part of.
Otherwise, as far as I know, new mobile accounts should be created as standard users, at least in my experience.
+8No, they do not lose admin rights when not on the network. It's there all of the time. There must be something that is elevating them because the binding we have set up in the JSS doesn't have any preferences to set if they are admin or not.
I'm also going to look at dsconfigad and if there is a flag somewhere that causes this.
+24Ok, another question. Are they becoming admins when logging onto the Mac while connected to the network? Meaning, when the accounts are created "at login"? If so, can you try pre-creating the accounts with createmobileaccount as in:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n accountnameOr are you doing that already? I'm wondering if there's some difference between the 2 scenarios.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.