This topic has 13 replies, 6 voices, and was last updated 16 years, 7 months ago by siddhartha.
siddhartha (Participant), March 8, 2008 at 4:31 am, #371818
Binding 10.5.2 users to AD.
In the Directory Access plugin I give the users admin rights.
When my users leave the network, they lose those rights, unlike 10.4.11.
Also in System Prefs, the Accounts pane cannot access the login items options.
The only way to do so is to right-click on the Dock.
larkost (Participant), March 8, 2008 at 6:29 pm, #371822
The solution to this is to create a local group (use Workgroup Manager from the Server tools, and aim it at localhost). Then add an AD group that everyone is in to that, and give that local group admin rights.
And the System Prefs thing is a long-standing bug. Apple has fixed it a couple of times, only to have it come right back.
dds (Participant), March 10, 2008 at 3:32 pm, #371837
The bad part about the workaround above for admins like me who manage a master NetRestore image is that while you can configure a NetRestore master image with the local admin group using WGM/DSCL, you can't nest the AD group into the local group until the Mac has been imaged and bound to AD. Thus you still have to add the AD group later and this is an extra step in the deployment process. The whole point of having my local admins in an AD group is that once the Mac is bound to AD, I can manage that group from a central location and it requires no extra steps (other than joining to AD of course, which is pretty painless).
My environment:
I assign local admin rights to certain users based on an AD group called “Mac Power Users” (original, eh?). If you are in that group, lucky you, because that means you are a local admin. It's designed for managers and executives etc. I work with a lot of scientists and programmers who need full system access (and they usually can be trusted too).
However, most of my Mac power users happen to also be laptop users with MacBooks (mobile users). Here's the rub. When they leave the AD domain on road trips (and thus aren't connected to the AD domain anymore), their AD group memberships are lost and they aren't considered local admins anymore. Which means they can't run sudo, they can't add printers, they can't change time zone info, they can't install apps from packages, etc. Denied!
Their AD name and passwords are cached locally, but their groups are not. They have no problem logging into the MacBooks on the road, they just can't acquire the local admin status since the AD group info isn't available.
So… is this a bug or is this normal behavior? I ask because I swear that back in the Tiger days my Macs would retain AD group info, even when they were off the LAN remotely.
jdyck (Participant), March 14, 2008 at 8:26 pm, #371892
Just want to confirm that Leopard is NOT caching AD group membership. I had this same problem but a little different in that all my MCX settings assigned to an OD group with AD groups as members work ONLY while I'm plugged into the network. As soon as I take the machine out of the network I lose all my MCX settings. Exact same setup, same OD group, but with an AD USER rather than a GROUP, and it works fine. Definitely something screwed up with group membership caching; will be filing a bug today.
dds (Participant), March 16, 2008 at 4:40 pm, #371899
Agreed.
Leopard is NOT caching AD group membership. Works fine when connected to the LAN and AD domain, but as soon as I take the machine out of the network I lose all my AD group membership info.
I filed a bug report on February 5th (5725079). The ticket has been open for 6+ weeks(!) and I have yet to have anyone at Apple respond. ‘All quiet on the western front.’ Feel free to cross-reference my bug report.
-D
jdyck (Participant), April 7, 2008 at 9:15 pm, #372095
dds, I went into my ticket for the same problem and added a note referencing your ticket. Hopefully we'll see a resolution soon, as this is a deal killer for my environment with 1000s of laptops…
bentoms (Participant), April 8, 2008 at 11:36 am, #372104
Hi guys,
Silly question, but are your Mac users set up with mobile accounts?
jdyck (Participant), April 8, 2008 at 3:00 pm, #372107
Not sure about the other folks, but mine certainly are mobile accounts, and since we're talking about being able to take them off the network I'd assume most of the others are also. In my situation, if I drag an AD USER into the OD managed group it works fine; it's only when I drag an AD GROUP that the problem surfaces. Also, while ON the network it works; it's just when you take the network (and access to the AD servers) away that you lose all membership settings.
bentoms (Participant), April 8, 2008 at 5:25 pm, #372109
The reasoning is that we have to specify in the AD plugin that our AD users create a mobile account at login (it's not a PHD or MHD), and then the cache seems to stay.
Just thought I could help!
jdyck (Participant), April 8, 2008 at 6:03 pm, #372110
That may be worth a try. I need to double-check, but I think I specified mine through OD. It works (in the sense that there is a mobile account created that shows up in the Accounts preference pane and is labeled as a Mobile, Managed account). But like previously mentioned, as soon as you take it off the network and re-login you no longer have any MCX settings. So if your Dock, for example, is set through OD, then when you log in you get a very basic Dock (we're getting Finder and Trash), and if you are limiting applications, then when off the network the user can run any application. I'm not in the office to try today but will on Thursday when I return.
siddhartha (Participant), September 10, 2008 at 2:36 am, #374037
Anybody solve this yet?
jdyck (Participant), September 10, 2008 at 3:17 am, #374038
It's mostly working for me, from a combination of Apple updates and a bit of workarounds…
Apple has updated this so that it caches at least some groups, and I've met them halfway by making sure that the managed OD group contains AD groups with direct user members, rather than the abstracted AD group of AD groups containing AD users that I had before. It means the OD group membership isn't quite as “clean” as I might have wanted, but it works, so I won't complain too much.
Hope that helps.
Jeff
siddhartha (Participant), September 10, 2008 at 6:43 am, #374040
Not using OD, so I can't use your solution. But I did manage to get a LoginHook script to work. Email me if you would like it.
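As an added illustration of the LoginHook approach (this is not siddhartha's script, which the post does not include): when the Mac is on the LAN, the hook asks Directory Services whether the logging-in user is in the AD group and, if so, adds the user to the local admin group; that local membership is a local record, so it survives the AD group cache being lost off the network. It assumes the AD group name “Mac Power Users” from the thread with a placeholder DOMAIN prefix, that dsmemberutil resolves the AD group by that name, and that the script runs as root via a LoginHook, which passes the short user name as $1.

```shell
#!/bin/sh
# Added example login hook: grant local admin on the LAN based on AD group
# membership, and leave existing local membership alone when AD cannot answer.
# DOMAIN is a placeholder; "Mac Power Users" is the group name from the thread.

AD_GROUP='DOMAIN\Mac Power Users'   # assumed: dsmemberutil resolves this name
LOCAL_GROUP='admin'                 # local group whose membership persists offline

# Classify the text dsmemberutil prints into an action. Returns one of:
#   grant - AD answered: the user is a member of the AD group
#   none  - AD answered: the user is not a member (no change is made)
#   skip  - no usable answer (domain unreachable, group unresolvable): keep
#           whatever local membership was set the last time on the LAN
classify() {
    case "$1" in
        *"is a member of the group"*)     echo grant ;;
        *"is not a member of the group"*) echo none ;;
        *)                                echo skip ;;
    esac
}

# Query Directory Services for the user and act on the classified result.
# Only the grant case touches the local group, so an offline login never
# strips rights that were granted while connected.
apply_for_user() {
    user="$1"
    answer=$(dsmemberutil checkmembership -U "$user" -G "$AD_GROUP" 2>/dev/null)
    action=$(classify "$answer")
    case "$action" in
        grant) dseditgroup -o edit -a "$user" -t user "$LOCAL_GROUP" ;;
        *)     : ;;
    esac
    echo "$action"
}

# LoginHook invocation: the logging-in user's short name arrives as $1.
if [ $# -ge 1 ]; then
    apply_for_user "$1"
fi
```

Because membership in the local admin group is stored locally, a user granted rights this way keeps sudo and package installs on the road even though Leopard drops the cached AD group membership; the trade-off is that revocation in AD only takes effect at the next login on the LAN.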