We have a pretty large deployment of macs at my company. 10.5.8, 10.6.4, 10.6.5, and 10.6.7. All are bound to our 2003 AD via the built-in plugin. They are bound during imaging with Casper v8.1. I’ve found that with the 10.6.7 image that we are rolling out now, standard mobile accounts are logging in as admin accounts when bound directly to a custom OU in AD (i.e.: OU=Macintosh,OU=Computers,OU=Cleveland, etc). However, when bound to the generic computers CN, these accounts do not log in as admins, and the computer record can then be moved to the custom OU without consequence. However, yesterday we did have one computer (10.6.7) bound to the generic computers OU, logged in as a standard mobile account, restarted, logged in again as the same mobile account, but this time was an administrative account. Unbind and rebind seemed to fix it, but this worries me.
I am seeing the same problem with OS 10.6.4 macs, imaged last year, and not upgraded (OS-wise) since they were rolled out. On the 50 I tested, 90% of them came back with at least one “standard” mobile account in the admin group on the mac.
My question is has anyone experienced this before with 10.6.x and how did you resolve it? We have 600 macs here that I can’t have our techs running around and binding/unbinding computers, especially since we don’t know if that’s a permanent fix (it seems not to be). It’s worth noting that this was not a concern last year when we deployed new macs with OS 10.6.4 — no standard mobile accounts (unless otherwise specified by the “administrative” tab in the AD plugin) automagically became admins.
TIA! Please let me know if you need more information. I’m at a loss as to where to even begin to look.
Andrew