GCISDEngineer
asked on
Group Rights for AD users on Macs do not apply while off network
I have my Macs bound to AD and have staff user groups set to be able to administer the Macs as a part of the binding. Users create a mobile profile as well.
When on the network they have admin rights to the local machine. When they go home they can log in but the admin rights go away.
Any suggestion on how to correct this? I am used to Windows PCs just holding your rights while on or off the network and am not too familiar with the Mac's rules of operation.
Can you post a screenshot of your group settings for admin rights in your Directory Utility? I am assuming this is where you have set your group admin rights.
ASKER
nappy_d Here is the Directory Utility information. Let me know if you see any issues.
Aaron, I am looking at Centrify as well but that may mean rethinking the entire image process. We currently use Deploy Studio to join to the domain as a part of the imaging process and I am unsure how they would work together. Of course we would rather have fewer utilities working on the machine but I am open to trying Centrify. It looks pretty good.
I will report back soon.
Screen-Shot-2013-12-05-at-9.13.2.png
Screen-Shot-2013-12-05-at-9.13.3.png
The main issue I had with the OS X built-in join is that it doesn't store password hashes for off-network logins. Basically that makes it unusable on laptops unless you do the whole mobile profile syncing mess.
ASKER
After months of searching I must say sorry, I have found no real answer to the issue. Centrify does cover the issue the best. I think we may look at the full product.
ASKER
The solution works but involves a third party product. There is no solution that I have found natively in the Mac AD binding.
FYI, the free Centrify does the joining and login caching you need.