Losing administrative rights

macos administrator active-directory user-account

I have a handful of Mac's running Mavericks and up. Each Mac is generally used by 1-3 people. Each person is a member of a specific AD group.

Pre-deployment we added that AD group to the "Allow Administration By" field with "domain\groupname" format. Pre-deployment and shortly after deployment, the end users were able to administer the Macs without issue. They could escalate processes with their credentials.

Since then, none of the Macs recognize our users as administrators anymore, myself included (I'm in a separate AD group membership that was added at the same time). We then started going into each user profile and checking the "Allow user to administer this computer" checkbox, which again worked for a time but no longer does.

We have started falling back on the local administrator user account to manually authenticate when needed, but we're not able to share that password with end users.

The following link is what I used for reference: https://support.apple.com/en-us/HT202112

Is there something we're missing? Why would the administrative behavior work for a time then just stop?

Edit: This is not a duplicate to AD User as an administrator on the Mac?. I have tried all of the steps outlined in the link I originally referenced. The key issue is that I do actually get local administrator privileges for a short period, but then for some unexplained reason, all users but administrator lose their privileges and no longer escalate privileges.


This sort of pain isn't practically avoidable. The solution is to unbind your macOS computers from the domain and use a product like Nomad or Apple Enterprise Connect to get the password sync, kerberos certificates that allow single sign on without all the pain of binding.

  • Jamf Connect is the best of both worlds now - https://www.jamf.com/products/jamf-connect/

Alternatives are the open source Nomad (which exists alongside with it's commercial version Jamf Connect) and Enterprise Connect that integrates a local password without needing to bind to AD.

  • https://www.jamf.com/jamf-nation/discussions/17757/about-enterprise-connect
  • https://nomad.menu

Related

Prevent websites from taking over audio on iPhone?
Colouring text in a notification message created by AppleScript
Force an App to Nap
Extract /var/mobile/containers/data/application from an IPhone or backup
Saved a file in the wrong location and I cannot retrieve it
Finding the folder a note is stored in in Notes
Mid 2014 Macbook Pro randomly stops responding (keyboard and trackpad won't do anything)
Is there a way to schedule an iOS app to open at specific times?
Any way to make a transparent Keynote background?
Simulate a 13 inch display on 15 inch MacBook Pro
How can I upgrade an old iMac from 10.6.8? [duplicate]
Approve This iPhone: Reset Protected Data