This issue of AD users losing admin rights when off the domain is a wee head-scratching moment that comes up from time to time.
Having recently updated the script I use to work around this issue, I decided it was time for a blog post.
The script, an explanation of the script & the issue itself are detailed below.
If your environment is based around Active Directory, chances are you leverage Active Directory Certificate Services (ADCS) as your internal public key infrastructure (PKI). The certificates it issues may then be used to authenticate clients to various services within your organisation.
As MacAdmins, we may need to configure our Macs to request certificates from our ADCS; below are some hopefully helpful tips that might make that easier.
UPDATE: My fork of ADPassMon has now been merged into main & many changes have been made; for more information follow this link. The Wiki on the GitHub project replaces the details below.
Over the past two posts, I have detailed two issues with 10.9:
- No Password Expiration Warning At The Login Window
- The “Local Items” keychain
In looking at resolving issue 1, I revisited Peter Bukowinski’s excellent ADPassMon. This is a great app, but it has never quite suited my environment, so I grabbed the code off of GitHub & got stuck in.
This has resulted in me, on this most foolish of days & with a nervous excitement, announcing my ADPassMon fork. In time I hope this fork is merged into the main release.
So why did I go to all this trouble? What does it do? Read on.
UPDATE: My fork of ADPassMon has now been merged into main & many changes have been made; for more information follow this link.
The “Local Items” keychain is something you may have the misfortune of running into in Mavericks when a password is changed via an external directory service, whether because of password expiry or because a user forgot their password.
I spent some time tackling it when forking ADPassMon, so that users could change their password through ADPassMon rather than the preference pane & also have their keychain password updated.
Below are my observations on the new keychain.
We image our Macs with one partition for the system data & another for the user data.
That, in turn, allows us to re-image the Macs while preserving the user data.
Except that the permissions on the home folders will then be incorrect; for our solution to this, see below.
Infrequently we’ve been seeing the error below on some iDevices after enrolling them into our MDM solution.
“Cannot Get Mail. The connection to the server failed”
Plugging those devices into a computer running iPhone Configuration Utility revealed the following errors in the logs.
“The operation couldn’t be completed. (DAErrorDomain error 111.)”
Realising we maybe had more of an Exchange-side issue, we looked at the logs on the Exchange Server we were connecting to. These logs contained the following errors:
UPDATE: Since 8.61+, user information can be submitted following the method outlined here.
For a couple of years now I’ve run various flavours of the script below via a login policy on my Mac clients.
The purpose of this script is to first check if the user is a network user &, if so, look up their account in AD, grabbing information that can then be submitted to the JSS in the relevant fields as per the above.
See below for the script:
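The logic described above, as an added example that is not the post’s own script: a bash login script that tells a network (mobile) account from a local one by the presence of OriginalNodeName in the local directory record, reads the account’s attributes from the AD node that record names (the same node name Directory Utility shows), and builds the XML body for the JSS Classic API computer “location” fields. The dscl output embedded in the block is constructed so the parsing can be exercised without a directory. The JSS element names (`real_name`, `email_address`, `department`, `phone`), the use of the hardware UUID as the computer identifier, and the `JSS_URL`, `JSS_USER` and `JSS_PASS` environment variables are assumptions to check against your JSS version.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes a mobile/network
# account's local record carries OriginalNodeName, and that the JSS Classic
# API accepts <computer><location>...</location></computer> on
# PUT /JSSResource/computers/udid/<udid> (element names assumed; verify).

# Pull one attribute out of `dscl ... -read` output. dscl prints "Key: value"
# on one line when the value has no spaces, otherwise "Key:" followed by the
# value(s) on lines indented with a single space.
dscl_value() {  # $1 = dscl output, $2 = attribute name
  printf '%s\n' "$1" | awk -v key="$2" '
    $0 == (key ":")            { grab = 1; next }
    index($0, key ": ") == 1   { print substr($0, length(key) + 3); exit }
    grab && /^ /               { sub(/^ +/, ""); print; next }
    grab                       { exit }
  '
}

# A local record created from a directory node remembers where it came from.
is_network_user() { [ -n "$(dscl_value "$1" OriginalNodeName)" ]; }

# The node as Directory Utility shows it, e.g. /Active Directory/CORP/corp.example.com
network_node() { dscl_value "$1" OriginalNodeName; }

# Escape directory-supplied values before placing them in the XML body.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Build the request body from the AD record (dscl output read from the AD node).
jss_location_xml() {
  local user real email dept phone
  user=$(dscl_value "$1" RecordName); user=${user%% *}   # first RecordName if several
  real=$(dscl_value "$1" RealName)
  email=$(dscl_value "$1" EMailAddress)
  dept=$(dscl_value "$1" dsAttrTypeNative:department)
  phone=$(dscl_value "$1" PhoneNumber)
  printf '<computer><location><username>%s</username><real_name>%s</real_name><email_address>%s</email_address><department>%s</department><phone>%s</phone></location></computer>' \
    "$(xml_escape "$user")" "$(xml_escape "$real")" "$(xml_escape "$email")" \
    "$(xml_escape "$dept")" "$(xml_escape "$phone")"
}

# Constructed samples of dscl output, used to try the parsing without a directory.
SAMPLE_LOCAL_RECORD=$(printf '%s\n' \
  'AppleMetaNodeLocation: /Local/Default' \
  'OriginalNodeName:' \
  ' /Active Directory/CORP/corp.example.com' \
  'RecordName: jdoe' \
  'UniqueID: 1234567890')
SAMPLE_LOCAL_ONLY=$(printf '%s\n' \
  'AppleMetaNodeLocation: /Local/Default' \
  'RecordName: admin' \
  'UniqueID: 501')
SAMPLE_AD_RECORD=$(printf '%s\n' \
  'RecordName: jdoe' \
  'RealName:' \
  ' Jane Doe' \
  'EMailAddress: jane.doe@corp.example.com' \
  'dsAttrTypeNative:department:' \
  ' Research & Development' \
  'PhoneNumber:' \
  ' +44 20 7946 0000')

# Live path: look up the console user (or the user given as $1) and submit.
# Runs only when JSS_URL is set, so the file can be sourced for its helpers.
main() {
  user="${1:-$(stat -f %Su /dev/console)}"
  local_record=$(dscl . -read "/Users/$user") || return 1
  if ! is_network_user "$local_record"; then
    echo "$user is a local account; nothing to submit"
    return 0
  fi
  ad_record=$(dscl "$(network_node "$local_record")" -read "/Users/$user") || return 1
  udid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ { print $4 }')
  curl -sf -u "$JSS_USER:$JSS_PASS" -H 'Content-Type: text/xml' -X PUT \
    -d "$(jss_location_xml "$ad_record")" "$JSS_URL/JSSResource/computers/udid/$udid"
}
if [ -n "${JSS_URL:-}" ]; then main "$@"; fi
```

Run it from a login policy with `JSS_URL`, `JSS_USER` and `JSS_PASS` exported for an API account that may only update computer records; the escaping step matters because department and display names come straight from AD and would otherwise be spliced into the XML unescaped.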
UPDATE: Now works with Lion, as it reads the correct node name as seen in Directory Utility.
Having recently started a new role, I needed a mechanism for my Mac users to map drives & printers at login.
Script Logic’s Desktop Authority is used by my new employer’s PC admins to mount drives & printers on the PC clients.
It uses AD security groups to map both drives & printers, & I decided to follow this methodology for the Mac clients.
This solution actually has 3 parts:
- AppleScript App
- Postflight Script
And below, I’ll piece it all together.