This issue of “AD users losing admin rights when off the domain” is a wee head-scratching moment that comes up from time to time.
Having recently updated the script I use to work around this issue, I decided it was time for a blog post.
The script, an explanation of it, and the issue itself are detailed below.
If your environment is based around Active Directory, chances are you leverage Active Directory Certificate Services (ADCS) as your internal public key infrastructure (PKI), and the certificates it issues may be used to authenticate clients to various services within your organisation.
As MacAdmins, we may need to configure our Macs to request certificates from ADCS; below are some hopefully helpful tips that might make that easier.
UPDATE: My fork of ADPassMon has now been merged into main & many changes have been made; for more information follow this link. The Wiki on the GitHub project replaces the details below.
Over the past two posts, I have detailed two issues with OS X 10.9 (Mavericks):
- No Password Expiration Warning At The Login Window
- The “Local Items” keychain
In looking at resolving issue 1, I revisited Peter Bukowinski’s excellent ADPassMon. This is a great app, but it has never quite suited my environment; as such, I grabbed the code off of GitHub & got stuck in.
This has resulted in me, on this most foolish of days & with a nervous excitement, announcing my ADPassMon fork. In time I hope this fork is merged into the main release.
So why did I go to all this trouble? What does it do? Read below.
UPDATE: My fork of ADPassMon has now been merged into main & many changes have been made; for more information follow this link.
The “Local Items” keychain is something that you may have the misfortune of running into in Mavericks when a password is changed via an external directory service, whether because it expired or because a user forgot it.
I spent some time tackling it when forking ADPassMon, so that users could change their password through ADPassMon rather than the Users & Groups preference pane, and have their login keychain password updated as well.
Below are my observations on the new keychain.
On testing Mavericks, I started seeing the prompt shown above when logging in.
We image our Macs with one partition for the system data & another for the user data.
That, in turn, allows us to re-image the Macs while preserving the user data.
Except that the permissions on the home folders will then be incorrect; running the script linked below resolves this issue 🙂
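One way to write such a fix-up script, as an added example and not the script linked from the original post: it assumes the home folders under the given directory are named after their account short names, and that those accounts (local or cached AD) resolve through `dscl` on the local node. The skip list (Shared, Guest, dotfiles) and the `/Users` default are assumptions about a typical 10.9 Mac rather than anything the post specifies.

```shell
#!/bin/sh
# Added example, not the original post's script: after re-imaging the system
# partition while keeping the user-data partition, each home folder may be
# owned by a UID the fresh install no longer maps to any account. Re-assign
# every home folder to the account that shares its name.
# Assumptions: accounts resolve via `dscl .` on the local node; home folders
# are named after the account short name.
set -u

# Folder names under /Users that are not per-user homes and must not be chowned.
# Returns 0 (skip) or 1 (process).
should_skip() {
  case "$1" in
    Shared|Guest|.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve a short name to "uid:gid" via the directory service.
# Returns non-zero (prints nothing) if the account is unknown, so the caller
# can leave that folder alone rather than guessing an owner.
lookup_owner() {
  local uid gid
  uid=$(dscl . -read "/Users/$1" UniqueID 2>/dev/null | awk '{print $2}')
  gid=$(dscl . -read "/Users/$1" PrimaryGroupID 2>/dev/null | awk '{print $2}')
  [ -n "$uid" ] && [ -n "$gid" ] || return 1
  printf '%s:%s\n' "$uid" "$gid"
}

# Walk the home folders under $1, fixing ownership for resolvable accounts and
# reporting the rest so they can be reviewed by hand instead of silently skipped.
fix_home_permissions() {
  local users_dir="$1" dir name owner
  for dir in "$users_dir"/*; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    should_skip "$name" && continue
    if owner=$(lookup_owner "$name"); then
      echo "Setting owner of $dir to $owner"
      chown -R "$owner" "$dir"
    else
      echo "WARNING: no account named '$name'; leaving $dir untouched" >&2
    fi
  done
}

# Only act when a directory is passed, e.g.: sudo sh fix_home_perms.sh /Users
if [ $# -gt 0 ]; then
  fix_home_permissions "$1"
fi
```

Leaving unresolvable folders untouched (and saying so on stderr) matters more than it looks: a home whose name matches no account is exactly the case where a blind `chown` to a guessed UID would hand one user's data to another.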