AD users losing Admin rights when off the Domain


This issue of “AD users losing Admin rights when off the Domain” is a wee head-scratching moment that comes up from time to time.

Having recently updated the script I use to work around this issue, I decided it was time for a blog post.

The script, an explanation of the script & the issue itself are detailed below.

Continue reading

OSX & AD Certificate Requests, some tips


If your environment is based around Active Directory, chances are you may leverage Active Directory Certificate Services (ADCS) as your internal public key infrastructure (PKI). The certificates it issues may then be used to authenticate clients to various services within your organisation.

As MacAdmins, we may need to configure our Macs to request certificates from our ADCS. Below are some hopefully helpful tips that might make that easier.

Continue reading

ANNOUNCING: ADPassmon v2 fork



UPDATE: My fork of ADPassMon has now been merged with main & many changes have been made, for more information follow this link. The Wiki on the GitHub project replaces the details below.


Over the past two posts, I have detailed two issues with 10.9:

  1. No Password Expiration Warning At The Login Window
  2. The “Local Items” keychain

In looking at resolving issue 1, I revisited Peter Bukowinski’s excellent ADPassMon. This is a great app, but it has never quite suited my environment, so I grabbed the code off of GitHub & got stuck in.

This has resulted in me, on this most foolish of days & with a nervous excitement, announcing my ADPassMon fork. In time I hope this fork is committed to the main release.

So why did I go to all this trouble? What does it do? Read below.

Continue reading

The “Local Items” Keychain In Mavericks

UPDATE: My fork of ADPassMon has now been merged with main & many changes have been made, for more information follow this link.

The “Local Items” keychain is something that you may have the misfortune of running into in Mavericks when changing passwords via an external directory service, whether due to password expiry or a user forgetting their password.

I spent some time tackling it when forking ADPassMon, so that users’ passwords could be updated through ADPassMon rather than via the pref pane, & the user’s keychain password updated at the same time.

Below are my observations on the new keychain.

Continue reading

How To: Check Your Active Directory Domain’s Time



So far I have posted 2 blog posts on How To: Set a Macs Time Server & How To: Sync Time With NTP via Script. Well, why am I posting this?

Continue reading

Correct AD Users’ Mobile Home Folder Permissions


We image our Macs with a partition for the System data & another for the User data.

That, in turn, allows us to image the Macs preserving the user data.

Except that the permissions on the home folders will be incorrect. For our solution to this, see below.

Continue reading

iDevice Mail Error: “Cannot Get Mail. The connection to the server failed” / “The operation couldn’t be completed. (DAErrorDomain error 111.)”


Infrequently we’ve been seeing the below error on some iDevices after enrolling them into our MDM solution.

“Cannot Get Mail. The connection to the server failed”

Plugging those devices into a computer running iPhone Configuration Utility would reveal the following errors in the logs.

“The operation couldn’t be completed. (DAErrorDomain error 111.)”

Realising this was perhaps more of an Exchange-side issue, we looked at the logs on the Exchange Server we were connecting to. These logs contained the following errors:

Continue reading

Submit User Information From AD Into The JSS At Login

UPDATE: Since 8.61+ User information can be submitted following the method outlined here.

For a couple of years now I’ve run various flavours of the below script via a login policy on my Mac clients.

The purpose of this script is to first check if the user is a network user &, if so, perform a lookup of their account against AD, grabbing information that can then be submitted to the JSS in the relevant fields as per the above.

See below for the script:

Continue reading

How To: Map Drives & Printers Based On AD Group Membership On OSX


UPDATE: Now works with Lion as it reads the correct node name as seen in Directory Utility.

Having recently started a new role, I needed a mechanism for my Mac users to map drives & printers at login.

Script Logic’s Desktop Authority is used by my new employer’s PC Admins to mount drives & printers on the PC clients.

This uses AD Security Groups to map both drives & printers, & I decided to follow this methodology for the Mac clients.

This solution actually has 3 parts:

  1. AppleScript App
  2. LaunchAgent
  3. Postflight Script

And below, I’ll piece it all together.

Continue reading