qbiq

macrumors member
Original poster
Jul 22, 2011
The scenario is like this: I've got one local "Admin" account on the machine and one AD user.

On the logon screen I've got the local user "Admin" and after that I've got "Other...", which I can use to log on with the AD username without any problems.

Can I set it so the AD user is "default" on the logon screen, so I only have to type the password for that AD user?
 
If you select the option for "Mobile Accounts" you can.
 
The AD is controlled from a Windows 2003 server; the mobile thing is only if you are using an OS X Server, right?
 
No, go to System Preferences -> Users -> Find user and click Mobile Account

What this does is cache the AD account locally, use AD for authentication and Kerberos only, and store everything locally like it was a normal local account.
 
I'm going to derail this topic for a second to ask you an AD question since you seem to know what you're talking about.

In our environment we have all of our AD users set to be administrators on their Macs by default. This isn't my choice but it's just something we're forced to deal with. When users log in with their AD credentials they are automatically created as an admin and their credentials are cached. When you go into "Accounts" it shows the administrator box checked and grayed out for the user since the setting is locked in. If the user then takes the computer home (most of our Macs are laptops) their cached credentials don't hold administrative rights off our network. What this forces us to do is:

- Have a tech sit down with each user
- Have them log in on the network for the first time
- Remove the network cable and reboot the computer
- Log in as the local administrator account (non-AD account)
- Manually check the "allow user to administer this computer" box for that user's AD account

Is this really the only way for this to function or are we completely missing something?
 
That's how it's supposed to work. Remember, when you are mobile it's just caching the credentials and the home folder (no policies). A way around this is to write a script that runs post-bind to add the network user to the local admin group.

Something like this should work:

dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin
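
Added example, not part of the original post: one way to write the post-bind script the reply above describes. It assumes the script runs as root (so the `-u`/`-p` admin credentials from the one-liner are not needed) and is passed the AD user's short name as its argument; the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes: run as root on the bound Mac,
# argument 1 is the AD user's short name. Function names are hypothetical.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Accept only plain short names, so the value can never be read as an option.
valid_shortname() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# True when the user is already a member of the local admin group.
is_admin() {
  "$DSEDITGROUP" -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Add the user to the local admin group only if needed, then confirm it.
grant_local_admin() {
  user="$1"
  if ! valid_shortname "$user"; then
    echo "refusing invalid short name: $user" >&2
    return 2
  fi
  if is_admin "$user"; then
    echo "$user is already in the local admin group"
    return 0
  fi
  # -n . targets the local directory node, as in the command quoted above.
  "$DSEDITGROUP" -o edit -n . -a "$user" -t user admin || return 1
  # Re-check membership so a silent failure is reported, not assumed away.
  is_admin "$user" || return 1
  echo "added $user to the local admin group"
}

if [ "$#" -gt 0 ]; then
  grant_local_admin "$1"
fi
```

Checking membership before and after the edit makes the script safe to re-run and leaves a clear line in the log for each machine it touched.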
 
Uh, where am I supposed to see the Mobile Account? I don't find that option :-O
 
MobileAccount.png


Found this screen cap on the google.
 
Strange, I don't have that option. The AD user is a user with Administrator rights; is there anything else I need to set up for the AD user? :-O
 
Here is a screenshot.
 

Doesn't matter if I do that, still the same options. Anyone?
 
Open up the Directory Utility, unbind and change the options to where you have to add a mobile account.
 
