Active Directory user on logon screen

Discussion in 'Mac OS X Lion (10.7)' started by qbiq, Oct 19, 2011.

  1. qbiq macrumors member

    Joined:
    Jul 22, 2011
    #1
    The scenario is like this: I've got one local "Admin" account on the machine and one AD user.

    On the logon screen I've got the local user "Admin" and after that I've got Other..., which I can use to log on with the AD username without any problems.

    Can I set it so the AD user is "default" on the logon screen, so I only have to type the passwd for that AD user?
     
  2. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #2
    If you select the option for "Mobile Accounts" you can.
     
  3. qbiq thread starter macrumors member

    Joined:
    Jul 22, 2011
    #3
    The AD is controlled from a Windows 2003 server; the mobile thing is only if you are using an OS X Server, right?
     
  4. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #4
    No, go to System Preferences -> Users -> find the user and click Mobile Account.

    What this does is cache the AD account locally; it uses AD for authentication and Kerberos only and stores everything locally like it was a normal local account.
     
  5. Blipp macrumors 6502

    Joined:
    Mar 14, 2011
    #5
    I'm going to derail this topic for a second to ask you an AD question since you seem to know what you're talking about.

    In our environment we have all of our AD users set to be administrators on their Macs by default. This isn't my choice but it's just something we're forced to deal with. When users log in with their AD credentials they are automatically created as an admin and their credentials are cached. When you go into "Accounts" it shows the administrator box checked and grayed for the user since the setting is locked in. If the user then takes the computer home (most of our Macs are laptops) their cached credentials don't hold administrative rights off our network. What this forces us to do is:

    -Have a tech sit down with each user
    -Have them log in on the network for the first time
    -Remove the network cable and reboot the computer
    -Log in as the local administrator account (non AD account)
    -Manually check the "allow user to administer this computer" box for that user's AD account

    Is this really the only way for this to function or are we completely missing something?
     
  6. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #6
    That's how it's supposed to work. Remember, when you are mobile it's just caching the credentials and the home folder (no policies). A way around this is to write a script that runs post-bind to add the network user to the local admin group.

    Something like this should work:

    dseditgroup -o edit -n . -u current_local_admin -p -a $USER admin
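
The post-bind script suggested in post #6, written out as an added example (not code from anyone in the thread). It assumes the script runs as root, so no local admin password is prompted for or stored; the function names and the DSEDITGROUP override are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to run as root after the bind
# (as root, no -u/-p local admin credentials are needed or kept in the script).
# DSEDITGROUP is a hypothetical override so the logic can be exercised with a stub.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Accept only plain short names: rejects empty, root, a leading '-' (option
# injection) and anything outside letters, digits, '.', '_' and '-'.
valid_short_name() {
    case "$1" in
        ''|root|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit status 0 when the user is a member of the local admin group.
is_local_admin() {
    "$DSEDITGROUP" -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Prints "already-member" or "added"; returns 2 on a bad name, 1 on failure.
grant_local_admin() {
    user="$1"
    if ! valid_short_name "$user"; then
        echo "refusing invalid short name" >&2
        return 2
    fi
    if is_local_admin "$user"; then
        echo "already-member"
        return 0
    fi
    # -n . targets the local directory node, as in the command posted above
    "$DSEDITGROUP" -o edit -n . -a "$user" -t user admin || return 1
    # Re-check membership instead of trusting the edit's exit status alone
    is_local_admin "$user" || return 1
    echo "added"
}

# Usage (as root): grant_local_admin "<AD short name>"
```

Because the helper is idempotent and refuses anything that is not a plain short name, it can be re-run at every login without adding duplicate entries or passing stray options to dseditgroup.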
     
  7. qbiq thread starter macrumors member

    Joined:
    Jul 22, 2011
    #7
    Uh, where am I supposed to see the Mobile Account? I don't find that option :-O
     
  8. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #8
    [​IMG]

    Found this screen cap on the google.
     
  9. qbiq thread starter macrumors member

    Joined:
    Jul 22, 2011
    #9
    Strange, I don't have that option. The AD user is a user with Administrator rights; is there anything else I need to set up for the AD user? :-O
     
  10. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #10
    Can you post a screenshot of your System Preferences -> Accounts pane?

    Something isn't right.
     
  11. qbiq thread starter macrumors member

    Joined:
    Jul 22, 2011
  12. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #12
    Unlock the pane; does the Mobile Account un-grey?
     
  13. qbiq thread starter macrumors member

    Joined:
    Jul 22, 2011
    #13
    Doesn't matter if I do that, still the same options. Anyone?
     
  14. Mattie Num Nums macrumors 68030

    Joined:
    Mar 5, 2009
    Location:
    USA
    #14
    Open up the Directory Utility, unbind and change the options to where you have to add a mobile account.
     
