Tuesday, March 27, 2012

OS X mobile user is not recognized as an admin

I've run into the problem more and more as we move our Mac users to laptops. I have an Active Directory security group set up for them, and assign that group admin rights in Directory Utility when binding the Mac to the domain. However, if the Mac cannot access a domain controller and instead uses the mobile credentials, that user does not have admin privileges until the next time they log in while connected to the network.

You'd think this would be a simple thing for Apple to include, but at least there is an easy workaround. To get around this:

1. Log in as the domain user if you haven't already. This will create a mobile profile for them on the machine.
2. Shut down
3. Disconnect from the network
4. Boot up and log in using a local admin account
5. Open System Preferences->Users & Groups, and unlock it if necessary
6. Click on the domain user from step 1 and check the box marked "Allow user to administer this computer"
7. Close and reboot

If you want to test this, leave the network disconnected and log in with the domain user account. You should now have admin privileges on the machine in your mobile account. I don't know why I didn't think of this sooner, but thanks to this article for the resolution.
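The same change can be made and verified from Terminal instead of System Preferences. This is an added example, not part of the original post: it assumes macOS's `dscl` and `dseditgroup` tools, treats the checkbox in step 6 as membership of the local `admin` group, assumes a mobile account is recognizable by a `LocalCachedUser` entry in its `AuthenticationAuthority`, and uses `jdoe` as a placeholder short name.

```shell
#!/bin/sh
# Added example, not from the original post. Run as root from the local
# admin account (step 4).
# Assumes macOS's dscl and dseditgroup; "jdoe" below is a placeholder.

# True if a cached mobile account for this short name exists in the local
# directory node (created by the first domain login in step 1).
has_mobile_record() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null |
        grep -q 'LocalCachedUser'
}

# True if the user is a member of the local "admin" group.
is_local_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Counterpart of ticking "Allow user to administer this computer".
# Returns 0 on success, 1 if the change failed, 2 if no mobile account exists.
grant_offline_admin() {
    target=$1
    if ! has_mobile_record "$target"; then
        echo "No mobile account cached for $target; complete step 1 first." >&2
        return 2
    fi
    if is_local_admin "$target"; then
        echo "$target is already in the local admin group."
        return 0
    fi
    dseditgroup -o edit -a "$target" -t user admin || return 1
    is_local_admin "$target"   # confirm the change took effect
}

# Usage: grant_offline_admin jdoe
```

Membership granted this way is stored on the Mac itself, so removing the user from the Active Directory security group does not revoke it. Running `is_local_admin` for each mobile account is a quick way to audit which laptops still carry that local grant.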