MacOS – Mobile Account as Administrators Not Working While Mobile

Tags: active-directory, administrator, macos, network-user

I had a user that was set up to administer an OS X machine. That user is an AD account, with mobile accounts enabled. The user's AD group is set to allow administration using the directory utility.

I was contacted by the user while he was on the road, saying that he couldn't install a program. It would ask for an administrative user and password, and the dialog would bounce when he entered his information.

When he got to one of our offices, he connected to their network and it let him install the application.

Do the settings for users in an AD group allowed to administer the machine only work when the machine is in communication with the AD servers, even with mobile accounts set up to cache user credentials? Is there a way to cache the fact that user Bob is able to administer the machine without creating a separate user account?

Best Answer

I have encountered the same issue with our Mountain Lion image for our MacBook Pro machines when they are connected to our (2008 R2) domain. When connected they are able to administer, but when disconnected the ability to administer is removed. I even enabled administration by the Domain Users security group, but this did not help.

What I do to correct this issue is ensure the mobile account has been created on the machine, then log in with the hidden local admin account, disconnect all networking (turn Wi-Fi off and unplug from the LAN), then restart the machine. Log in once again with the local admin account, then set the "Allow user to administer this computer" flag for the user's mobile account. You then have to restart the MacBook once more (for the change to be embedded). You can then either log in yourself using the local admin account or allow the mobile user to log back into the machine, and turn the networking (Wi-Fi) back on or plug back into the network, depending on your architecture. Yes, it is a manual process, but it is the only one I have found so far that works.

When the machine is connected to the domain it can validate the domain security group the user is part of, and set the administration option appropriately. I can only surmise that OS X does NOT store domain security information, so that when disconnected from the domain the security group cannot be determined, so it reverts to the "local" mobile account option (which we have now set to allow administration). I do not know if this same issue applies when using Open Directory.

I hope this helps.
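The "Allow user to administer this computer" checkbox in the answer above does one concrete thing: it adds the mobile account to the Mac's local `admin` group, which is evaluated from the local directory node and therefore works with no domain in reach. The AD plugin's "Allowed admin groups" mapping, by contrast, is only resolved when the domain controller can be queried. The script below is an added example, not code from the original question or answer; it shows how to check both states from the Terminal and how to apply the same fix the checkbox applies, using the standard `dseditgroup` and `dsconfigad` tools. It assumes macOS with the AD plugin configured, and the user name `bob` is a placeholder. One caveat worth stating: a local `admin` membership added this way is independent of AD, so removing the user from the AD admin group later will not revoke it; you have to remove the local membership as well.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an AD mobile account
# holds admin rights that survive being off the domain, and optionally grant them.
# Assumes macOS with the Active Directory plugin bound; "bob" is a placeholder.

# `dseditgroup -o checkmember -m <user> <group>` prints one line, either
#   "yes <user> is a member of <group>"  or
#   "no <user> is NOT a member of <group>".
# This helper classifies that text: returns 0 when it says "member", else 1.
is_member_text() {
    case "$1" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Live check: is the user in the *local* admin group (the offline-safe path)?
is_local_admin() {
    out=$(dseditgroup -o checkmember -m "$1" admin 2>/dev/null) || return 1
    is_member_text "$out"
}

# Pull the AD groups mapped to admin out of `dsconfigad -show` output.
# Line format assumed: "Allowed admin groups = DOMAIN\Group1,DOMAIN\Group2".
# These rights only apply while the domain controller is reachable.
admin_groups_from_text() {
    printf '%s\n' "$1" |
        sed -n 's/^Allowed admin groups[[:space:]]*=[[:space:]]*//p'
}

# Grant the offline-safe right: same effect as the "Allow user to administer
# this computer" checkbox. Must run as root (sudo).
make_local_admin() {
    dseditgroup -o edit -n /Local/Default -a "$1" -t user admin
}

usage() {
    printf 'usage: %s check|fix <username>\n' "$0"
}

case "${1:-}" in
    check)
        user=${2:?username required}
        echo "AD groups mapped to admin (domain must be reachable to use):"
        echo "  $(admin_groups_from_text "$(dsconfigad -show 2>/dev/null)")"
        if is_local_admin "$user"; then
            echo "$user IS in the local admin group: admin rights work offline"
        else
            echo "$user is NOT in the local admin group: admin rights depend on AD lookup"
        fi
        ;;
    fix)
        user=${2:?username required}
        make_local_admin "$user" && echo "$user added to local admin group"
        ;;
    *)
        usage
        ;;
esac
```

Run `sudo ./adminoffline.sh check bob` while the Mac is disconnected from the network to confirm which path the admin prompt will take, and `sudo ./adminoffline.sh fix bob` once the mobile account already exists on the machine. To undo it later, `dseditgroup -o edit -n /Local/Default -d bob -t user admin` removes the local membership.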