MacOS – Sudoers file plist

macos, mobile-device-management, sudo

We are using OS X Server profiles to configure our fleet of Active Directory-connected MacBooks.

When our laptops are not connected to the internal network (or via VPN), their AD group membership is lost. Sudo is locally configured to allow an AD admin group access to sudo; however, when AD is unavailable, users can no longer sudo.

The best solution would be to allow group membership to be cached locally, but since I believe this to be impossible (read: undocumented), I'm searching for a plist that would allow me to add the local user (using %shortname) to the sudoers file.

Best Answer

You can cache AD credentials by creating a "mobile account" on each machine. From Directory Utility > Active Directory > open disclosure triangle > User Experience > Create mobile account at login. Although, I will warn you, I have had some permissions issues when 'creating a mobile account' after the home folder/user has already been created.
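An added example, not part of the original answer: a small audit script that reports whether a user already exists as a mobile (cached) account, as a plain local account (the case the answer warns about), or not at all. The function names and the sample strings are constructed for illustration, and the `dsconfigad -show` line format is assumed from typical output.

```shell
#!/bin/sh
# Audit helper for AD mobile accounts on macOS (added example).
# Command-line equivalent of the Directory Utility checkbox, run as root:
#   dsconfigad -mobile enable

# Succeeds if `dsconfigad -show` text (stdin) reports mobile accounts enabled.
mobile_enabled() {
    grep -Eiq 'Create mobile account at login[[:space:]]*=[[:space:]]*Enabled'
}

# Succeeds if an AuthenticationAuthority value (stdin) marks a cached AD account.
is_mobile_account() {
    grep -Fq ';LocalCachedUser;'
}

# classify SHOW_TEXT AUTH_TEXT
#   mobile                 - account is already cached locally
#   local-existing         - account exists but is not a mobile account
#   absent-mobile-enabled  - no record yet; one is created at next AD login
#   absent-mobile-disabled - no record and mobile accounts are turned off
classify() {
    if printf '%s\n' "$2" | is_mobile_account; then
        echo mobile
    elif [ -n "$2" ]; then
        echo local-existing
    elif printf '%s\n' "$1" | mobile_enabled; then
        echo absent-mobile-enabled
    else
        echo absent-mobile-disabled
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_SHOW_ON='  Create mobile account at login = Enabled'
SAMPLE_SHOW_OFF='  Create mobile account at login = Disabled'
SAMPLE_AUTH_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_AUTH_MOBILE="$SAMPLE_AUTH_LOCAL ;LocalCachedUser;/Active Directory/EXAMPLE:jdoe:00000000-0000-0000-0000-000000000000"

# On a Mac, pass a short name as the first argument to check a real account.
if command -v dsconfigad >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    classify "$(dsconfigad -show 2>/dev/null)" \
             "$(dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null)"
fi
```

A `local-existing` result identifies machines where the home folder and user were created before mobile accounts were enabled, so they can be reviewed before the setting is pushed fleet-wide.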