Make Home Directories Not Persist

keychain, password

We have a Macintosh being used by many people. They use Active Directory so they can get their own home directory in which documents can be cached, credentials are partitioned from other users, etc. The machine is running 10.9.

The problem is that they periodically get a keychain error, where they're not synced after a change on the AD server. I don't know if the problem originates with a dialog box not being checked or a communication issue between server and machine (although there shouldn't be any problem with that… implementation of keychain and AD integration?)

We tried a solution suggested by an Apple engineer; turn off mobile accounts, hoping that there wouldn't be a keychain issue if the home directory doesn't persist on the Mac (no keychain file, no complaints about incorrect password.) The on-site IT person said that in testing, it appears that the home directories still persist across logoffs and restarts.

Using a local login doesn't have the keychain issue, but then users will log in and download documents, keep themselves logged into services like email, etc., making it easy to leak data to different people.

The onsite person wants to run a periodic script that just deletes home directories or the keychain files, but I'm afraid this is more of a band-aid rather than a solution to the problem.

Am I missing something with the not-creating-a-mobile-account settings to keep home directories from persisting? Or am I looking at the wrong approach to the problem? I'd prefer to have the OS solution rather than third party software if possible.
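The periodic cleanup script mentioned above is a band-aid, but if it is used it should at least be hard to misuse. The following is an added example, not code from the original post or from Apple: a purge routine that removes only direct children of the home root, skips local accounts (looked up with `dscl . -list /Users` on the Mac, or read from a file so it can be tested on a scratch directory), never follows a symlink, and refuses a non-absolute root. The home root `/Users`, the `PURGE_HOMES_ROOT` variable and the `purge-homes` log tag are assumptions for this example; on 10.9 the script could be attached as a login window LogoutHook or run from a launchd job.

```shell
#!/bin/sh
# Added example (not from the original post): purge cached home directories
# of network (AD) accounts on a shared Mac, leaving local accounts alone.
# Assumptions: homes live directly under the given root (normally /Users);
# local accounts are those Directory Services lists for the local node.

# Names of local accounts. With a file argument the names are read from it
# (used for offline testing); otherwise the local directory node is queried.
local_users() {
    if [ -n "$1" ]; then
        cat "$1"
    else
        dscl . -list /Users
    fi
}

# True (exit 0) if this home must never be removed: a local user, the Guest
# home (the OS already wipes it at logout) or the Shared folder.
is_protected() {
    name="$1"; users="$2"
    case "$name" in
        Guest|Shared) return 0 ;;
    esac
    printf '%s\n' "$users" | grep -qxF -- "$name"
}

# purge_network_homes ROOT [LOCAL_USER_FILE]
# Removes cached homes of non-local accounts under ROOT and prints how many
# were removed. Only real directories that are direct children of ROOT are
# touched: symlinks are skipped so a planted link cannot redirect the delete.
purge_network_homes() {
    root="$1"; userfile="$2"
    case "$root" in
        /*) ;;
        *) echo "home root must be an absolute path" >&2; return 2 ;;
    esac
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    users="$(local_users "$userfile")"
    removed=0
    for home in "$root"/*; do
        [ -L "$home" ] && continue      # never follow symlinks
        [ -d "$home" ] || continue      # ignore stray files
        name="${home##*/}"
        if is_protected "$name" "$users"; then
            continue
        fi
        rm -rf -- "$home"
        # Log the removal; logger is optional, so a missing binary is not fatal.
        logger -t purge-homes "removed cached home $home" 2>/dev/null || true
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Real run, e.g. from a LogoutHook: PURGE_HOMES_ROOT=/Users sh purge-homes.sh
if [ -n "${PURGE_HOMES_ROOT:-}" ]; then
    purge_network_homes "$PURGE_HOMES_ROOT"
fi
```

Note that this deletes whatever the user left in the cached home, keychain included, so any document not saved to the server is gone at the next run; that is the point, but it is also why the guest account approach in the answer below needs no such script.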

Best Answer

Have you tried a guest account? Perfect for kiosk-type walk up and walk away needs. They don't have full permissions, and all their files disappear at log out.

Does this sound like a good fit? In combination with a forced log out after X minutes idle.

http://support.apple.com/kb/PH11186