0

We have multiple users running on Apple Macs in our environment; day to day they are admins of their local machines. This is done by adding a group to the domain configuration to allow administration.

When the user isn't in the office, however, they lose this right. If they dial into a VPN it will occasionally temporarily re-grant rights; however, is there a way to make this more permanent?

Antitribu

2 Answers

1

I found this question while I was about to ask a similar question.

I think we are both in the same boat, but I can "fix" your issue; my issue goes one step further.

When you Bind your Mac machines to the Active Directory domain and you "Allow administration by" your Domain Group, this allows users to administer this machine while on the domain. (image 1)

I have found that to give FULL local admin rights, you need to go back to Users & Groups, unlock the settings using an admin account, select the user, and tick "Allow user to administer this computer" (image 2). That user will now have Admin rights ON & OFF the network.

Hope that fixes your issue and I will continue to search for my answer :)

Domain Binding Groups

Users & Groups

medoix
0

So you're constantly moving them out of the admin group? Granting and removing admin rights on an as needed basis?

Seems like a lot of work on your end and I'd highly recommend getting a Mac mini server and Apple Remote Desktop. The amount of time that can save you is beyond the price of it.

But, if you're attempting to make people admins and leave them that way there are a few things you'd need to do. Check your AD settings and make sure the Macs are bound properly; there are tons of resources for that online. The computers will still have to occasionally check in with the AD/OD to get system preferences. Also make sure you're creating local accounts.

Yet, the easiest way to handle all of this is to go into sys prefs, accounts and give the user admin rights there.
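
An added example, not part of either answer above: ticking "Allow user to administer this computer" places the account in the Mac's local `admin` group, so that group is what to review once rights are granted permanently. This sh script lists the group with `dscl` and flags accounts outside an approved set; the approved names and the sample `dscl` output are constructed assumptions.

```shell
#!/bin/sh
# Audit the local admin group on a Mac and flag accounts that are not
# on an approved list. Off a Mac (no dscl) it falls back to a constructed
# sample line so the logic can still be exercised.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_DSCL='GroupMembership: root itadmin jsmith'

# Hypothetical list of accounts that are meant to hold local admin rights.
APPROVED="root itadmin"

# Read dscl output on stdin, print one short name per line.
parse_membership() {
    sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# Print the members recorded in the local admin group.
local_admins() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null | parse_membership
    else
        printf '%s\n' "$SAMPLE_DSCL" | parse_membership
    fi
}

# unexpected_admins "<approved names>": read names on stdin and print
# those that are not in the approved list.
unexpected_admins() {
    approved=" $1 "
    while IFS= read -r name; do
        case "$approved" in
            *" $name "*) ;;                 # approved, nothing to report
            *) printf '%s\n' "$name" ;;     # holds admin rights, not approved
        esac
    done
}

# Full check: every local admin that is not on the approved list.
audit() {
    local_admins | unexpected_admins "$APPROVED"
}

audit
```

The script reads only the local directory's group record; it does not evaluate the domain groups set under "Allow administration by".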