Standard User Mobile Accounts

danshaw
Contributor II

Anyone know what dictates whether a user is created as an admin or a standard user when creating a mobile account for the first time? It always defaults to admin for us, but I am curious how to make it default to a standard user. Trying not to need a script that runs and converts it. :)

4 REPLIES

mm2270
Legendary Contributor III

Are the accounts only "admin" while in range of your domain controllers? Meaning, do they lose admin if they are taken off the network? If so, look in Directory Utility under the Administrative tab for the AD bind settings. There may be an "Allow administration by" group listed there that the accounts are part of.

Otherwise, as far as I know, new mobile accounts should be created as standard users, at least in my experience.

danshaw
Contributor II

No, they do not lose admin rights when not on the network. It's there all of the time. There must be something that is elevating them because the binding we have set up in the JSS doesn't have any preferences to set if they are admin or not.

I'm also going to look at dsconfigad and see if there is a flag somewhere that causes this.

mm2270
Legendary Contributor III

Ok, another question. Are they becoming admins when logging onto the Mac while connected to the network? Meaning, when the accounts are created "at login"? If so, can you try pre-creating the accounts with createmobileaccount as in:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n accountname

Or are you doing that already? I'm wondering if there's some difference between the 2 scenarios.

danshaw
Contributor II

@mm2270 - Yes, in order for us to bind to AD and set up mobile accounts we are doing this while inside and connected to the network at our corporate office. Currently we use the JSS directory binding to bind on enrollment after we image.
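The check discussed in this thread (the "Allow administration by" groups of the AD bind, visible through dsconfigad) can be scripted. The following is an added example, not code from any poster in the thread; the sample output is constructed, the `Allowed admin groups` line format and the list of "broad" group names are assumptions, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: find out why AD mobile accounts end up with local admin rights.

# Constructed sample of `dsconfigad -show` output (format assumed, values invented).
SAMPLE_SHOW='Active Directory Domain          = corp.example.com
Computer Account                 = mac-001$

Advanced Options - User Experience
  Create mobile account at login = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain admins, Domain Users
  Authentication from any domain = Enabled'

# Read `dsconfigad -show` text on stdin, print one allowed admin group per line.
allowed_admin_groups() {
  awk -F' = ' '/^[ \t]*Allowed admin groups[ \t]*=/ {
    if ($2 == "" || $2 == "not set") exit
    n = split($2, g, ",")
    for (i = 1; i <= n; i++) {
      gsub(/^[ \t]+|[ \t]+$/, "", g[i])
      if (g[i] != "") print g[i]
    }
  }'
}

# Keep only groups that would make nearly every directory user an admin
# (assumed list; an optional DOMAIN\ prefix is tolerated).
broad_admin_groups() {
  grep -i -x -E '(.*\\)?(domain users|authenticated users|everyone)' || true
}

# On a bound Mac: flag broad groups and test one account (short name passed as $1).
if command -v dsconfigad >/dev/null 2>&1; then
  dsconfigad -show | allowed_admin_groups | broad_admin_groups |
    sed 's/^/WARNING: broad AD group grants local admin: /'
  user="${1:-}"
  if [ -n "$user" ] && dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
    echo "$user is an effective admin; direct members of the local admin group:"
    dscl . -read /Groups/admin GroupMembership
  fi
fi
```

If a broad group is listed, `dsconfigad -groups` with a narrower list, or `dsconfigad -nogroups`, changes the setting on the bind. If the account appears as a direct member of the local admin group instead, the elevation is coming from somewhere other than the bind settings.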