What would cause one person, and only one person's, login credentials to allow them to logon to any pc, but not allow that same person to logon to any mac, in an AD environment?
In addition, if you unplug any mac from the network and that same person (who has previously has logged onto that mac and has a mobile account created), CAN logon to the mac. Once you plug the network cable back into the mac, that person can not perform a basic task such as turning off the screen lock in system preferences. (as a task like this asks for the users credentials). That user can perform this task if not plugged into the network. (this is not an admin action. Any standard user can perform this task) The user can do tasks as long as the computer is not plugged into the network.
These macs can either have jamf installed or not have jamf installed. One mac we wiped out and immediately bound it to our domain.
The os's are from El cap to Mojave.
I ran verbose logging on a mac and surprisingly, there are no errors when it fails.It does have errors when another user tries to login with an invalid password. The domain controller has no errors when this user fails the login attempt. The mac just shakes its head no. It fails between 3-4 seconds. A user trying to login with an invalid account or password fails in about a minutes time.
How would you go about denying one persons login from logging in to macs only?