4 Replies Latest reply: Jul 2, 2012 12:25 PM by harmane
Marc Monaro Level 1 Level 1 (75 points)

Hi Group!


We have a local Admin account on all Macs, enterprise wide, for local and remote administration.

All Macs are joined to Active Directory. Our users DO NOT have Admin rights.


On ALL our LION Macs (10.7.4), when joined to Active Directory, we lose functionality to the local Admin account.

We can log into the local Admin account, but the desktop is useless. Nothing opens. We cannot create any files/folders without getting an Access Denied error.

AND then best part... everything on the Desktop, files/folders, are gone! Almost like a bran spankin' new account. With no access to anything locally.


Any thoughts?




Mac Pro, Mac OS X (10.7.3)
  • Strontium90 Level 4 Level 4 (3,700 points)

    I am guessing you used the same name for the local admin account that you used in AD?  If so, then you are likely authenticating to the domain but being dropped into the local admin's account.  Try this.


    Pull the ethernet cable and reboot.

    Now try and log in as the local admin.  What are the results?


    If you have a name conflict, then the best advice is to change the name of the local admin account.  You did not name it administrator, did you?

  • Marc Monaro Level 1 Level 1 (75 points)

    Hi Strontuim90, thanks for the response!


    No, the Admin account is a local account. Never AD'd. And it's the same on all our Macs. Name too!

    But the Admin is account is named, 'ADMIN'. Not ADMINISTRATOR.

    Not sure if that has any consequence!


    I'll try the ethernet cable trick.

  • Strontium90 Level 4 Level 4 (3,700 points)

    I understand it is local.  But, if I create a local account named mmonaro and there is a domain account named mmonaro, then which one wins?  There are cases in which what you describe could result from a name conflict.  Consider this. The local Admin account has a UID of 501 and some GUID value generated at account creation.  At that time, the home folder was created and permissions were set to the GUID value of the local admin account.  Then the machine was bound to a domain that happen to have an account with the same name but different GUID.  So, the issue could be that you are logging in to the machine using the short name and possibly the same password (bad idea) and instead of giving you the rights to the local admin account you are pulling the GUID value of the domain account.  But, you are mapped to the same home folder since the name is the same.


    This is a theory but based on what you've described and what I've seen in the past, this sounds like a plausible explanation for your woes.

  • harmane Level 1 Level 1 (0 points)

    I was having this issue up until about 15 minutes ago and had in fact created a local admin account named "Administrator". I was able to get into that local admin account by unplugging from the network and then re-created my local admin account with a username of "admin". Rebooted and still could not get into the local admin account. Unplugged again and was able to log into the local admin account after reboot. I also could not log into my personal domain account as a side issue. This was also related to using a local account of the same name which wasn't completely deleted after creating an image of my profile.


    Once logged into the local admin account, I then plugged in the ethernet cable while on the User and Groups section of Sys. Prefs. > Login Options and an option appeared to allow network users to login at login window with a line through the selection button. I clicked on option and saw no users or groups where selected. I changed it to all network users and rebooted connected to the network. Once I did that, I was both able to login to my personal domain account as well as the local admin account. I have no idea if that is the solution or the client just need a couple more reboots for everything to settle but it seems to be functioning.


    I just checked a 10.6.8 client and it has the same option to allow network users login privileges, although in a slightly different place, but by default all network users are selected. I am positive I did not change this manually on this client. I also use an edited APS script for binding clients to AD, adding a firmware password, the location for apple computer accounts in AD, and adding AD groups allowed to manage apple clients. This is the first Lion client I've used with the script so maybe there is something in there that needs to be explicitly set to allow network users login rights.