4 Replies Latest reply: Jul 4, 2013 10:50 AM by MRCUR
MRCUR Level 2 (425 points)

Hi everyone,

 

We have all of our Macs (running 10.7) bound to AD through the native plugin. We have the AD plugin set to create mobile accounts. We create three local groups on each machine and add the equivalent AD groups to the local groups. For instance, we have a local group called Students which has the member DOMAIN\AD Students. We then use local managed preferences to launch a login script to map drives for these accounts, which works correctly based on group membership.

We've now set these same three local groups to have mobile account expiration. On a test machine, we set it to 2 days. We then logged in with a test account and rebooted, logged in again, and rebooted. After waiting all week, the account is still there (along with all of the other mobile accounts, but we don't know exactly when those students had logged in).

Is there any place to check the last time a user logged in? Does our setup sound like it should even work?

 

Thanks!

 

-MRCUR

  • MRCUR Level 2 (425 points)

    Anyone have a guess?

  • MRCUR Level 2 (425 points)

    When logging in with an AD user, the "lastLoginTime" is not set on the mobile account. This seems to be the root cause of the accounts not expiring as expected, as the lastLoginTime is used to determine when the account should expire.

     

    This unfortunately seems like expected behavior when using AD accounts as opposed to local or OD accounts.

  • Peter Greco Level 1 (35 points)

    Has there been a solution to AD accounts and account expiry? I've used this with great success on 10.68 but it has been causing distress with 10.84. Any solutions would be greatly appreciated.

     

    Pete

  • MRCUR Level 2 (425 points)

    Unfortunately this is still an issue for us on 10.8.4 as well. We've pretty much abandoned the idea of using mobile AD accounts and having the OS automatically delete them.