Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1385: local "administrator" account on Mac losing its admin privileges

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:06 AM

Applies to: Centrify DirectControl in Workstation Mode on all Mac OS X

Problem:
After installing DirectControl & joining the Mac to the AD domain in workstation mode, local "administrator" or "admin" or "whatever_name_used_for_localadmin" user account will lose admin privileges.

Side affects: local admin account can login but cannot unlock system preferences using its own credentials or inability to run commands using sudo in terminal etc.

Cause:
When a machine is joined in "Workstation mode", the entire Active Directory domain is treated as a zone which means any user in the Active Directory can log into the Mac machine.

By default in Active Directory domain, there exists a built-in user called "administrator". After the machine is joined to the domain, adclient finds this account in AD hence expects an AD password vs local which leads to login issues, losing of admin privileges problems.

The same behavior persists, if your "whatever_name_used_for_localadmin" exists in AD too.


Workaround:
Before joining the machine to the domain, please get the unix name of all the local admin accounts and add them into /etc/centrifydc/user.ignore and run the command "adreload" in the terminal.

Note: If you have already joined the machine to the domain and lost admin privileges, please follow the below steps:

1) Boot mac in single usermode by pressing  Apple logo key and 's'. See link (http://support.apple.com/kb/HT1492) for more info.
2) Next run the fsck & mount commands as shown on the screen. Typically they are:

/sbin/fsck -fy
/sbin/mount -uw /

3) Now run the below command to add "administrator" or "whatever_name_used_for_localadmin" to user.ignore

echo "administrator" >> /etc/centrifydc/user.ignore
or
echo "whatever_name_used_for_localadmin" >> /etc/centrifydc/user.ignore

Note: whatever_name_used_for_localadmin is just an example, replace it with your local admin accounts username

4) Now reboot the machine.

5) Login with the local administrator or whatever_name_used_for_localadmin to check if you got the admin privileges back.

Resolution:
Please add "administrator", "admin" or conflicting user accounts into user.ignore after installing DirectControl 4.4.0.

echo "administrator" >> /etc/centrifydc/user.ignore
echo "admin" >> /etc/centrifydc/user.ignore

Reboot the machine.

Centrify has fixed "admin or administrator" accounts in DirectControl 4.4.1 however any other admin accounts will have to be manually added to /etc/centrifydc/user.ignore. Future releases of software will warn the presence of these admin accounts when adcheck is run (prior to adjoin).

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.