Applies to: All versions of Centrify DirectControl on Mac OS X
The following group policy has been enabled, and an AD security group called "Local Admins@domain.com" has been added to the list:
Computer Configuration / Centrify Settings / Mac OS X Settings / Accounts / "Map zone groups to local admin group"
However, members of that group are not being detected as local admin users when they log in to a target Mac.
How can this GP be used properly?
The group name format for this policy differs depending on whether the target Mac systems are joined in Zone mode or Auto Zone mode.
=== Auto Zone ===
If the Mac systems are joined in Auto Zone mode, then the format should be:
AD Group Name@domain.com
Note: This is the default format returned by the Browse button when adding the group to the list.
=== Zone Mode ===
If the Mac systems are joined in Zone Mode, then the GP should use the UNIX group name as entered in the DirectManage / DirectControl console.
The Browse button cannot be used here; the name must be entered manually.
Note that if both Auto Zone and Zone mode systems are in the same environment, both formats can be entered in the GP at the same time.
== For Zone Mode environments only: Adding an AD group into a Zone ==
- Open the DirectManage / DirectControl console and expand the target Zone > UNIX Data > Groups.
- Right-click, select "Create UNIX Group...", search for the AD group to be added, and enter a GID and UNIX group name.
- Once the GP has been configured and the UNIX profile for the AD group has been created, go to the Mac, open the Terminal and run the following command:
adquery user -A ad_username
- Look in the unixGroups: section of the adquery output. If the user is a member of that AD group, the UNIX group name will appear in that list.
- Once the UNIX group name matches the name entered in the GP, the user will be recognised as a local admin account the next time they log in to the Mac.
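The check in the last two steps can be scripted so that the name in the GP is compared exactly against the unixGroups list, which catches the near-miss names (trailing spaces, "localadmin" vs "localadmins") that cause members to go undetected. This is an added example, not Centrify tooling; it assumes adquery prints one key:value field per line with unixGroups as a comma-separated value, and the sample output below is constructed.

```shell
#!/bin/sh
# check_local_admin.sh: verify that a user's adquery unixGroups list contains
# the UNIX group name configured in "Map zone groups to local admin group".
# Added example; field layout of `adquery user -A` is assumed, not documented here.

# Print the comma-separated unixGroups value from adquery -A output on stdin.
unix_groups_of() {
    sed -n 's/^unixGroups:[[:space:]]*//p'
}

# Return 0 if group $2 appears (exact, whole-name match) in the list $1.
# -x forces a whole-line match and -F disables regex so "localadmin" does
# not match "localadmins" and names with dots are taken literally.
group_in_list() {
    list=$1
    wanted=$2
    printf '%s\n' "$list" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qxF -- "$wanted"
}

# Read adquery output from stdin and check for the GP's UNIX group name.
user_has_unix_group() {
    wanted=$1
    groups=$(unix_groups_of)
    group_in_list "$groups" "$wanted"
}

# Constructed sample shaped like `adquery user -A ad_username` (not real output).
SAMPLE_ADQUERY='samAccountName:jsmith
unixname:jsmith
uid:10001
gid:10001
unixGroups:localadmins, developers
zoneEnabled:true'

# Usage: check_local_admin.sh <ad_username> <unix_group_from_gp>
# Falls back to the constructed sample when adquery is not available.
if command -v adquery >/dev/null 2>&1 && [ -n "$2" ]; then
    if adquery user -A "$1" | user_has_unix_group "$2"; then
        echo "$1 is in UNIX group '$2': will be mapped to local admin"
    else
        echo "$1 is NOT in UNIX group '$2': check the GP name and zone profile"
    fi
else
    printf '%s\n' "$SAMPLE_ADQUERY" | user_has_unix_group localadmins \
        && echo "sample user jsmith would be mapped to local admin"
fi
```

Run it on the Mac as `sh check_local_admin.sh ad_username unix_group_name`, using the UNIX group name exactly as it appears in the GP.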