
KB-4913: Active Directory Groups no longer displayed in Network Groups section of user selection dialogs

Centrify Identity Service, Mac Edition

12 April,16 at 11:17 AM

Applies to: Centrify DirectControl for Mac 5.2 and higher

Problem:

Active Directory Groups are no longer displayed in the Network Groups section of user selection dialogs in OS X:



Cause:

Prepending the NTLM domain name to the group name was introduced to reduce the time taken to search AD groups. This change caused OS X to be unable to display those AD groups within the GUI.


Resolution:
  1. Log into the Mac as Local Admin and open the following file for editing: 
    • /etc/centrifydc/centrifydc.conf
  2. Add the following line to the bottom of the file:
    • mac.group.name.prepend.ntlm.domain: true
  3. Save and close the configuration file.
  4. Open the Terminal and run:
    • sudo /usr/share/centrifydc/bin/dsconfig restart 
    • sudo adflush
    • dscacheutil -flushcache 
  5. The groups will now be visible in the dialogs again.


Note: Group policy can also be used to push the configuration change to all computers:
  1. Edit or create a new GPO and navigate to the following GP:
    • Computer Policies > Centrify Settings > DirectControl Settings > "Add centrifydc.conf properties"
  2. Enable the policy and add a property with the following:
    • Property name: mac.group.name.prepend.ntlm.domain
    • Property value: true
  3. Restart the Mac so that the changes are applied at the next login.


Note:
  • This will change how the groups are displayed when running the id command on an AD user:
  • Before change: 
    • MacBookProFrank:~ macadmin$ id alb 
    • uid=289408170(alb) gid=20(staff) groups=20(staff), 289407489(domain users), 12(everyone), 62(netaccounts), 289408171(test_group), 289408223(test123), 401(com.apple.sharepoint.group.1), 80(admin), 98(_lpadmin), 206(com.apple.access_loginwindow)
  • After change: 
    • MacBookProFrank:~ macadmin$ id alb 
    • uid=289408170(alb) gid=20(staff) groups=20(staff), 289407489(ALBERT3\Domain Users), 12(everyone), 62(netaccounts), 289408171(ALBERT3\test_group), 289408223(ALBERT3\test123), 401(com.apple.sharepoint.group.1), 80(admin), 98(_lpadmin), 206(com.apple.access_loginwindow)
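The manual edit from the Resolution steps and the id comparison from the note above, as an added shell example (not Centrify's own tooling). The helper names set_conf_property and domain_prefixed_groups are hypothetical; the first avoids leaving two conflicting entries when the property is already present in the file, and the second lists which groups in id output carry the NTLM domain prefix.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of Centrify's tooling.

# set_conf_property FILE KEY VALUE
# Sets "KEY: VALUE" exactly once. An existing uncommented entry is rewritten in
# place (and later duplicates dropped); otherwise the line is appended.
set_conf_property() (
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || exit 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (substr(line, 1, length(k)) == k &&
                substr(line, length(k) + 1) ~ /^[ \t]*:/) {
                if (!done) print k ": " v
                done = 1; next
            }
            print
        }
        END { if (!done) print k ": " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# domain_prefixed_groups: reads `id` output on stdin and prints the names of
# groups that carry an NTLM domain prefix (DOMAIN\group), one per line.
domain_prefixed_groups() {
    sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed -n 's/^ *[0-9]*(\(.*\\.*\))$/\1/p'
}

# Run as root with --apply to make the edit from step 2 of the Resolution;
# the restart and cache-flush commands from step 4 still follow.
if [ "${1:-}" = "--apply" ]; then
    set_conf_property /etc/centrifydc/centrifydc.conf \
        mac.group.name.prepend.ntlm.domain true
fi
```

After the restart and flush commands from step 4, `id alb | domain_prefixed_groups` shows whether the prefixed names are in effect.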
