# Active Directory groups with local admin rights



## tiga (Apr 14, 2006)

I have configured Directory Access in Tiger 10.4.6 on a Powerbook G4 to authenticate logons to our domain. Users who belong to an AD group I have added as "Allowed to Administer this computer" are not getting admin privileges when they log on.

Thanks for any help.


----------



## -Monkey- (May 5, 2006)

tiga said:

> I have configured Directory Access in Tiger 10.4.6 on a Powerbook G4 to authenticate logons to our domain. Users who belong to an AD group I have added as "Allowed to Administer this computer" are not getting admin privileges when they log on.
> 
> Thanks for any help.



Hi, I think maybe the problem you're having is down to the way your company's AD is set up. In my own organisation, AD groups refer to their members by their Fully Qualified Domain Names (FQDN), as opposed to, say, cn, recordName, sAMAccountName or whatever.

For example, whereas my user recordName in AD is John.Smith, the reference to me in the group members list may actually be something like: *CN=WYZ239, OU=User Accounts, OU=User Directory, DC=Region, DC=Company, DC=com*. OS X simply cannot resolve these FQDNs in order to look up the group members referred to. The Windows PCs obviously have no such problem with that, however. Why oh why Apple didn't just make sure OS X does all this AD stuff in _exactly_ the same way as PCs do is beyond me. Almost like they don't _want_ it to work properly for us.

Short of getting your AD schema modified (not usually an option, especially in larger corporate networks) there's little you can do about it. I've gathered that most large ADs are set up in this way, i.e. group members referenced by their FQDNs. Maybe that's the default setting (?). I wouldn't hold my breath waiting for Apple to deal with this issue.

Hope this helps.
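A small diagnostic for the mismatch -Monkey- describes, added here as an example and not part of the thread: it pulls the CN out of each distinguished-name entry in a group's member list and checks whether a given name is referenced that way, so you can see that a recordName such as John.Smith will never match a list that only holds CN=WYZ239-style entries. The sample member list is constructed, and the dscl command in the trailing comment is an assumed way to dump the native member attribute through Tiger's AD plugin.

```shell
#!/bin/sh
# Added example (not from the thread): compare a user's name against an AD
# group's member list when that list holds full DNs rather than short names.

# Extract the CN value from one DN line, e.g.
# "CN=WYZ239, OU=User Accounts, DC=Company, DC=com" -> "WYZ239".
dn_to_cn() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CN=\([^,]*\).*/\1/p'
}

# Constructed sample of a group's member attribute (one DN per line),
# modelled on the DN quoted in the post above.
SAMPLE_MEMBERS='CN=WYZ239, OU=User Accounts, OU=User Directory, DC=Region, DC=Company, DC=com
CN=ABC001, OU=User Accounts, OU=User Directory, DC=Region, DC=Company, DC=com'

# Print the CN of every DN read from stdin, skipping blank lines.
member_cns() {
    while IFS= read -r dn; do
        [ -n "$dn" ] && dn_to_cn "$dn"
    done
}

# Return 0 if name $1 appears as a CN in the member list passed as $2.
# A recordName like John.Smith fails here even though the account is a
# member: the list only carries the DN's CN (WYZ239), not the short name.
is_member() {
    printf '%s\n' "$2" | member_cns | grep -qxF "$1"
}

# Live use on the Mac (assumed dscl path for the AD plugin; not run here):
# dscl "/Active Directory/DOMAIN/All Domains" -read "/Groups/GROUP" dsAttrTypeNative:member
```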


----------

