When our faculty/staff log in on their Macs using the network login, they are promoted automatically to "local admin", so they can install software and change system preferences etc. (It's campus policy that they are allowed this, not my call.)
To accomplish this, the machines are configured with dsconfigad thusly:
dsconfigad -groups "OURDOMAIN\Staff_global","OURDOMAIN\Domain admins","OURDOMAIN\Info Technology" -alldomains enable
So any member of any of those three groups becomes a member of the Admin group on the computer while they are logged in.
(Our Macintoshes ALL use local home folders; we do not use network homes on the laptops or the desktops.)
Some of these computers are laptops which they take home at night. As long as they've logged in once with it while on campus (and connected to our Windows domain controller) they can continue to log in, and even reboot and log in while at home. The computer will have already created their home and has cached the login authentication and allows them to log in even though the domain controller is unreachable.
The problem is that when they log in while away from the DC, they fail to be promoted to admin status, and are unable to do things like install software.
As soon as they come back and log back in while attached to our network (and DC) they regain admin status. This lasts until they log out and have to log back in again out of sight of the DC.
For now we've told staff and faculty to avoid logging out or rebooting their laptops while they are off-campus, to avoid this issue. But sometimes it's unavoidable. Batteries die. Computers crash and reboot. Software installations or updates require a restart. Users accidentally log out.
I've contacted Apple and although they were willing to look into it (normally they won't help with anything requiring Terminal), the rep I talked with was unable to find a solution.
Anyone here have any good ideas?