Monday, February 27, 2012

Binding to an Active Directory Domain with Mac OS X 10.7.3 - Lion

Here are the settings that have worked at Lewis & Clark College. There is one minor issue that will be addressed at the end.

Settings in Directory Utility

*Do everything shown below BEFORE binding to the domain.

User Experience Tab:


Mappings:

With 10.5 and 10.6 I provided UID and GID attributes. This caused nothing but grief with 10.7. I don't need the attributes at this time so they can be ignored. I imagine this might become an issue should we ever entertain roaming profiles.

Administrative:

If you want everyone logging on to the computer to be in the Administrator group, click the "+" icon and add domain users. At Lewis & Clark College, it is usually no issue to have users (Staff and Faculty) be Administrators of their own workstations.
With 10.5 and 10.6, after binding to the domain, the domain name would automatically be prepended to the groups listed, i.e. LCLARK\domain users. With 10.7 this does not happen, and it does not seem to be of any concern.


Bind to Your Domain
**Be sure that the computer ID does not already exist in the Domain. I've found that a lot of problems are due to a computer ID that already exists. Sometimes you can overwrite it, but it's easier to have it not be there in the first place. Talk to your AD administrator for more information.

Reboot. Watch for the red dot to go away. It takes anywhere from 5 - 15 seconds at my location. Once you have created a mobile account, you can log in while that red dot is still there; however, you will not be a local administrator, per the settings above.

Here's my minor issue:
The local administrator account we use on the Macs here is, cleverly, called Administrator. There is also an Active Directory account with the equally clever name Administrator. Sometimes Lion, even though it authenticates local accounts before Domain accounts, will grab the AD information for Administrator. Lion gets very confused and loads a generic profile, almost like the root profile. The user has no privileges and most programs will not launch. If you check the group associations, the account is attributed to several Domain groups. The only way to get out of this purgatory is to reboot. My workaround has been to create a local Administrator with a different name, one that does not exist on the Domain.
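For anyone scripting the same bind across many workstations, here is an added example (not from the original post) of the `dsconfigad` command-line equivalent of the settings above, with the two pre-flight checks the post recommends: the computer ID must not already exist in AD, and the local admin name must not collide with an AD account. The domain name, the local admin name and the AD name lists are placeholders or constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post: the dsconfigad (command-line)
# equivalent of the Directory Utility settings described above, with the
# post's two pre-flight checks. Domain and account names are placeholders.

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"   # placeholder, not a real domain
LOCAL_ADMIN="${LOCAL_ADMIN:-macadmin}"     # local admin; must not exist in AD

# Case-insensitive test (AD names are case-insensitive): is short name $1
# in the newline-separated list $2? Returns 0 on a match.
name_in_list() {
  _n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | grep -qx -- "$_n"
}

# Pre-flight: $1 = computer ID, $2 = existing AD computer names,
# $3 = existing AD user names (both lists supplied by your AD administrator).
# Fails if the computer ID is already in AD or the local admin name clashes.
preflight() {
  if name_in_list "$1" "$2"; then
    echo "computer ID '$1' already exists in $AD_DOMAIN; delete it first" >&2
    return 1
  fi
  if name_in_list "$LOCAL_ADMIN" "$3"; then
    echo "local admin '$LOCAL_ADMIN' also exists in AD; rename it" >&2
    return 1
  fi
  return 0
}

# Extracts the bound domain from 'dsconfigad -show' output read on stdin;
# prints nothing when the Mac is not bound (the "red dot" case).
bound_domain() {
  sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*= *//p'
}

# Real bind, only when run as: sudo sh bind.sh --apply COMPUTER_ID JOIN_USER
# Settings match the post: mobile accounts on, "domain users" may administer,
# and no -uid/-gid mapping (omitting those flags leaves the mapping off).
if [ "${1:-}" = "--apply" ] && command -v dsconfigad >/dev/null 2>&1; then
  # Paste the AD computer and user name lists from your AD administrator here.
  preflight "$2" "" "" || exit 1
  printf 'AD join password for %s: ' "$3"; stty -echo; read -r pw; stty echo; echo
  dsconfigad -add "$AD_DOMAIN" -computer "$2" -username "$3" -password "$pw" \
    -mobile enable -groups "domain users"
  dsconfigad -show | bound_domain
fi
```

The check functions run anywhere; the `--apply` branch only does anything on a Mac where `dsconfigad` exists.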