The Catalina 10.15.3 Update Breaks Active Directory Domain Users Admin and sudo Access.
The macOS Catalina 10.15.3 Update is only about two days old and is already receiving mixed reviews.
The GOOD:
The BAD:
- AD Domain Users Admin Access Broken
- Custom /etc/pam.d modifications reset to stock
Have you noticed anything new that is fixed or broken in the new update? Let me know!
Active Directory Domain Admin Access Removed!
This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was released.
I just installed the 10.15.3 update and now I can’t admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.
The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it’s just the admin rights that are broken.
MacAdmin User aaron
A few other users started to report the same issue after Aaron did.
Let’s Examine the issue.
The issue will most likely be reported by a user who says this…
I updated to 10.15.3 and when I use sudo I get this error.
User is not in the sudoers file. This incident will be reported.
Reported to who? Am I in trouble now???
User
Let’s check to see if Active Directory Group “Domain Admins” has admin access on your Mac.
/usr/sbin/dsconfigad -show
This command will give you a list of all your Active Directory Settings.
The screenshot below is what you will see AFTER the 10.15.3 Update.
This is what you SHOULD see.
Quick and easy command to show just the Allowed admin groups value.
/usr/sbin/dsconfigad -show | /usr/bin/awk -F= '/Allowed admin groups/ { print $2 }' | /usr/bin/awk '{$1=$1};1'
HT goes out to Eric Holtam (@eholtam) for the command!
You could still have the issue even if “Allowed admin groups” shows domain admins.
In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.
Do you use a custom Active Directory Admin Global Group?
What if you use a custom AD group like “Pretendo_Admins”?
You can have the same issue.
I did not have this issue after updating
Did you use a profile to bind? This is one example that I was unable to test.
Was the Mac connected to your directory for a few hours - 1 day? See Fix #3 below, it’s possible that the AD connector refreshed your information.
How can I fix this Problem?
The issue can be fixed in 3 ways.
- Re-Bind to Active Directory
- Run dsconfigad to set the group access again
- WAIT: It was reported that the issue is fixed automatically after the Mac is left online for a certain amount of time. The configuration is refreshed. Thanks to MacAdmins user awickert for testing this out.
To reset the domain group setting run this command.
dsconfigad -groups 'DOMAIN\domain admins'
NOTE: If you use a custom AD Global group for admin access you need to replace domain admins with your custom group.
dsconfigad -groups 'DOMAIN\Pretendo_Admins'
You can now run dsconfigad -show, then check the Allowed admin groups value; it should say = domain admins or your custom group.
You can also run this command to double verify the user now has admin access. (Thank you to a well known MacAdmins wizard for this command)
dsmemberutil checkmembership -U USERNAMEHERE -G admin
If the command worked you will see
user is a member of the group
If not, you will see
user is not a member of the group
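The two checks above (the Allowed admin groups value and the dsmemberutil membership test) combined into one audit, as an added example that is not part of the original post. The function names and the sample `dsconfigad -show` output are constructed for illustration, and stripping a `DOMAIN\` prefix before comparing is an assumption about how the value may be displayed.

```shell
#!/bin/sh
# Added example: audit "Allowed admin groups" from `dsconfigad -show` output.

# Constructed sample output (not captured from a real Mac).
sample_after_update() { cat <<'EOF'
Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
EOF
}
sample_expected() { cat <<'EOF'
Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = domain admins,Pretendo_Admins
EOF
}

# Read `dsconfigad -show` output on stdin; print one allowed group per line,
# lowercased, without any DOMAIN\ prefix. Prints nothing for "not set".
allowed_admin_groups() {
    awk -F= '/Allowed admin groups/ {
        n = split($2, g, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", g[i])   # trim padding
            sub(/^.*\\/, "", g[i])              # drop DOMAIN\ prefix
            if (g[i] != "" && g[i] != "not set") print tolower(g[i])
        }
    }'
}

# Return 0 if group $1 is in the allowed list read from stdin, else 1.
group_is_allowed() {
    want=$(printf '%s' "$1" | sed 's/^.*\\//' | tr '[:upper:]' '[:lower:]')
    allowed_admin_groups | grep -Fxq -- "$want"
}

# Audit this Mac: $1 = expected AD group, $2 = AD user who should be admin.
audit_ad_admin() {
    /usr/sbin/dsconfigad -show | group_is_allowed "$1" ||
        { echo "DRIFT: '$1' not in Allowed admin groups"; return 1; }
    # The group can be listed while access is still broken, so also
    # check effective membership in the local admin group.
    /usr/bin/dsmemberutil checkmembership -U "$2" -G admin |
        grep -q 'user is a member of the group' ||
        { echo "DRIFT: $2 is not a member of admin"; return 1; }
    echo "OK: $1 allowed and $2 is admin"
}

# Run the real audit only when given both arguments on a Mac.
if [ "$#" -ge 2 ] && [ -x /usr/sbin/dsconfigad ]; then audit_ad_admin "$1" "$2"; fi
```

Saved as a script and run with the expected group and an AD username as arguments, it reports DRIFT when either check fails, which makes it usable as a post-update compliance check.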