The Catalina 10.15.3 Update Breaks Active Directory Domain Users Admin and sudo Access.

The macOS Catalina 10.15.3 Update is only about two days old and is already receiving mixed reviews.

The GOOD:

The BAD:

  • AD Domain Users Admin Access Broken
  • Custom /etc/pam.d modifications reset to stock

Have you noticed anything new that is fixed or broken in the new update? Let me know!

Active Directory Domain Admin Access Removed!

This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was released.

I just installed the 10.15.3 update and now I can’t admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.

The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it’s just the admin rights that are broken.

MacAdmin User aaron

A few other users started to report the same issue after Aaron did.

Let’s Examine the issue.

The issue will most likely be reported by a user who says this…

I updated to 10.15.3 and when I use sudo I get this error.

User is not in the sudoers file. This incident will be reported.

Reported to who? Am I in trouble now???

User

Let’s check to see if Active Directory Group “Domain Admins” has admin access on your Mac.

/usr/sbin/dsconfigad -show

This command will give you a list of all your Active Directory Settings.

The screenshot below is what you will see AFTER the 10.15.3 Update.

This is what you SHOULD see.

Quick and easy command to show just the Allowed admin groups value.

/usr/sbin/dsconfigad -show | /usr/bin/awk -F= '/Allowed admin groups/ { print $2 }' | /usr/bin/awk '{$1=$1};1'

HT goes out to Eric Holtam (@eholtam) for the command!

You could still have the issue even if “Allowed admin groups” shows domain admins.

In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.

Do you use a custom Active Directory Admin Global Group?

What if you use a custom AD group like “Pretendo_Admins”?

You can have the same issue.

I did not have this issue after updating

Did you use a profile to bind? This is one example that I was unable to test.

Was the Mac connected to your directory for a few hours to 1 day? See Fix #3 below; it's possible that the AD connector refreshed your information.

How can I fix this Problem?

The issue can be fixed in 3 ways.

  • Re-Bind to Active Directory
  • Run dsconfigad to set the group access again
  • WAIT – It was reported that the issue is fixed automatically after the Mac is left online for a certain amount of time. The configuration is refreshed. – Thanks to MacAdmins user awickert for testing this out.

To reset the domain group setting run this command.

dsconfigad -groups 'DOMAIN\domain admins'

NOTE: If you use a custom AD Global group for admin access, you need to replace domain admins with your custom group.

dsconfigad -groups 'DOMAIN\Pretendo_Admins'

You can now run dsconfigad -show, then check Allowed admin groups; it should say = domain admins or your custom group.

You can also run this command to double verify the user now has admin access. (Thank you to a well known MacAdmins wizard for this command)

dsmemberutil checkmembership -U USERNAMEHERE -G admin

If the command worked you will see

user is a member of the group

If not, you will see

user is not a member of the group
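
The two checks above (the Allowed admin groups value and the dsmemberutil membership test) can be combined into one drift check to run after an update. This is an added example, not code from the original post; the function names, the EXPECTED_GROUP and AD_USER variables, the comma-separated group list and the sample dsconfigad lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a lost "Allowed admin groups" setting after an update.
# Function names, EXPECTED_GROUP and AD_USER are assumptions for illustration.

# Print the trimmed "Allowed admin groups" value from `dsconfigad -show` output on stdin.
allowed_admin_groups() {
    awk -F= '/Allowed admin groups/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }'
}

# Lower-case, trim, and drop any DOMAIN\ prefix so both spellings compare equal.
normalize() {
    tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^.*\\//'
}

# Return 0 if group $1 is in the list $2 (assumed comma-separated).
group_is_allowed() {
    want=$(printf '%s\n' "$1" | normalize)
    printf '%s\n' "$2" | tr ',' '\n' | normalize | grep -Fxq -- "$want"
}

# $1 = expected group, stdin = `dsconfigad -show` output. Prints OK or DRIFT.
check_admin_groups() {
    current=$(allowed_admin_groups)
    if group_is_allowed "$1" "$current"; then
        echo "OK"
    else
        echo "DRIFT: Allowed admin groups = ${current:-<missing>}"
    fi
}

# Constructed sample lines, not captured from a real Mac.
SAMPLE_BROKEN='  Preferred Domain controller    = not set
  Allowed admin groups           = not set'
SAMPLE_GOOD='  Allowed admin groups           = DOMAIN\domain admins,Pretendo_Admins'

if [ -x /usr/sbin/dsconfigad ]; then
    # On a bound Mac: check the live setting, then the effective membership,
    # because the setting can look right while admin rights are still missing.
    /usr/sbin/dsconfigad -show | check_admin_groups "${EXPECTED_GROUP:-domain admins}"
    if [ -n "${AD_USER:-}" ]; then
        dsmemberutil checkmembership -U "$AD_USER" -G admin
    fi
else
    printf '%s\n' "$SAMPLE_BROKEN" | check_admin_groups "domain admins"
fi
```

A DRIFT line means the group setting needs to be applied again with dsconfigad -groups.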