Catalina 10.15.3 Update Breaks AD Domain Users Admin & sudo Access


The Catalina 10.15.3 Update Breaks Active Directory Domain Users Admin and sudo Access.

The macOS Catalina 10.15.3 Update is only about two days old and is already receiving mixed reviews.

The GOOD:

The BAD:

Have you noticed anything new that is fixed or broken in the new update? Let me know!

Active Directory Domain Admin Access Removed!

This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was released.

I just installed the 10.15.3 update and now I can’t admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.

The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it’s just the admin rights that are broken.

MacAdmin User aaron

A few other users started to report the same issue after Aaron did.

Let’s Examine the issue.

The issue will most likely be reported by a user who says this…

I updated to 10.15.3 and when I use sudo I get this error.

User is not in the sudoers file. This incident will be reported.

Reported to who? Am I in trouble now???

User

Let’s check to see if Active Directory Group “Domain Admins” has admin access on your Mac.

/usr/sbin/dsconfigad -show

This command will give you a list of all your Active Directory Settings.

The screenshot below is what you will see AFTER the 10.15.3 Update.

[Screenshot: dsconfigad -show output after the 10.15.3 update] The Domain Users group was removed and is now “not set”.

This is what you SHOULD see.

[Screenshot: dsconfigad -show output on a healthy Mac] This is what you SHOULD see: Allowed admin groups = domain admins.

Quick and easy command to show just the Allowed admin groups value.

/usr/sbin/dsconfigad -show | /usr/bin/awk -F= '/Allowed admin groups/ { print $2 }' | /usr/bin/awk '{$1=$1};1'

HT goes out to Eric Holtam (@eholtam) for the command!

You could still have the issue even if “Allowed admin groups” shows domain admins.

In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.

Do you use a custom Active Directory Admin Global Group?

What if you use a custom AD group like “Pretendo_Admins”?

You can have the same issue.

I did not have this issue after updating

Did you use a profile to bind? This is one example that I was unable to test.

Was the Mac connected to your directory for a few hours to a day? See Fix #3 below; it’s possible that the AD connector refreshed your information.

How can I fix this Problem?

The issue can be fixed in 3 ways.

  • Re-Bind to Active Directory
  • Run dsconfigad to set the group access again
  • WAIT – It was reported that the issue is fixed automatically after the Mac is left online for a certain amount of time. The configuration is refreshed. – Thanks to MacAdmins user awickert for testing this out.

To reset the domain group setting run this command.

dsconfigad -groups "DOMAIN\domain admins"

NOTE: If you use a custom AD Global group for admin access you need to replace domain admins with your custom group.

dsconfigad -groups "DOMAIN\Pretendo_Admins"

You can now run dsconfigad -show, then check the Allowed admin groups value; it should say = domain admins or your custom group.

You can also run this command to verify that the user now has admin access. (Thank you to a well known MacAdmins wizard for this command)

dsmemberutil checkmembership -U USERNAMEHERE -G admin

If the command worked you will see

user is a member of the group

If not, you will see

user is not a member of the group
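The check, reset and verification steps above, pulled together into one script as an added example (this is not code from the MrMacintosh post). It embeds a constructed sample of dsconfigad -show output so the parsing of the Allowed admin groups value can be exercised on any machine, treats "DOMAIN\domain admins" as a placeholder for your own group, and on a bound Mac runs the same dsconfigad -groups and dsmemberutil commands the post gives; nothing else is changed on the system.

```shell
#!/bin/sh
# Added example, not code from the MrMacintosh post: audit the "Allowed admin
# groups" value that the 10.15.3 update blanked, and optionally re-apply it.
# Assumptions: EXPECTED_ADMIN_GROUP holds the group in "DOMAIN\group" form
# ("DOMAIN\domain admins" below is a placeholder); pass --audit [--fix] to act
# on the live machine. The --fix path must run as root (dsconfigad -groups).
set -u

EXPECTED_ADMIN_GROUP="${EXPECTED_ADMIN_GROUP:-DOMAIN\\domain admins}"

# Constructed sample of `dsconfigad -show` output from an affected Mac, so the
# parsing can be exercised anywhere. Real output carries more keys than this.
SAMPLE_BROKEN_OUTPUT='Active Directory Forest          = pretendo.local
Active Directory Domain          = pretendo.local
Computer Account                 = mac01$

Advanced Options - User Experience
  Create mobile account at login = Enabled

Advanced Options - Administrative
  Allowed admin groups           = not set
  Authentication from any domain = Enabled'

# allowed_admin_groups: read dsconfigad -show text on stdin and print the
# trimmed "Allowed admin groups" value ("not set" when the update blanked it,
# empty when the key is missing entirely).
allowed_admin_groups() {
  awk -F= '/Allowed admin groups/ {
    v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
  }'
}

# admin_groups_ok VALUE EXPECTED: exit 0 when VALUE lists EXPECTED's group
# (domain prefix ignored, case-insensitive, so "DOMAIN\Pretendo_Admins" matches
# a displayed "pretendo_admins"); exit 1 for "not set", empty, or other groups.
admin_groups_ok() {
  value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  # keep only the part after the last backslash, then lower-case it
  want=$(printf '%s' "$2" | tr '\\' '\n' | tail -n 1 | tr '[:upper:]' '[:lower:]')
  case "$value" in
    ""|"not set") return 1 ;;
    *"$want"*)    return 0 ;;
    *)            return 1 ;;
  esac
}

# audit_admin_groups EXPECTED [--fix]: compare the live setting with EXPECTED;
# with --fix, re-run the dsconfigad -groups command from the post.
# Returns 0 when healthy, 1 when broken (or the fix failed), 2 when this is not
# a bound Mac (dsconfigad absent).
audit_admin_groups() {
  expected=$1; mode=${2:-check}
  if [ ! -x /usr/sbin/dsconfigad ]; then
    echo "dsconfigad not found: not macOS or not bound to AD" >&2
    return 2
  fi
  current=$(/usr/sbin/dsconfigad -show | allowed_admin_groups)
  if admin_groups_ok "$current" "$expected"; then
    echo "OK: Allowed admin groups = $current"
    return 0
  fi
  echo "BROKEN: Allowed admin groups = ${current:-not set} (expected $expected)"
  if [ "$mode" = "--fix" ]; then
    /usr/sbin/dsconfigad -groups "$expected" || return 1
    echo "Re-applied. Confirm with: dsmemberutil checkmembership -U <user> -G admin"
  fi
  return 1
}

# Stand-alone demonstration against the constructed sample (runs anywhere).
demo_value=$(printf '%s\n' "$SAMPLE_BROKEN_OUTPUT" | allowed_admin_groups)
if admin_groups_ok "$demo_value" "$EXPECTED_ADMIN_GROUP"; then
  echo "sample: OK ($demo_value)"
else
  echo "sample: BROKEN (Allowed admin groups = $demo_value)"
fi

# Live check only when asked for: ./check_admin_groups.sh --audit [--fix]
if [ "${1:-}" = "--audit" ]; then
  audit_admin_groups "$EXPECTED_ADMIN_GROUP" "${2:-check}"
fi
```

Run it with no arguments to see the parser flag the constructed "not set" sample; on a bound Mac, `--audit` reports the live value and `--audit --fix` re-applies the group exactly as the dsconfigad -groups step above does. The membership check is deliberately left to dsmemberutil afterwards, since, as the post notes, a correct Allowed admin groups value does not by itself prove the user's admin rights are back.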


7 thoughts on “Catalina 10.15.3 Update Breaks AD Domain Users Admin & sudo Access”

  1. I just found this bug today on my fleet of 10.15.7 systems.

    My groups show in dsconfigad but do not work.

    manually editing the local admin group was my workaround. I want all users to be admins (deep freeze is in play) so this tested well. Hopefully it works in prod!

    `dseditgroup -o edit -a everyone -t group -L admin`

  2. I have the opposite. I have the ability to sudo with an admin user but any prompt in the GUI the password does not work.

  3. With a fresh install of 10.15.3, I have my list of allowed admin groups set by the Jamf AD Bind policy, not a configuration profile.
    A user in one of those AD groups is able to administer the computer by unlocking system preferences and changing settings. However, I cannot `sudo -s` or `sudo -i` to root using that user. It is still telling me the user is not in the sudoers file.
    So, it’s in this really weird state where I do have an AD admin in the GUI but not in the Terminal.

    1. I also have this same issue on Catalina 10.15.4 and also binding using JAMF.

      User is an admin in the GUI and in the local admin group. Only network users have this issue – local user works fine.

      I added the user to sudoers which fixes the issue. Shouldn’t have to do that, though.

    2. Hi Jeff.

      Did you ever end up resolving this issue? This still seems to be a rather annoying issue for us, when trying to deploy new Macs with 10.15.7 using JAMF.

  4. The old method of adding a group to the admin group does appear to still work.
    /usr/sbin/dseditgroup -o edit -a -t group admin
