the Managed By field in active directory, and what it means for a mac

At work, we integrate Macs into Active Directory using the native AD plug-in in OS X. Recently my company enacted a plan to populate the Managed By field in AD with the username of each person who is “assigned” to a computer. On Windows this isn’t a problem, but on a Mac it has the unintended effect of making that user a local administrator whenever they log into that particular Mac.

Removing the user account from ‘Managed By’ in AD and restarting the Mac removes the administrator privilege again. However, this caused a lot of headaches for the IT department: it is not Microsoft’s intended use of this field, and the behaviour was not in any official Apple documentation we could find, nor was it widely reported on the web.

According to an engineer at Apple, that is their intended use of this field. Seems kind of nervy of them, eh?
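Because the grant happens silently at login, the practical defence is to audit who actually holds local admin on each Mac and compare that against the accounts IT intends. The script below is an added example and not part of the original post: on macOS it reads the local admin group with `dscl` and, for a single account, asks `dseditgroup` for effective (including nested) membership; on any other system it substitutes a constructed sample so the comparison logic can be exercised offline. The allowlist (`root itadmin`) and the domain user `jdoe` are assumed, made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts hold local
# admin rights on a Mac, so a grant nobody intended (such as the one the AD
# Managed By field triggers) is noticed rather than discovered by accident.
# On macOS it reads the real admin group with dscl; on any other system it
# falls back to a constructed sample so the logic can be run offline.

# Assumption: the accounts IT actually intends to be local admins.
ALLOWED_ADMINS="root itadmin"

# Print the flat membership of the local admin group, space-separated.
admin_members() {
    if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
        dscl . -read /Groups/admin GroupMembership 2>/dev/null | sed 's/^GroupMembership: *//'
    else
        # Constructed sample in the same shape dscl prints it; "jdoe" stands
        # for a domain user who was set as Managed By on this computer object.
        printf '%s\n' "root itadmin jdoe"
    fi
}

# Print every member of $1 that is not in the allowlist $2.
# Returns 0 when the lists agree and 1 when at least one unexpected admin exists.
unexpected_admins() {
    members="$1"
    allowed="$2"
    found=0
    for m in $members; do
        ok=0
        for a in $allowed; do
            [ "$m" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$m"
            found=1
        fi
    done
    return "$found"
}

# Effective check for one account, including nested or directory-backed
# membership that the flat GroupMembership attribute may not show.
# Prints "yes" or "no" on macOS (first word of dseditgroup's answer),
# "unknown" where dseditgroup is not available.
is_effective_admin() {
    if command -v dseditgroup >/dev/null 2>&1; then
        dseditgroup -o checkmember -m "$1" admin 2>/dev/null | cut -d' ' -f1
    else
        echo "unknown"
    fi
}

# Example run: compare current membership against the allowlist.
if unexpected_admins "$(admin_members)" "$ALLOWED_ADMINS"; then
    echo "admin group matches the allowlist"
else
    echo "unexpected local admin(s) listed above; check the Managed By field on this computer object in AD"
fi
```

Run it periodically (for example from a management agent) and alert on any non-zero exit; when a name shows up that was never meant to be an admin, the Managed By value on that computer object is the first thing to check, since clearing it and restarting is what removed the privilege in our case.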

