The Catalina 10.15.3 Update Breaks Active Directory Domain Users Admin and sudo Access.
HP ENVY Photo 7164. Scan at high-resolution and with the help of its rear paper feed, it can handle almost any kind of printable media from blank CDs to fingernail stickers. I have been using a HP Envy 4500 printer with my iMac for 2 years using HP Easy Scan - with no issues. Today I tried to scan a document, when I press the 'scan' button on the app a pop-up appears stating: 'HP Scanner 3' will damage your computer this file was downloaded on an unknown date. Report malware to Apple to protect others.
The macOS Catalina 10.15.3 Update is only about two days old and is already receiving mixed reviews.
The GOOD:
The BAD:
- AD Domain Users Admin Access Broken
- Custom
/etc/pam.dmodifications reset to stock
Have you noticed anything new that is fixed or broken in the new update? Let me know!
Active Directory Domain Admin Access Removed!
This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was release.
I just installed the 10.15.3 update and now I can't admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.
The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it's just the admin rights that are broken.
MacAdmin User aaronA few other users started to report the same issue after Aaron did.
Let's Examine the issue.
The issue will most likely be reported by a user who says this…
I updated to 10.15.3 and when I use sudo I get this error.
User is not in the sudoers file. This incident will be reported.
Reported to who? Am I in trouble now???
UserLet's check to see if Active Directory Group 'Domain Admins' has admin access on your Mac.
/usr/sbin/dsconfigad -show
This command will give you a list of all your Active Directory Settings.
The screenshot below is what you will see AFTER the 10.15.3 Update.
This is what you SHOULD see.
Quick and easy command to show just the Allowed admin groups value.
/usr/sbin/dsconfigad -show | /usr/bin/awk -F= '/Allowed admin groups/ { print $2 }' | /usr/bin/awk '{$1=$1};1'
HT goes out to Eric Holtam(@eholtam) for the command!
You could still have the issue even if 'Allowed admin groups' shows domain admins.
In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.
Do you use a custom Active Directory Admin Global Group ?
What if you use a custom AD group like 'Pretendo_Admins' ?
You can have the same issue.
I did not have this issue after updating
Did you use a profile to bind? This is one example that I was unable to test.
Was the Mac connected to your directory for a few hours -1 day ? See Fix #3 below, it's possible that the AD connector refreshed your information.
The BAD:
- AD Domain Users Admin Access Broken
- Custom
/etc/pam.dmodifications reset to stock
Have you noticed anything new that is fixed or broken in the new update? Let me know!
Active Directory Domain Admin Access Removed!
This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was release.
I just installed the 10.15.3 update and now I can't admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.
The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it's just the admin rights that are broken.
MacAdmin User aaronA few other users started to report the same issue after Aaron did.
Let's Examine the issue.
The issue will most likely be reported by a user who says this…
I updated to 10.15.3 and when I use sudo I get this error.
User is not in the sudoers file. This incident will be reported.
Reported to who? Am I in trouble now???
UserLet's check to see if Active Directory Group 'Domain Admins' has admin access on your Mac.
/usr/sbin/dsconfigad -show
This command will give you a list of all your Active Directory Settings.
The screenshot below is what you will see AFTER the 10.15.3 Update.
This is what you SHOULD see.
Quick and easy command to show just the Allowed admin groups value.
/usr/sbin/dsconfigad -show | /usr/bin/awk -F= '/Allowed admin groups/ { print $2 }' | /usr/bin/awk '{$1=$1};1'
HT goes out to Eric Holtam(@eholtam) for the command!
You could still have the issue even if 'Allowed admin groups' shows domain admins.
In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.
Do you use a custom Active Directory Admin Global Group ?
What if you use a custom AD group like 'Pretendo_Admins' ?
You can have the same issue.
I did not have this issue after updating
Did you use a profile to bind? This is one example that I was unable to test.
Was the Mac connected to your directory for a few hours -1 day ? See Fix #3 below, it's possible that the AD connector refreshed your information.
How can I fix this Problem?
The issue can be fixed in 3 ways.
Hp Easy Scan For Catalina
- Re-Bind to Active Directory
- Run
dsconfigadto set the group access again - WAIT – It was reported that the issue is fixed automatically after the Mac is left online for a certain amount of time. The configuration is refreshed. – Thanks to MacAdmins user awickert for testing this out.
To reset the domain group setting run this command.
dsconfigad -groups 'DOMAINdomain admins'
NOTE: If you use a custom AD Global group for admin adccess you need to replace domain admins with your custom group.
Hp Easy Scan And Catalina
Dmg extractor key. dsconfigad -groups 'DOMAINPretendo_Admins'
You can now run dsconfgad -show then check the Allowed admin groups and it should say = domain admins or your custom group.
You can also run this command to double verify the user now has admin access. (Thank you to a well known MacAdmins wizard for this command)
dsmemberutil checkmembership -U USERNAMEHERE -G admin
If the command worked you will see
user is a member of the group
If not, you will see
user is not a member of the group
