Authentication Services allows you to give local administrator rights to Authentication Services users on individual Mac OS X systems. This gives a user the ability to administer his own system while still using Active Directory for authentication. It also allows Mac OS X system administrators "admin" access on Mac OS X systems without a shared local account.
To grant Authentication Services accounts administrator rights
[vas_macos] admin-users = email@example.com
For example, with the pico text editor, enter:
$ sudo pico /etc/opt/quest/vas/vas.conf
Note: If there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy.
For the value of the admin-users key, use a comma-separated list of Active Directory User Principal Names (UPN) for Authentication Services users with administrator rights. The Domain Users option also supports groups of users.
Either step ensures that Authentication Services processes the new configuration.
$ groups jdoe
If jdoe was correctly configured to have local administrator rights, you see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user is then able to use his user credentials for authorizing administrative tasks started from the System Preferences application.
The password hint is displayed for all Active Directory users when you have Mac OS X configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is "Windows Domain Password".
Before Mac OS X will display authentication hints, you must enable the "Show password hints" option through the log in options.
After enabling password hints, after several incorrect login attempts, the password hint displays.
You can manage this hint centrally on the domain controller through Group Policy.
Note: For security reasons, if a mapped user changes his password hint, it is intentionally reset to the generic Windows domain password hint the next time he logs in.
Authentication Services is compatible with Apple’s FileVault disk encryption, introduced in Mac OS X 10.7. In order to use FileVault with an Active Directory user, you must first create a mobile account for that user on the Mac OS X client. A Mac OS X mobile account has a local home directory that can automatically sync with the user’s network home directory.
To encrypt your disk
A popup message displays explaining that you must log out and log back in to create the local home folder.
Note: Once you enable FileVault unlock for a user account, if you subsequently delete the account from Active Directory, you must also delete the local user account to disable FileVault unlock for that user.
The encryption can take several hours, depending on the size of your disk, during which time you can continue using your computer. You can monitor the encryption process by returning to the FileVault tab in Security & Privacy preferences.
After you enable FileVault, your Mac OS X will initially boot to an unencrypted disk partition and ask for your password to unlock the encrypted partition. Because this separate partition does not have access to Authentication Services and Active Directory, you must use your most recent locally cached password. Before the local cache is updated, if you need to unlock the encrypted disk after a password change, either use your old password or click the Recover Key to unlock the drive. Once the drive is unlocked, although it says you must reset your password, you can ignore the prompt and log in with your recently changed account password.
You can find more information about FileVault in these articles by Apple Support: