Cache AD group membership in local dscl or other local usable store.

Number:rdar://23438116 Date Originated:06/11/15
Status:Open Resolved:
Product:OS X Product Version:10.6+
Classification:Feature Reproducible:Yes
As per my blog post OS X does not cache group membership for AD accounts when off the network.

Steps to Reproduce:
1. Bind a Mac to AD.
2. Set "Allow Administration By:" to a security group
3. Login to the Mac when connected to the Domain as a use whom is part of the security group set in 2.
4. Verify that the user is an admin.
5. Disconnect the Mac from the domain, not unbinding.
6. run: dsmemberutil flushcache (not always needed, but speeds up the tests, the cache is not a great place to store this as it is volatile).
7. Login as the account that was an admin at step 4.
8. User will not be an admin

Expected Results:
User should be an admin still

Actual Results:
User is not an admin

10.6+, tested on 10.8.5, 10.9.5, 10.10.5


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!