Querying user information for Active Directory users

When you run commands or use applications that look up user information in the directory, the local Mac directory service is always consulted first before the look-up request is made to Active Directory. If a local user exists with the same name as a UNIX profile name that has been defined for the zone, a lookup request such as id username will return the UID and GID associated with the local user account from the local directory service rather than the information associated with the UNIX profile defined in Active Directory.

For example, if you have a UNIX profile in Active Directory for the user mia with the UID of 10024 and the user’s primary group is mia with the GID of 10024 and the user is also a member of the Active Directory group users and GID of 10001, running the id mia command returns the following information from Active Directory:

uid=10024(mia) gid=10024(mia) groups=10024(mia), 10001(users) 

However, if there is also a local user account with the same user name of mia, but with a UID of 502 and a primary group named mia with a GID of 502, running id mia returns the information for the local user retrieved from the Mac directory service, then any additional group membership information retrieved from Active Directory. For example:

id mia
uid=502(mia) gid=502(mia) groups=502(mai), 10001(users)

Because the Mac directory service is queried first, the information for the local user mia takes precedence over the information defined in Active Directory. To avoid retrieving the information for a local user instead of the UNIX profile defined in Active Directory, you should make sure that the UNIX profile user names in Active Directory are different from the local user or disable local user accounts.