MacOS using AD logins and duplicate names

I work for a K-12 school district that uses Macs as the primary client machines. Currently our students log into the Macs with a generic account and use their AD account to attach to the file server. We are migrating our Mac laptops and desktops to use AD domain logins so the students can start logging in to the Macs with their AD account. One of our wonderful students decided to log in with their full name instead of their user id (student id) and it worked. Please note that you cannot log in with the full name on a Windows machine joined to the domain, so this is a Mac strangeness thing.

A bit of research showed that the Mac when creating the Mobile account for the user indexes it with 4 bits of information. So for a student id of 9999910 and name of Kelly Test the Mac creates a Mobile account indexed with:

9999910@ad.nsd.org
AD9999910
9999910
Kelly Test

The last item is the Display Name listed in Active Directory. This leads to several problems as we have several schools that have students with the same first and last names:

1. If student 9999910, Kelly Test, logs into a computer and then student 9999911, Kelly Test, tries to log in, her login will fail because the Mac sees that the Mobile account is already created with different credentials (e.g. 9999910's credentials). The only way to fix this is to remove the local account.

2. If a student logs in with their full name for the first time and there are multiple students with the same name, the system helpfully presents a list of all accounts with that name (they all seem to be the same until you mouse over them to see the different user ids) for you to pick from.

Our solution is going to be a logout policy that removes the student's Mobile account when they log out of the computer.
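One way to implement that logout policy, as an added example and not the district's own script: a logout hook that removes the logged-out user's AD mobile account, but only when the record really is a cached Active Directory account, so that local admin and system accounts are never deleted. It assumes macOS tools (`dscl` to read the local record, `sysadminctl -deleteUser` to remove the account and its home folder), that the hook receives the short user name as `$1`, and that the `OriginalNodeName` and `AuthenticationAuthority` values look like the constructed samples below (the domain `ad.nsd.org` is from the post; the `NSD` short name and the UIDs are made up).

```bash
#!/bin/bash
# Added example, not the district's script: a logout hook that deletes the
# logged-out student's AD mobile account so a later same-name student is not
# blocked by a cached account holding someone else's credentials.
# Assumes macOS: dscl for the local record, sysadminctl -deleteUser to remove
# the account and home folder, and that the hook receives the short name as $1.

# Decide whether a user record should be removed. Arguments:
#   $1  short name, $2  UniqueID (numeric UID), $3  dscl record text
# Keep system and local accounts (UID below 500), any account whose record
# did not originate from the Active Directory node, and any account without
# a LocalCachedUser authority (i.e. not a mobile account).
should_remove_account() {
    name="$1"; uid="$2"; record="$3"
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge 500 ] || return 1
    printf '%s\n' "$record" | grep -q '^OriginalNodeName: /Active Directory/' || return 1
    printf '%s\n' "$record" | grep -q 'LocalCachedUser' || return 1
    return 0
}

# Constructed sample records in the shape of `dscl . -read /Users/<name>` output
# (attribute names are real dscl attributes; the values are made up here).
SAMPLE_MOBILE='RecordName: 9999910
OriginalNodeName: /Active Directory/NSD/ad.nsd.org
AuthenticationAuthority: ;LocalCachedUser;/Active Directory/NSD/ad.nsd.org:9999910
UniqueID: 1032054321'

SAMPLE_LOCAL='RecordName: labadmin
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
UniqueID: 501'

# On a real Mac, apply the policy to the user passed in $1.
if [ "$#" -ge 1 ] && command -v dscl >/dev/null 2>&1; then
    user="$1"
    record="$(dscl . -read "/Users/$user" RecordName OriginalNodeName AuthenticationAuthority UniqueID 2>/dev/null)"
    uid="$(printf '%s\n' "$record" | awk '/^UniqueID:/ {print $2}')"
    if should_remove_account "$user" "$uid" "$record"; then
        logger -t logout-hook "removing AD mobile account $user (uid $uid)"
        sysadminctl -deleteUser "$user"
    else
        logger -t logout-hook "keeping account $user (uid $uid)"
    fi
fi
```

Run without arguments the script only defines the policy and the sample records; installed as a logout hook (or triggered at logout by your management tool) it reads the real record for `$1` and deletes only cached AD accounts, logging each decision so a deleted or unexpectedly kept account can be traced afterwards.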