Best practices for integrating with AD suggest that you keep a local administrator account on your Mac. It's possible to create this local administrator account and keep it hidden from users.
When you unbundle a new Mac, you'll need to create an admin account anyway. You use this to install Centrify and bind to Active Directory.
When you create a local admin account, give it the name ".admin" (with a period in front).
It won't show up in the list of users under System Preferences -> Users and Groups
When the regular AD user logs in, it won't show up in the Users and Groups display.
However, when you log in with the hidden admin account, it will show up in Users and Groups.
Thanks to Steven H for the tip.
Pretty cool, but now I have to know where you've installed these hidden admin accounts. How can I see if the machine has a hidden admin account or not, is there a CLI command to show the account?
from a terminal, you should be able to use:
ls -al /Users
and how to unhidden??