I came across an issue with one of my mobile users that was unable to get admin access off network. As soon as they connected to the corporate network their admin rights would return. I did a bit of searching and found this post on the Centrify forums about the issue. Turns out that it has something to do with the AD cache not matching up the domain group with the local admins. This command will force add the user to the local admin account instead. The following os x mobile account off network fix should do the trick.
I decided to give the command line suggestion a go and it worked a charm.
sudo dseditgroup -o edit -a [username] -t user admin
I connected the machine to the corporate network, used one of my domain admin accounts to run the CLI and substituted the username. I tested this by disconnecting the laptop from the network and the user keeps their admin credentials.