  1. #1

    RE: Active Directory Authentication How To

    I understand how to do what is required on the Mac to add a machine to AD, however upon asking the questions of what needs to be done server end (i.e. in AD to allow the machines to then be managed) I am told it is all very complicated - no answers, just can't be done that simply, 'I know what it takes to add a unix machine to AD and it's very complex' -
    can someone confirm/explain that this is the case or is it that the person telling me this doesn't know?

  2. #2
    AntonioRocco
    Hi

    Your post heading 'Active Directory Authentication How to' has nothing really to do with what you're really asking. Apple already provides a built-in tool (Active Directory plug-in in the Directory Utility application) for identifying, authenticating and authorizing users existing in an active directory database using their account credentials when logging into a non-Microsoft operating system.

    And that's the key to beginning to answer your real question, which is about management of non-Microsoft operating system workstations using the global policy management console.

    Microsoft's GPOs were only ever designed to be applicable to Microsoft operating systems. To begin to apply them to something else takes a major effort as well as a deep understanding of the core technologies involved. No offense intended but this level of expertise goes beyond what most school network administrators have. Besides, their salary may not begin to cover it either! Even if you've gone to the effort of altering your Active Directory schema (a schema is a set of rules that govern the behaviour of the database it's applicable for) to accommodate Mac OS X, you'd have no guarantee the next Microsoft Service Pack or update won't undo the 3-5 days of work you've done. Of course, if money is a problem then altering the schema is the 'cheapest' way of doing it.

    In most people's opinion it's far better to incorporate and utilise an extremely cheap Server App (£13.99) that can be run on any current Mac hardware. Alternatively, what most people go for is a MacMini Server. It has a small form factor, it's cheap and has the Server App included. The Open Directory schema (Apple's equivalent of AD) is much, much smaller and won't take up a lot of hard disk space. From there all that's required is the amount of time it takes to 'learn' the software and OS. You'd have to do half of this work anyway if you're considering deploying or have already deployed Apple hardware in your Windows network infrastructure.

    If money is not an object some will consider using a 3rd-party helper application. This is installed on your Windows Servers and it acts as an 'overlay' for the more dominant and much larger Active Directory schema. The helper application takes the burden of mapping object classes and values from one schema to another out of your hands and does it all for you. Some of the most popular (and expensive) are Caspar, Centrify and Likewise. There are others which you can google for yourself.

    Your final question ' . . . is this the case or is the person telling me this doesn't know?'; I'd say the person has it about right.

    HTH?

    Antonio Rocco (ACSA)
    Last edited by AntonioRocco; 21st June 2013 at 01:31 PM.

  3. 2 Thanks to AntonioRocco:

    GirlsinIT (21st June 2013), mac_shinobi (21st June 2013)

  4. #3

    Simple AD authentication with no management of applications or services should work straight out of the box using the Active Directory Utility, as Rocco points out.

    For management of applications, services and controlling the end user's experience you really need to invest in a Mac server or Server App (as Rocco suggests) and have it work in what they call a magic triangle setup. This setup involves using Microsoft AD for authentication and Apple OD for management of the devices.

  5. Thanks to Davit2005 from:

    GirlsinIT (21st June 2013)

  6. #4

    Thanks to you both -
    This is what I needed (am not offended at all) I wanted to attempt to understand what the 'very complex - obviously above my silly little head' was - not just go away you won't understand. Much appreciated. :-)

  7. #5

    mac_shinobi
    Just want to thank Antonio for his help ref macs and AD !!

    Hopefully not side tracking, clearly knows his stuff !!!

  8. #6
    robjduk
    Just to add, I was in exactly your position this time last year but couldn't be happier with the results I got. I have my iMacs attached via AD and use a Mac mini server to manage them. Get yourself a Mac mini server and a copy of Apple Remote Desktop (from the App Store) and you'll wonder why you were ever worried. The first time I remotely installed software to all my iMacs I could have cried for joy at how well it went, and now I have upgraded my server to Mountain Lion, it has gotten even easier.
    I don't like iMacs, I don't like the people who use iMacs but if you have to have them, managing them with both AD and a mini server is a pleasure.


