  1. #1


    MAC Suite - integrated to AD but students see all shares on network?

    Hi all,

    Not the most experienced person in the world with MACs but in short.....

    Engineer is configuring a suite of MACs with a Mac mini server to set up a link between AD and OD, so that students and staff can log in with their usual credentials and save to their My Documents and shared areas, and see the licence server for Sibelius amongst other things.

    However when a student logs in they are able to browse using finder and see every possible share on the network, although not access any folder or documents unless they have the correct permissions. They are able to see folders such as finance, personnel and various others.

    The Engineer feels that it is because of the Bonjour (mDNSResponder) service but states he cannot turn it off or we will lose internet connectivity and other network services. There is no way to disable the view of the network, or prevent the students from seeing anything. On the windows network, they get the mapped drives we choose and that's it, is there no way on MACs to enforce such a policy?

    I wondered if other schools could share how locked down their macs are, and if they have the same problem, and either live with it or there is a way to hide/disable them?

    Any help would be greatly welcomed.

  2. #2
    ben604's Avatar
    We use plists through Workgroup Manager to control Finder and run an Applescript at login to map the drives how we like. We prevent access to all the pre made folders (music, video, pictures, etc) as they map locally.

    Our script maps the home folder to the "Documents" folder and hides/removes access to the rest. So all they see (and can save to) is the documents folder and any network shares.

    I can send you the plists and script if you want?

  3. #3

    Quote: Originally posted by ben604
    We use plists through Workgroup Manager to control Finder and run an Applescript at login to map the drives how we like. We prevent access to all the pre made folders (music, video, pictures, etc) as they map locally.

    Our script maps the home folder to the "Documents" folder and hides/removes access to the rest. So all they see (and can save to) is the documents folder and any network shares.

    I can send you the plists and script if you want?
    Thanks for the information @ben604, that's really useful - I'll PM you my email. Thanks.

  4. #4
    pixellip's Avatar
    Hello Ben604/Max power
    This issue came up today for me when playing around with our iMacs on our domain... is there a way of doing this without running it on a Mac server? We have about 15 Macs and no server at the moment...
    Thanks

  5. #5
    ben604's Avatar
    Hello,

    you can probably do it machine to machine, but it'll be laborious. I'd get a Mac Mini or another iMac to run Workgroup Manager/Profile Manager.

  6. #6

    This is most likely due to the way Macs interpret hidden shares on NTFS. With Windows, the $ sign indicates that the share is not to be visible in the list of shared folders. However, a MAC seems to think the $ denotes the end of the share path and won't look any further beyond that. The best way round this is to enable access based enumeration on the root of the users share and make sure your NTFS permissions are set accordingly.

  7. Thanks to Speedydowt from:

    pixellip (20th September 2013)
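
Access-based enumeration, as suggested in the post above, is a per-share setting on the Windows file server. The PowerShell below is an added example, not a script from this thread: it reports each share's enumeration mode, optionally enables ABE, and flags top-level folders whose NTFS ACLs still grant broad groups access. It assumes the SmbShare module (Windows Server 2012 or later), an elevated session, and a hypothetical share named `Users`.

```powershell
# Added example (not from the thread): audit and enable access-based enumeration.
param(
    [string[]]$ShareName = @('Users'),   # hypothetical share name; replace with your own
    [switch]$Apply                       # without -Apply the script only reports
)

# Groups that typically include every student account (adjust to your domain)
$broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

# 1. Current enumeration mode of every non-administrative share
$shares = Get-SmbShare -Special $false
$shares | Sort-Object Name |
    Format-Table Name, Path, FolderEnumerationMode -AutoSize | Out-Host

foreach ($name in $ShareName) {
    $share = $shares | Where-Object { $_.Name -eq $name }
    if (-not $share) { Write-Warning "Share '$name' not found"; continue }

    # 2. Enable ABE so folders a user cannot read are left out of listings.
    #    ABE filters folders inside the share; it does not hide the share name.
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        if ($Apply) {
            Set-SmbShare -Name $name -FolderEnumerationMode AccessBased -Force
            Write-Output "Enabled access-based enumeration on '$name'"
        } else {
            Write-Output "'$name' is Unrestricted; re-run with -Apply to change it"
        }
    }

    # 3. ABE follows NTFS permissions: report top-level folders that still
    #    allow a broad group in, since those remain visible to everyone.
    Get-ChildItem -LiteralPath $share.Path -Directory | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($broad -contains ($_.IdentityReference.Value -split '\\')[-1])
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}
```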

  8. #7
    pixellip's Avatar
    Thanks Speedydowt - that was a really clearly replied message - understood. I'll take a look at that thanks a lot.

  9. #8

    Sorry to bump my old thread, but still having issues and wondered if any MAC gurus on here would be able to tell me if either of these scripts would be suitable to map the drives and printers for users instead of using workgroup manager?
    https://jamfnation.jamfsoftware.com/...n.html?id=4048
    How To: Map Drives & Printers Based On AD Group Membership On OSX | macmule

  10. #9
    TheScarfedOne's Avatar
    I've got a plist that I use to hide the "shared" section in Finder. We already prevent access to the "Connect to" via Centrify. I'll post it on Monday. Nudge me via PM if I haven't...

  11. #10
    speckytecky's Avatar
    Probably lurking here but too modest to step in I'd highly recommend getting in touch with Ross Hamilton of EduMac Rebranding - How To Mac | How To Mac on this one. He sorted a similar problem for us toot sweet and it didn't cost us a shed load of dosh either.
