Mac Thread, Workgroup Manager in Technical; Okay so I have a virtual network set up on my laptop, to try and get osx and AD integration ...
5th February 2014, 02:25 PM #1
Okay so I have a virtual network set up on my laptop, to try and get osx and AD integration working (the fun im having!!!) and im trying to edit some settings in work group manager for an AD group (Test Group) and whenever I try to change some settings and click apply it throws up an error messageWorkgroup Manager.JPG. Anyone got any ideas on what is causing this as I want to throw my laptop out the window
Have been looking at this for a few months now, and before I was a complete Apple fanboy (iPhone 5, iPad mini, mac mini and macbook pro) Since then I have moved to a windows phone and am contemplating selling my two macs. Yes I have woken up to the world :P
5th February 2014, 09:51 PM #2
You usually see that error message when you're trying to write or make changes to the AD User/Group database from an application that can't make those kind of changes. Open Directory and LDAP are not the same as Active Directory so the best you can ever hope for is read only access using WorkGroup Manager. One way (there are others) to make this work is to create an OD group first using WorkGroup Manager and add/nest AD Users or Groups within it. Apply MCX from there.
Once you bind mac workstations to both directories (AD and then OD) policies will be applied.
I'm not having a go or anything but it makes no sense to blame the platform for your failings?
Antonio Rocco (ACSA)
Thanks to AntonioRocco from:
mac_shinobi (5th February 2014)
5th February 2014, 10:03 PM #3
I have some questions with regards to this if that is ok Antonio ?
Originally Posted by AntonioRocco
1.) How are you supposed to apply the MCX Settings from the Mac Server ( presuming it is in a magic triangle setup ) to the clients, do you need to add or run a utility to add all the default mcx files into workgroup manager to be applied to the clients ?
2.) Do you need to add the client computers into workgroup manager by there mac addresses of the physical LAN Connections of each client ?
3.) I presume the order that the different servers are added onto each client makes a difference ie binding to OD First and then AD or is it the other way around or what exactly ?
Did you have any guide(s) or advise on if I was starting from scratch things that need to be done to setup the OD Mac server and how to get the magic triangle setup and also how to correctly apply mcx settings to the mac clients etc etc ?
Last edited by mac_shinobi; 5th February 2014 at 10:04 PM.
6th February 2014, 12:39 AM #4
There are variations to some of your questions that go beyond the scope of this forum. IMO these would be better addressed one-to-one in a real-world situation.
Hopefully some of what follows might help though?
Fristly a brief note first regarding managed policies on a Mac that might be news to others? As of 10.7 Apple began to deprecate MCX in favour of Profile Manager. In its current version (Mavericks 10.9) you really should be using Profile Manager and not WorkGroup Manager although YMMV. You can still install the application on Mavericks and it still does work after a fashion for 10.9 clients. It should really be used for supporting legacy clients (10.7, 10.8) only.
Q1) - I apply some (not all) managed policies (either MCX via WGM or XML plists via PM or even both) sitting at a client workstation that’s preconfigured as much as possible the way the customer wants it mostly. This is done by gatthering all the plists and associated files and folders needed and loading them either into WorkGroup Manager and/or Profile Manager as well as placing key files/folders/scripts that can’t be handled by WGM or PM into the BSD sub-system. Other managed policies are applied during the deployment phase using either NetBoot, DeployStudio, Munki or a combination of all three or post deployment using ARD, DeployStudio or Munki or again a combination of all three.
Generally managed policies are logically applied to the groups that are more receptive to those policies, eg: dock settings to OD User Groups and power settings to OD Computer Groups and so on.
I rarely do much or apply anything from or on the Mac Server itself. About the only thing I do is set up a RAiD (if it’s wanted); any redundancy (if it’s wanted); configure PM and OD; followed by NetBoot and/or DeployStudio and/or Munki.
Once the above is done I then sit down and have a discussion about back-ups.
Q2) - There’s a number of ways to do this. Simplest being using a Mac (laptop would be ideal) that has WGM installed that’s on the same subnet as the rest of the Macs. Sometimes this will involve moving from room to room as the subnets will invariably be different depending on which room you’re in. Because WGM is basically Bonjour aware and does not traverse subnets easily it makes sense to do it this way. Involves a bit of leg-work sometimes but that does not bother me as I fancy a walk every now and then. Another way is to poll the MAC addresses in the AD OU the Macs have been placed in. If you prepare the ground properly prior to deployment it’s relatively easy to set up a database that has the desired computer name mapped to its MAC address. Import the .csv file into WGM and that should be it. You can do the same thing with Passenger or DeployStudio.
Q3) - Order does not really matter unless you’re concentrating on applying all your managed policies at computer level. In which case I would add OD first as it tends to work better. Otherwise AD followed by OD always works for me. At one site I did see some strange behaviour in a virtualized environment where adding OD first was the only cure to inconsistent logins. Turned out it was poorly set-up in the first place which the managed solution contractor were reluctant to change because of the work and budget involved.
Q4) - I can’t think of anything definitive for any of this anywhere TBH. There are lots of useful resources out there. One of them being edugeek! Can’t do worse than Charles Edge on Krypted.com. AFP548 of course. Even Apple have something useful once in a while. You’ll have to dig for those though. Back when 10.4 was first released and AD Integration became a real possibility I did produce a manual of sorts (mostly command line) which I published and released to a select few. Setting up a Mac Server is fairly simple and involves three golden rules: DNS, DNS and DNS. Get that bit right and everything else will follow. In an AD environment that’s not necessarily under your control so you will have to get familiar with how Microsoft does things in terms of its DNS and DHCP offerings. It’s also important to be at least familiar with what a Windows Server is and how Active Directory works for anyone wishing to integrate Macs. As time has gone on I’ve found the more I know about the Windows network the easier and therefore more successful it becomes to integrate Macs. Finally getting the magic triangle (I prefer AD-OD integration) set up properly is mostly about how well the AD environment has been set up in the first place.
Antonio Rocco (ACN)
Thanks to AntonioRocco from:
scotyboy56 (7th February 2014)
By newbie2010 in forum Mac
Last Post: 23rd March 2012, 09:19 AM
Last Post: 31st December 2009, 02:57 PM
Last Post: 26th March 2009, 07:17 PM
Last Post: 3rd December 2008, 01:02 PM
Last Post: 11th January 2008, 08:02 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)