9th October 2008, 05:29 PM #1
Controlling MACs with AD GPO's
I am new to using MACs and know nothing and am keen for a bit of help!! I've got 10 new MACs that I need to get networked and get them onto my Windows 2003 Domain. I've got my test MAC on the AD domain and now have a couple of questions - hope someone can help!
If I logon to the MAC with an AD user account and open Finder and go to the "Shared" tab, I see all of the shares that are available on the authorising domain controller, including my user accounts share (listed with a $ at the end). How can I hide these shares?
I would like to map some drives and provide access to printers currently being delivered by my domain controllers, in the same way as my PCs work. How can I do this?
Is it possible to create a policy that restricts access to certain components on the MAC dependent on user logon permissions - again in the same way as PCs work? Is this a MAC policy or would it be an AD policy?
Many thanks again for helping the Newboy!!
11th October 2008, 06:46 PM #2
You need to use OpenDirectory along with ActiveDirectory. OpenDirectory is the Apple directory service, similar to ActiveDirectory. To use OpenDirectory you need a machine running Mac OS X Server. This includes a tool called WorkGroup Manager which allows you to create what are called MCX preferences, which are similar to GPOs on Windows Server.
The way it works is that your Mac clients are bound to both directory services - AD for user authentication and OD for setting machine/user preferences and restrictions.
However, MCX preferences are nowhere near as powerful, reliable, flexible or comprehensive as GPOs on Windows. For example I haven't been able to find any way of disabling the shared resources and computers in Finder that you specifically mention. Printers can be setup using MCX prefs. You don't have drive mappings as such on a Mac, but you do have MountPoints which allow you to map network shares, such as your users' home directories to 'local' folders.
A good starting point for more info is the document referenced here: AFP548 - AD-OD Sandbox. This explains how to setup a Basic AD/OD infrastructure that will get you started - but you will need to purchase a copy of Mac OS X Server with enough licenses to support all your clients.
You'll also need plenty of time and patience if you're not used to Mac OS X and a good deal of luck. We've spent weeks over the summer trying to get this setup right and whilst it basically is working, we still have hassles with preferences intermittently not applying to particular users/workstations and other issues that we don't have to think twice about on Windows - good luck!
12th October 2008, 08:15 PM #3
The other response you have had is a pretty good summary of all that you will need to do to get this working the way you seem to require. The MCX settings on OS X Server are actually pretty cool once you understand how and why things apply the way they do (and often don't), but you will most certainly need an OS X Server on your network to get things the way they should be.
At the moment you are simply binding your Apple machines to your AD server and using that to enable authentication against that server for students and staff using the Macs. That's fair enough really- I know some schools that pretty much leave it at that and are happy with the situation. To have your Apple systems "locked down" though you will need to join them to an Open Directory Master server and define preferences to individuals, groups, and computers (and computer groups) much the same way you would with OUs and groups (and users) in AD.
The reason you see all your Windows shares when you log on to a Mac with a Windows account is that by default OS X is set up to hunt out those kinds of things and place them in the "Shared" section of your Finder. Makes things great for standalone machines that need to find the wider networked world, but not so good if you are trying to lock your environment down any. With an OS X Server in place you can take out this view from the finder for all users who log on to your systems. It is indeed quite possible to do this. You can also define the "Devices" view and what your users see on their desktops.
As the other post stated, you can also have "mapped drives" (called "mount points" in OS X Server) allocated to users dependent on computer group or user group etc., and these act exactly the same as mapped drives in a Windows environment do.
Printers: I use our Windows print server as my basis for printers in OS X Server, and even though there are some issues if you don't have a kerberised print service (i.e. it will prompt the users for their username and password the first time they use the printer and never again if they choose to store that information in their keychain) it works.
I'm not sure what you mean by "restrict access to certain components", but to give you an idea of what you can restrict simply take a look at Workgroup Manager for OS X Server if you are running Leopard on your local machine and see what it can do (Leopard runs a local Open Directory database so you can use WGM to also manage local machine preferences for users and groups).
Integrating an OS X Server into a Windows environment is a tricky thing- I will be honest with you. You will be required to learn new ways of doing things and there will be times when you get frustrated at what seems to be a lack of information and/or features inside of an Apple server OS. With patience though your Macs can become a good citizen on your network and you will learn a bunch of new skills in return.
There are nay-sayers even on this forum- and some of them have had a horrible time trying to get OS X Server to work how they need it to. But there are equally as many who will tell you that it works and does so well. I am one of the latter.
If you need any further help I am willing to chip in, and I'm sure others would too.
Best of luck mate!
15th October 2008, 01:34 PM #4
Thanks for your replies guys - really concise!! I haven't any money to spend on new hardware / software this year so will probably have to just bind to AD for now.
Could you give me a bit of insight into "Mac OS X Server" - is that just the OS (ala Windows 2003 Server) or is it the hardware too?
Sorry - got a lot to learn with these ......!!!
15th October 2008, 02:45 PM #5
Just found out that we've got an "Apple Mac Server" thing!!!! Yeah ok - really showing how clever I am now!! How can I find out if it meets the need? What do I do with it!!! IS there any documentation available anywhere that I can learn from?
15th October 2008, 05:17 PM #6
Another question along the same track - sorry. My 10 IMacs are all Mac OS X Version 10.5.4 and I am going to roll them out attached to AD. I have my "test" machine on AD and I can access my home drive. I'm not sure when I'm gonna get my OSX Server up and running so am thinking of other ways I can restrict student access to some of the applications (i.e. remove them from their view). Can I use the "System Preferences" -- "Parental Controls" to do this with a network account or does it only work with local accounts?
Also, I have heard about the "Create Mobile Account at Login" option (I think it's kinda like using a local profile?) Is that available under my version of the Mac OS? And if so, should I be using it?
15th October 2008, 05:45 PM #7
First off, I would suggest reading the AD-OD sandbox document. This should answer most of your questions relating to how the OS X server integrates with the AD network. You really need to get the OD server up and running before anything else really. This will give you the ability to restrict what the Mac clients can see on the network. This should hide all the servers if you wish it to.
The other way you could do the user accounts is to create a limited account and manage it through the parental controls. Apparently there is a bug with the Parental controls section though that makes things not work right. I don't know any more than that. What you could do is create a limited account and then configure it to your liking. Then when all of that is done log out and then log in as an admin and copy it into the user template folder.
What happens then in this case is if your clients are bound to the AD, the users would log in and have their home dirs created from the template user and all of the settings you made would be there.
Here's a link to a guide I used:
Making a default template for os x
You can also lock certain files in the template so they can't be overwritten. I used this guide to lock the desktop picture plist file so they couldn't change it.
Locking plist files
It's under the "customising the User template" section.
Mobile accounts synchronise their stuff backwards and forwards to and from the server. I don't think it complains much about not finding the server though. It is essential to use a mobile account when running Parallels though as it doesn't like being run across the network.
Hope this helps a little.
20th October 2008, 03:22 PM #8
Thanks again for all these tips guys.
I've had a look at the website you sent me, HodgeHi, and followed the instructions. Slight issue tho' - I can't update the user template even when I'm logged in as an Administrator. I get the message 'The folder "User Template" could not be opened because you do not have sufficient access privileges.' Any ideas?
20th October 2008, 03:40 PM #9
Cheers, been looking for stuff like this.
A while ago I asked the Samba guys about GP. They said it would have to be reg keys, they've yet to build a tool into it to easily build "GPs".
If I could only get work to put the Macs on the network, I might be able to get one
20th October 2008, 04:29 PM #10
What about Centrify? Anyone tried that?
20th October 2008, 06:39 PM #11
The Template is protected by root access. You will need to sudo to do the business. You can also get a small app that will do just this. The app can be found here:
Downloads | Apple-Scripts.com
It's called, believe it or not, Template and it's the last on the list. Should make things a bit easier if you are not (like me) down with Terminal.
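The staging-then-copy procedure HodgeHi describes in #7 (configure a limited account, then copy its home into the User Template so every new AD user's home is created from it, and lock the preference files you don't want changed) and the root-only access to the template that #11 points out, written up as a shell script added here. It is not code from the thread or from the linked guides. Paths are parameters so it can be exercised against a scratch directory; on a real 10.5 client the template is under /System/Library/User Template/English.lproj and every step needs to be run with sudo. The file name com.apple.desktop.plist is assumed to be the desktop-picture preference file the guide locks, and the locking here is done with plain permission bits rather than whatever mechanism the guide uses.

```shell
#!/bin/sh
# Added example, not from the thread. Stage a configured account's home as the
# default User Template and lock a preference file inside it.
# Assumed real-world paths (10.5): source = /Users/<staging account>,
# template = "/System/Library/User Template/English.lproj". Both need sudo.
set -e

# install_user_template SRC_HOME TEMPLATE_DIR
# Copies SRC_HOME to TEMPLATE_DIR, keeping a timestamped backup of any
# template already there, and makes the result root-owned and read-only
# for everyone else (the cause of the "insufficient access privileges"
# message in #8 when an admin tries to edit it without sudo).
install_user_template() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "source home $src missing" >&2; return 1; }
    if [ -d "$dest" ]; then
        mv "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    mkdir -p "$(dirname "$dest")"
    # -R copies the whole tree, -p keeps the staging account's file modes
    cp -Rp "$src" "$dest"
    # Caches belong to the staging session and must not be cloned into
    # every new home that is created from the template.
    rm -rf "$dest/Library/Caches" 2>/dev/null || true
    # Nobody but the owner may write to the template...
    chmod -R go-w "$dest"
    # ...and the owner is root (uid/gid 0; gid 0 is "wheel" on macOS).
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$dest"
    fi
    return 0
}

# lock_plist FILE
# Makes a preference file read-only so the user's login session cannot
# rewrite it (the desktop-picture trick from #7). macOS additionally
# offers the user-immutable flag (chflags uchg) for a stricter lock; this
# portable version keeps to permission bits.
lock_plist() {
    f="$1"
    [ -f "$f" ] || { echo "plist $f missing" >&2; return 1; }
    chmod 444 "$f"
}

# is_locked FILE: succeeds when the mode string is exactly r--r--r--.
# Parsing ls -l keeps this independent of GNU vs BSD stat.
is_locked() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c2-10)" = "r--r--r--" ]
}

# Usage on a real client (requires sudo):
#   install_user_template /Users/staging \
#       "/System/Library/User Template/English.lproj"
#   lock_plist "/System/Library/User Template/English.lproj/Library/Preferences/com.apple.desktop.plist"
```

Run it as root on the client, or the `chmod`/`chown` steps will fail just as the Finder copy did in #8. The backup step matters: the shipped template contains the default Library layout, and an accidental overwrite with an incomplete home is hard to recover without it.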