  1. #1 stevehp

    Integrating OSX into our Windows world

    OK, so I'm pulling out my hair and overworking myself trying to find a simple, stable solution to my problem. The district I work for recently received a shipment of fifteen MacBook Pros, one iMac, and one Mac Pro for use in a Media Communications class the High School started offering this year. We do not have the funding for an OSX server this year, so that's out of the question. We will next year, as the Junior High received a five hundred thousand dollar technology grant. For now though, I'm trying to find a simple way to lock down these Macs. They work fine with our 2003 AD environment when bound to it, but the fly is down on the clients so kids can see everything and change everything.

    I've already spent way too much time on this as is, so I want something simple. I've been looking at Linux since it's a stable, free platform, but I'm in way over my head. I've tried a plain OpenLDAP server on Fedora 11, 389 Directory Server, and others. I'm not scared of the CLI, but I'm not a Linux guy, and I haven't touched it for a couple of years. I have other projects weighing me down as is, so I really need something simple and quick.

    So, long story short: I need to be able to use Workgroup Manager to apply restrictions to users that log on to these Macs. I'd prefer not to mess with our Windows servers, as I don't want to screw things over for our 450+ Windows clients and the 900-plus users who use them.

    Thanks

  2. #2 GrumbleDook
    As well as looking at the stickies at the top of the forum I would also have a look at the following blog post from Robert Moir ... a bit old but still pretty relevant to your case. Basics of integrating modern Macs onto a Windows network, FAQ: Creating a Default User Profile - Someone Else

    Basically, lock all the machines down for *any* user and then authenticate against the AD by binding them to your domain. Additional features can be added via login hooks (have a look at Home (MacEnterprise) for examples), but keep it simple for the next year.

  3. #3 stevehp
    That unfortunately will not work, as I need a specific permissions/preferences set for different groups, i.e. students and the two staff who teach that course.

    The blog post you linked to I've tried before, and I found similar articles on the internet, of course with varying levels of detail. The issue with that is that even if I force local homes, a good chunk of the configuration I did on that account does not carry over to a user who logs on with their AD credentials.

    I may just end up creating different local accounts and having the staff and students use that until we can get proper equipment to handle these machines.


    Thanks for the help, I appreciate it.

  4. #4 HodgeHi
    You could create a default template. What you would do is create a local user (template) and then run all the apps and configure Finder and other items the way you would want them to look. Once this is done, log out of the machine and log into the client as an admin user. Then you can run a command to copy the template user's home dir into the default template of the machine itself. This is found at /System/Library/User Template/English.lproj/

    To make things a little easier at this point you could use the app Template. I used this myself and it works well.

    But what I did for my users was copy the template into their already created home dirs found on the OS X Server. I think, though, that the forced AD local home picks up the system's default template.

    But if you have an iMac and it could be made available, then I would use that as your OS X Server to help manage the clients. It doesn't have to be an Xserve, and the home dirs don't have to reside on an OS X AFP server as far as I'm aware.
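One way to script the copy described in this post, as an added example rather than code from the thread or the app it mentions. It assumes the configured local account is /Users/template and uses the User Template path the post names; it also strips the items a default template must never carry (the template account's keychains, caches, logs and shell history), since everything left in the template is copied into every new AD user's local home.

```shell
#!/bin/sh
# Added example, not from the thread: stage a configured local "template"
# account's home as the machine-wide default user template (the path the
# post names), minus the per-user items that new accounts must not inherit.
# Assumed: the template account lives at /Users/template; run it as root.
set -eu

SRC_HOME="${SRC_HOME:-/Users/template}"
DST_TEMPLATE="${DST_TEMPLATE:-/System/Library/User Template/English.lproj}"

# Remove material that is personal to the template account rather than
# configuration. Keychains and saved sessions would hand that account's
# stored passwords to every AD user whose local home is copied from here.
strip_private_items() {
    dst="$1"
    set -- "Library/Keychains" "Library/Caches" "Library/Logs" \
           "Library/Saved Application State" ".ssh" ".bash_history" ".Trash"
    for rel in "$@"; do
        rm -rf "$dst/$rel"
    done
}

# Copy the whole home (dotfiles included), scrub it, then make it root-owned
# and not writable by others; the login process copies it for each new user.
stage_template() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "source home $src missing" >&2; return 1; }
    mkdir -p "$dst"
    cp -R "$src/." "$dst/"
    strip_private_items "$dst"
    chmod -R go-w "$dst"
    if [ "$(id -u)" -eq 0 ]; then chown -R 0:0 "$dst"; fi
}

# Sanity check before trusting the template: preferences present, no
# keychain left behind, nothing world-writable.
template_ok() {
    dst="$1"
    [ -d "$dst/Library/Preferences" ] || return 1
    [ ! -e "$dst/Library/Keychains" ] || return 1
    [ -z "$(find "$dst" -perm -002 -print 2>/dev/null | head -n 1)" ] || return 1
    return 0
}

# Only touch the real paths when explicitly asked, e.g. STAGE_RUN=1 sudo sh ...
if [ "${STAGE_RUN:-0}" = "1" ]; then
    stage_template "$SRC_HOME" "$DST_TEMPLATE"
    template_ok "$DST_TEMPLATE"
fi
```

Run it once on the client after logging in as an admin, then log in as a fresh AD user and confirm the Finder and Dock settings arrived but no keychain did.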

  5. #5
    I got stuck trying to get a logon script to run on the Mac for any user, and it didn't seem to like \\server\users$\group\name user areas much, and I really don't want to go back to using \\server\username$; it's a pain and makes copying users much harder.

  6. #6
    IIRC OS X doesn't like the dollar on the end of shares. If I added them on the end, then the shares wouldn't work. However, I can't recall if this was a problem with SMB on OS X Server or just OS X in general accessing SMB shares.

    If the netlogon and sysvol shares use $ then it's irrelevant anyway, since these can be seen in OS X. So this would answer the question of whether it is just OS X Server's SMB, and also render hiding shares pointless, at least from the point of view of OS X anyway.

  7. #7 stevehp
    Quote Originally Posted by HodgeHi:
    You could create a default template. What you would do is create a local user (template) and then run all the apps and configure Finder and other items the way you would want them to look. Once this is done, log out of the machine and log into the client as an admin user. Then you can run a command to copy the template user's home dir into the default template of the machine itself. This is found at /System/Library/User Template/English.lproj/

    To make things a little easier at this point you could use the app Template. I used this myself and it works well.

    But what I did for my users was copy the template into their already created home dirs found on the OS X Server. I think, though, that the forced AD local home picks up the system's default template.

    But if you have an iMac and it could be made available, then I would use that as your OS X Server to help manage the clients. It doesn't have to be an Xserve, and the home dirs don't have to reside on an OS X AFP server as far as I'm aware.
    The iMac will be placed in the back of the classroom, so it's intended to be a student computer. The Mac Pro is intended for the teacher station, but I'm not releasing it yet since I'm using DeployStudio and other apps on it. According to my boss the Mac Pro was at one time spec'd with the server OS, but that was dropped since the cost was much too high. At the moment purchasing media and CALs for 10.6 Server would not be financially possible. The grant the junior high received is supposedly going to be used to place Macs (not sure what model) at each teacher station in that building (we have four on a campus setting). I thought it was hearsay, but according to my boss it's not, so I demanded an Xserve be purchased with that money.

    Unfortunately I have already tried the default user template as mentioned before. It will not hold a large chunk of settings when using an AD network account with forced local homes (docs still reside on the 2k3 file server). I will give the app you linked to on Apple-Scripts.com a try, but I'm not holding my breath.

    Thanks for the help. I'd like to get a Linux server up for other things as well, so I'm going to keep cracking at that, but I will ultimately just use local accounts on this small set of Macs until proper equipment is in place.

    Again thanks to everyone who posted in this thread.

  8. #8 eean
    This Apple white paper says:
    Managed Preferences
    When fully integrated, Mac OS X offers a complete managed environment where users can be fully controlled and required to abide by AD password policies. Depending on the level of management your organization requires, there are several options for managing Mac client preferences.

    Do nothing. Apple’s plug-in automatically enables authentication to AD, including full support of password policies. It also allows you to set up network homes for Mac users on AD.

    Extend the AD schema to handle management. By adding 36 attributes and 10 classes to the AD schema, your AD system can support all Mac OS X management policies. Just use the normal Mac OS X management tools and target the AD domain.

    Use a dual directory. Sometimes known as the “magic triangle,” this scenario adds Mac OS X Server to the solution. [...]

    [...]

    Managed Client for Mac OS X (MCX)
    Because Windows and Mac OS X handle preferences differently, a Mac is unable to use GPOs in AD. Instead, Apple has a system called MCX that accomplishes the same task.
    MCX can be stored locally on Mac clients that have been integrated into AD, but this makes updates difficult because it involves each individual computer. It’s also possible to host the MCX objects in AD, which requires you to extend the schema. Another solution is to configure a secondary LDAP directory using Mac OS X Server and Apple’s Open Directory. In this scenario, clients still use AD for user authentication, while Open Directory supplies managed preferences only.
    This would imply that it's possible to lock down clients via Active Directory without requiring a Mac server. However, it doesn't tell you how.

    If you figure it out let us know as I need to do this soon!

  9. #9 HodgeHi
    Quote Originally Posted by eean:
    This Apple white paper says:

    [...]

    This would imply that it's possible to lock down clients via Active Directory without requiring a Mac server. However, it doesn't tell you how.

    If you figure it out let us know as I need to do this soon!
    I can help you with this one. Would I need a Mac Server?
    Last edited by HodgeHi; 3rd October 2009 at 09:38 AM.

  10. #10 HodgeHi
    Quote Originally Posted by stevehp:
    The iMac will be placed in the back of the classroom, so it's intended to be a student computer. The Mac Pro is intended for the teacher station, but I'm not releasing it yet since I'm using DeployStudio and other apps on it. According to my boss the Mac Pro was at one time spec'd with the server OS, but that was dropped since the cost was much too high. At the moment purchasing media and CALs for 10.6 Server would not be financially possible. The grant the junior high received is supposedly going to be used to place Macs (not sure what model) at each teacher station in that building (we have four on a campus setting). I thought it was hearsay, but according to my boss it's not, so I demanded an Xserve be purchased with that money.

    Unfortunately I have already tried the default user template as mentioned before. It will not hold a large chunk of settings when using an AD network account with forced local homes (docs still reside on the 2k3 file server). I will give the app you linked to on Apple-Scripts.com a try, but I'm not holding my breath.

    Thanks for the help. I'd like to get a Linux server up for other things as well, so I'm going to keep cracking at that, but I will ultimately just use local accounts on this small set of Macs until proper equipment is in place.

    Again thanks to everyone who posted in this thread.
    I don't think OS X utilises CALs. You just purchase either a 10-client or an unlimited-client server licence. Over here the unlimited licence for 10.6 costs roughly £250-£300.

    This would also allow you to take advantage of using DeployStudio along with NetInstall and deploy the images across the network. This works very well, since you can also rename and bind the machines to the AD as part of the imaging process, as well as deploy additional packages along the way.
    Last edited by HodgeHi; 3rd October 2009 at 09:41 AM.


  12. #11 sted
    Right, I now have it kind of working.

    My test "Mac" (actually an HP running Hackintosh 10.5.6) is bound to AD. I have extended the schema to cope with Apple prefs, so I can assign scripts, keep people out of System Preferences etc. (very slow, but it works; I suspect that's down to my hardware/software/using a straight cable to link server and Mac). The policies are applying to my test user, so it loads Calculator (easy test) at startup and on the Dock I have my network shared folder. Is there any way to make that the default save location? And for some reason, while I can create files in my network area, they don't appear visible on the Mac, but I can see them on my server. Any ideas, as I appear to be 90% of the way to doing what I want.

    Scratch part of that: after a logon/off, files/folders are showing under my user area, but I'd still like it to be the default save area, or at least listed in dropdowns.
    Last edited by sted; 10th October 2009 at 12:21 PM.

  13. #12
    It sounds like you have AD users logging in but have forced local home dirs. This means that each AD user will have a local home dir, which will mean they will have to choose to save to the network location.

    The way I got round this was to use syncing on log out and background syncing if needed. But I only did this on the head's machine, since he was the only one using Parallels.

  14. #13 mac_shinobi
