When fully integrated, Mac OS X offers a complete managed environment where users can be fully controlled and required to abide by AD password policies. Depending on the level of management your organization requires, there are several options for managing Mac client preferences.

Do nothing. Apple’s plug-in automatically enables authentication to AD, including full support of password policies. It also allows you to set up network homes for Mac users on AD.

Extend the AD schema to handle management. By adding 36 attributes and 10 classes to the AD schema, your AD system can support all Mac OS X management policies. Just use the normal Mac OS X management tools and target the AD domain.

Use a dual directory. Sometimes known as the “magic triangle,” this scenario adds Mac OS X Server to the solution. [...] [...]

Managed Client for Mac OS X (MCX)
Because Windows and Mac OS X handle preferences differently, a Mac is unable to use GPOs in AD. Instead, Apple has a system called MCX that accomplishes the same task.
MCX can be stored locally on Mac clients that have been integrated into AD, but this makes updates difficult because every change has to be made on each individual computer. It’s also possible to host the MCX objects in AD, which requires you to extend the schema.
Another solution is to configure a secondary LDAP directory using Mac OS X Server and Apple’s Open Directory. In this scenario, clients still use AD for user authentication, while Open Directory supplies managed preferences only.