  1. #1
    u8dmtm's Avatar
    Join Date
    Feb 2006
    Posts
    231
    Thank Post
    7
    Thanked 13 Times in 12 Posts
    Rep Power
    20

    Locking down OSX clients in AD domain

    We've had 20 eMacs for a couple of years and recently got Remote Desktop and OS X Server.

    I can bind the Macs to the AD so that domain users can log in with their usual username and password and get their windows home-directory.

    Previously, when the eMacs were standalone, I locked them down nicely locally.

    However now, all AD users get a generic apple desktop.

    How can I lock-down the desktop, software etc. and make it apply to sets of AD users for all of our Macs?

  2. #2

    Join Date
    Oct 2005
    Location
    hey hey hey, stay outta my shed. STAY OUT OF MY SHED.
    Posts
    1,039
    Thank Post
    238
    Thanked 199 Times in 153 Posts
    Rep Power
    108

    Re: Locking down OSX clients in AD domain

    Define "Lock Down"

    There's a method for distributing a standard OS and APP install for OS X on my website (http://rhymeswithgeek.com) and also a method of creating an account 'template' that gets applied to users the first time they login to populate the dock, etc, in the way you desire.

    At the end of the day though, if you want proper network orientated control of the desktops on all your Macs, give different groups of users different options based on group membership, etc, you'll need to buy a Mac server and use the tools available in that to integrate into AD and to use the results of that to determine available resources on the Macs.

    I wouldn't say it was a difficult task as such, but it requires some investment in buying a Mac Server (Maybe not server class hardware but obviously the server OS at least), and some commitment to learning how to do it all. You need to think about the effort it's going to require and decide if you really need all the options that badly.

  3. #3
    u8dmtm's Avatar
    Join Date
    Feb 2006
    Posts
    231
    Thank Post
    7
    Thanked 13 Times in 12 Posts
    Rep Power
    20

    Re: Locking down OSX clients in AD domain

    We have OS X Server running on an XServe as of today, but this is the point at which I'm not making progress. My problem seems to revolve around the fact that when using Workgroup Manager in OS X Server, I cannot make any changes to preferences for Mac computers or any users - such as defining proxies etc. I cannot even make a new Computer List.

    The error is usually with a code like 14140, eDSNoStdMappingAvailable.

  4. #4
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,462
    Thank Post
    10
    Thanked 496 Times in 436 Posts
    Rep Power
    113

    Re: Locking down OSX clients in AD domain

    Are you selecting the correct directory? With AD and OD, I must choose the OD and authenticate.

    You will get errors like that if you try to work with prefs when the AD is selected (as it doesn't have the correct schema).

  5. #5
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,462
    Thank Post
    10
    Thanked 496 Times in 436 Posts
    Rep Power
    113

    Re: Locking down OSX clients in AD domain

    When clicking on the little globe in WGM mine lists "ldapv3/127.0.0.1"

  6. #6

    Join Date
    Oct 2005
    Location
    hey hey hey, stay outta my shed. STAY OUT OF MY SHED.
    Posts
    1,039
    Thank Post
    238
    Thanked 199 Times in 153 Posts
    Rep Power
    108

    Re: Locking down OSX clients in AD domain

    You're trying to manipulate Active Directory to do this I presume?

    You need to create an Open Directory Master on the Mac server, and use Open Directory to manage computer preferences.

    For user preferences, you'll need to create groups in OD to contain the AD groups... which is a problem because (as you can see from some of the other threads here) OD to AD integration isn't all that it could be.

  7. #7
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,462
    Thank Post
    10
    Thanked 496 Times in 436 Posts
    Rep Power
    113

    Re: Locking down OSX clients in AD domain

    Quote Originally Posted by Roberto
    You're trying to manipulate Active Directory to do this I presume?

    You need to create an Open Directory Master on the Mac server, and use Open Directory to manage computer preferences.

    For user preferences, you'll need to create groups in OD to contain the AD groups... which is a problem because (as you can see from some of the other threads here) OD to AD integration isn't all that it could be.

    Some issues can be reduced by increasing the max search results returned by AD, it's set as 1000 by default. I think I boosted mine to 1500 - that way all users are returned correctly and no longer truncated.

  8. #8
    u8dmtm's Avatar
    Join Date
    Feb 2006
    Posts
    231
    Thank Post
    7
    Thanked 13 Times in 12 Posts
    Rep Power
    20

    Re: Locking down OSX clients in AD domain

    I've now re-rolled the Mac server as Open Directory Master but kept the Kerberos Realm the same as my windows domain.

    Can someone point me in the right direction for allowing users from the Windows AD to log in to a Mac based.

  9. #9
    u8dmtm's Avatar
    Join Date
    Feb 2006
    Posts
    231
    Thank Post
    7
    Thanked 13 Times in 12 Posts
    Rep Power
    20

    Re: Locking down OSX clients in AD domain

    UPDATE: The following document is helping:

    http://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf

  10. #10
    Rozzer's Avatar
    Join Date
    Aug 2005
    Location
    South West
    Posts
    720
    Thank Post
    21
    Thanked 81 Times in 61 Posts
    Rep Power
    33

    Re: Locking down OSX clients in AD domain

    In my place we are using a Mac server. We connect the OSX station to LDAP to Mac OSX server and Active Directory as well. You can only really do preference changes to computers not accounts or groups.

    Ross
