Mac Thread, AD/OD query in Technical
  1. #1
    AD/OD query

    Hi - could someone please confirm my understanding of something ?
    I've set up a working "magic triangle" AD/OD/client setup that seems to be working.
    According to something I read though, if I try logging in with an AD user account that doesn't exist within any of my OD groups, that login should be rejected...
    "3. Log out, then log back in as another AD user that is not in any of the groups in your access list. You will be denied login because that user is not a member of the group that you created."

    Trouble is, that doesn't seem to be the case... I can log in with any AD account regardless of whether it's in my OD group. It seems to still be subject to managed preferences, but I'm worried I may be missing something?

    TIA
    Mike

  2. #2
    AntonioRocco
    Hi

    ". . . If I try logging in with an AD user account that doesn't exist within any of my OD groups, that login should be rejected . . ."

    Not true. A Mac Server (this is implied because you've mentioned an OD Group) is not directly involved in any authentication at all. Identification, Authentication and Authorisation are solely between your DC and the Mac Workstation - the hardware itself. If you require Technologies and/or Services that are only available on OS X Server then most - not all - can be Principals of the AD's Kerberos Realm and participate in Single Sign On. This still won't mean you can't log in. The only time the above statement could be true is if you applied a local (or LDAP) MCX that determines which Users or Groups are allowed to log in on that/those workstation(s). If it's a local MCX this would be done using the Accounts Preferences Pane > Login Options. If applied using LDAP this would be done using a Computer MCX. This kind of lockdown can only be applied at hardware level.

    To apply Managed Preferences (MCX - or if you like, Mac-style GPOs) you'd either nest AD Users or Groups within an OD Group or create a Computer Group (Apple call this a List) and add Mac Workstations which have been joined to Open Directory. Regardless of whether those workstations have been bound to Active Directory or not, all users (including local ones) who attempt a login on those workstations will have those MCX applied.

    HTH?

    Antonio Rocco (ACSA)
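    The three points in the reply above (the DC, not OD, answers the login; group membership only matters for which MCX get delivered; nothing blocks the login unless an MCX does) can be checked from a Terminal on the bound workstation. The script below is an added example written for this thread, not something posted by either participant or shipped by Apple. It uses the standard OS X directory tools (dscl, dseditgroup, mcxquery); the OD node path `/LDAPv3/od.example.com`, the group name `students` and the `GroupMembership` sample line are assumptions made up for illustration, so substitute your own node and group.

```shell
#!/bin/sh
# Added example: audit how an AD user is resolved on a "magic triangle"
# workstation. Run as: sh audit_user.sh <short name>
OD_NODE="/LDAPv3/od.example.com"     # assumed Open Directory node (change to yours)
OD_GROUP="students"                   # assumed OD group that nests AD users/groups

# Constructed sample of the line that
#   dscl "$OD_NODE" -read "/Groups/$OD_GROUP" GroupMembership
# prints for a group with direct members; it stands in for the live server
# when this file is exercised somewhere without the directory tools.
SAMPLE_MEMBERSHIP='GroupMembership: alice bob mike'

# member_listed LINE NAME -> exit 0 if NAME is one of the short names on a
# GroupMembership line. Caveat: AD groups nested into the OD group appear
# under NestedGroups as GUIDs, not here, so a miss is not proof of
# non-membership; dseditgroup below evaluates nesting for you.
member_listed() {
    _names=$(printf '%s\n' "$1" | sed 's/^GroupMembership: *//')
    for _m in $_names; do
        [ "$_m" = "$2" ] && return 0
    done
    return 1
}

# audit_user NAME: show (1) which directory node owns the record, i.e. who
# actually authenticates the login, (2) whether OD considers the user a
# member of the group that carries the MCX, and (3) the managed preferences
# that would reach that user on this workstation.
audit_user() {
    u="$1"
    echo "== directory node that resolves $u (AD node => the DC authenticates) =="
    dscl /Search -read "/Users/$u" AppleMetaNodeLocation AuthenticationAuthority
    echo "== is $u a member of OD group $OD_GROUP (nesting honoured)? =="
    dseditgroup -o checkmember -n "$OD_NODE" -m "$u" "$OD_GROUP" || true
    echo "== raw GroupMembership / NestedGroups on the OD group =="
    dscl "$OD_NODE" -read "/Groups/$OD_GROUP" GroupMembership NestedGroups
    echo "== managed preferences that apply to $u on this workstation =="
    mcxquery -user "$u"
}

# Only talk to the directory when a user was named and the tools exist;
# otherwise the parsing helper can still be tried against the sample line.
if [ "$#" -gt 0 ] && command -v dscl >/dev/null 2>&1; then
    audit_user "$1"
fi
```

    If the first block reports an Active Directory node under AppleMetaNodeLocation, the Mac Server never saw the password, which is why the login succeeds whether or not the user is in the OD group. If mcxquery still lists preferences for a user who is not a member, look at the Computer List the workstation belongs to, since computer-level MCX apply to everyone who logs in there.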

  3. #3
    It does, thanks
    Mike
