+ Post New Thread
Results 1 to 11 of 11
Mac Thread, Log users on without password AD Bind successful in Technical; Hi there, I have a primary school that has a single Mac machine running OSX 10.4. My Apple skills are ...
  1. #1

    Join Date
    Jul 2009
    Posts
    4
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Log users on without password AD Bind successful

    Hi there,

    I have a primary school that has a single Mac machine running OSX 10.4.
    My Apple skills are pretty limited but I have managed to bind it to Active Directory.
    It can retrieve the users from AD and accounts can log in easy enough if they are password protected.
    However none of the kids have passwords here and the head wishes it to remain that way. (Most are infants)

    Basically I can't get the kids to log on, if I give them a password it works fine otherwise it refuses.
    I feel I am missing something fairly simple and would be grateful for some help.

    Regards

    Graham

  2. #2
    kernewek-sam's Avatar
    Join Date
    Sep 2010
    Location
    UK
    Posts
    264
    Thank Post
    66
    Thanked 50 Times in 46 Posts
    Rep Power
    68
    Perhaps someone with far better knowledge of Macs can suggest something better, but how about simple 1 character password that's the same for everyone? Or if they aren't saving to windows based storage, unbind the mac and create a generic account with no password (or set the account to auto-login in preferences) that they can all use and create a separate folder for each pupil on the desktop to save their work in.

    Perhaps there is a simpler option and hopefully someone more skilled will be able to say what it is.

    Sam

  3. #3
    AntonioRocco's Avatar
    Join Date
    Oct 2008
    Location
    South Yorkshire
    Posts
    268
    Thank Post
    10
    Thanked 113 Times in 95 Posts
    Rep Power
    41
    Hi

    It's not recommended but I think you can configure AD's Password Policy to not require a Password. Have a closer look at the Server's Security Policies. One way or another an answer should be there?

    HTH?

    Antonio Rocco (ACSA)

  4. Thanks to AntonioRocco from:

    kernewek-sam (7th February 2012)

  5. #4
    kernewek-sam's Avatar
    Join Date
    Sep 2010
    Location
    UK
    Posts
    264
    Thank Post
    66
    Thanked 50 Times in 46 Posts
    Rep Power
    68
    Quote Originally Posted by AntonioRocco View Post
    Hi

    It's not recommended but I think you can configure AD's Password Policy to not require a Password. Have a closer look at the Server's Security Policies. One way or another an answer should be there?

    HTH?

    Antonio Rocco (ACSA)
    Change Active Directory Strong Password Policies « Everything SharePoint/Silverlight/WP7

  6. #5

    Join Date
    Jul 2009
    Posts
    4
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I didn't say earlier, the school are using Win 2008 R2 with XP clients and kids log on with no passwords.

    Pretty sure I've set all the password policies to disabled or zero as required, however I'll have a closer look at the Default Domain Policy and double check the security settings in case I've missed something.
    I'm due on site on Thursday and I'll report back.

    Thanks so far.

  7. #6

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    Quote Originally Posted by scheduledtask View Post
    I feel I am missing something fairly simple and would be grateful for some help.
    Simple huh? I think this from LDAP RFC4513 and possibly others might have something to do with it:

    Unauthenticated Bind operations can have significant security issues
    (see Section 6.3.1). In particular, users intending to perform
    Name/Password Authentication may inadvertently provide an empty
    password and thus cause poorly implemented clients to request
    Unauthenticated access. Clients SHOULD be implemented to require
    user selection of the Unauthenticated Authentication Mechanism by
    means other than user input of an empty password. Clients SHOULD
    disallow an empty password input to a Name/Password Authentication
    user interface. Additionally, Servers SHOULD by default fail
    Unauthenticated Bind requests with a resultCode of
    unwillingToPerform.


    Empty passwords are obviously significant for this protocol. "Can of worms" springs to mind.

  8. #7

    Join Date
    Nov 2011
    Posts
    22
    Thank Post
    0
    Thanked 9 Times in 6 Posts
    Rep Power
    7
    For a younger student it would be better to setup a local user with a simple finder... This will make a user they click to login and only show a list of apps for them to use. This is what I setup in the k-4 areas of my school.

  9. #8


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,650
    Thank Post
    275
    Thanked 780 Times in 607 Posts
    Rep Power
    224
    You can specify different password policies in AD from 2008 onwards (assumes you're on 2008 native domain and forest).

    Read this as a starting point: Windows Server 2008 - Fine Grained Password Policy Walkthrough - The Sean Blog - Site Home - TechNet Blogs

    That'll prevent adults choosing simple passwords, but let the kids have a default one.

  10. #9

    Join Date
    Jul 2009
    Posts
    4
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by PiqueABoo View Post
    Simple huh? I think this from LDAP RFC4513 and possibly others might have something to do with it:
    Duly noted.

    I think the idea from Serving (it would be better to setup a local user with a simple finder...) will be worth looking into.

  11. #10

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    In your shoes I'd try that alternative too - don't have the energy to verify this, but it definitely looks like blanks passwords just don't mix with LDAP.

  12. #11

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,191
    Thank Post
    299
    Thanked 215 Times in 185 Posts
    Rep Power
    56
    Quote Originally Posted by Serving View Post
    For a younger student it would be better to setup a local user with a simple finder... This will make a user they click to login and only show a list of apps for them to use. This is what I setup in the k-4 areas of my school.
    Personally I find using the Simple Finder with parental controls enabled a pain in the ass. When you open an application that has been restricted, DON'T choose the always allow option. It doesn't place the application in the list of allowed applications in the Parental Controls. I have looked for about 2 hours and still cannot find where OS X places the setting. I accidentally chose this option for the System Preferences application and now they can open it whenever they want. And it places a shortcut inside the allowed applications window for ease of access.

    From my searching the only known way of reverting this is to delete the user and re-create the Parental Controls.

SHARE:
+ Post New Thread

Similar Threads

  1. Prevent showing last user logged in on 7
    By ranj in forum Windows 7
    Replies: 2
    Last Post: 18th August 2010, 01:46 PM
  2. Log users logging on to a laptop?
    By ICT_GUY in forum Windows Vista
    Replies: 1
    Last Post: 20th November 2009, 10:12 AM
  3. Force user to change password on login
    By keogk in forum Virtual Learning Platforms
    Replies: 3
    Last Post: 4th September 2009, 05:07 PM
  4. Replies: 3
    Last Post: 18th March 2009, 11:54 AM
  5. Creating mailboxes in exchange 2007 when a user is created in AD on another server
    By thesk8rjesus in forum Network and Classroom Management
    Replies: 2
    Last Post: 5th September 2008, 02:53 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •