Mac WGM settings not taking/Windows GPO's overriding

[Rydra]

I'm hoping someone here has some idea of what I'm about to waffle on about.

Have just integrated a mac suite into the windows domain.
Details as best I can remember:
-Mac Server: Lion 10.7.3 (Mac Mini), running in magic triangle setup (OD master, kerberos disabled, AD authentication, DNS running)
-Windows: Server 2k3 and 2k8r2, both running at 2k3 domain functional (and forest) level, with the relevant AD upgrade file applied (I forget what it's called, but it's a thingy file that upgrades AD schema to accept Win7/2k8 boxes on a 2k3 domain).
-GPO's applied to OU's containing all users, seperate policy for students/teachers, along with a default domain policy.
-MacbookPro's with lion 10.7.3
Followed standard guides for setting up magic triangle, used Deploystudio to create netboot and netinstall clients, then hopped the clients on and set the names accordingly.

The problem:
WGM settings are not taking effect correctly
-User WGM settings are only applied to users with no AD GPO's in effect, or users with domain admin access.
-Machine WGM settings are only applied to machines if user has admin access (local or domain)

I moved the machines to a dedicated OU and blocked policy inheritance, didn't have any affect on settings.
I created a new user and only made it a member of Domain Users group, and put that user into folder with blocked policy inheritance. This user correctly applied WGM user settings.
I tried adding users with Augmented records into OD, no effect.

Now it looks to me like AD is forcing the GPO's and ignoring all WGM settings, but I can't for the life of me work out how to get round this.

It's not GPO settings overriding specific options, it's ignoring ALL WGM settings if a GPO is in effect for a non-admin user, but does seem to apply for users with admin priviledges.


Anyone know what I've done wrong? What am I missing? I'd rather not create all my users with no GPO's applied! And I don't want to have different logins just for the macs.

Any help much appreciated.

[pooley]

WGM will only affect the users when they are logged into the Mac side and AD should only affect users when they are logged into windows. I've not come across a setup where AD affects MAc and OD (Mac AD) affects Windows.

[ste1988]

I may be wrong, but gpo's shouldnt have any effect on the mac side of things, here are windows side is heavily locked down, but our macs only take settings from WGM.

What i would say is to refrest the mcx records that are held on the machines. Just so you know the machines, have the very latest settings applied and that all those changes are hanging around causing issues.

You can do this here Managed Client: How to flush cached settings

This worked for me when my settings werent being applied

[Rydra]

The windows GPO's aren't applying to the mac's, but it seems any user in the main AD structure are not taking the settings. Only ones that have no policies applied (aka blocked inheritance) and domain admins are getting the changes.

I can login as a user without policies and get the settings, log out, then login as a user that's never logged in before with a GPO applied, and the WGM settings are not taking. I can even make settings changed on WGM and see them apply on a logout/login on the non-inherited user, but the others all ignore it.

[pooley]

The only thing I can think of is maybe its the way you have linked the macs to OD and AD, When you connect the macs to both directory services, under Directory domains Make sure that LDAP is below Active Directory

[Rydra]

The only thing I can think of is maybe its the way you have linked the macs to OD and AD, When you connect the macs to both directory services, under Directory domains Make sure that LDAP is below Active Directory

checked that, AD is first.

I don't have any reverse DNS setup, could that cause issues? I never found anywhere that suggested how to set that up. for triangle setup.

I had it suggested it might be to do with Default Domain Controller Policy settings
Computer > Windows Settings > Security Settings > Local Policies > Security Options >> Microsoft Network Server: Digitally Sing communications (Always + if client agrees).

That made no difference.

[pooley]

OK lets rethink this, under the managed preferences, you have setup "Groups" that are to be managed, staff, admin, kids etc?

Have you made sure that you have selected to "always" manage a preference as apposed to only managing it once?

[Rydra]

OK lets rethink this, under the managed preferences, you have setup "Groups" that are to be managed, staff, admin, kids etc?

Have you made sure that you have selected to "always" manage a preference as apposed to only managing it once?

yes.

Created group for users and for computers.

Minimal settings applied (pre-set proxy for staff, different one for student under user settings, under machine settings add office programs to dock bar).

[martin_hannah]

I may be wrong, but gpo's shouldnt have any effect on the mac side of things, here are windows side is heavily locked down, but our macs only take settings from WGM.

What i would say is to refrest the mcx records that are held on the machines. Just so you know the machines, have the very latest settings applied and that all those changes are hanging around causing issues.

You can do this here Managed Client: How to flush cached settings

This worked for me when my settings werent being applied

I've got this one mac that's refusing to refresh - It's picking up half of the policies, I tried flushing the cash as you suggested but it's still only picking up some of the policies.. I've also tried renaming, rebinding, readding to the group in WGM. Still same deal.. It's small things like all users are still get the default dock alongside their managed dock.. and local admin can't refresh preferences when logging in.. All other macs in the group are fine it's just this one! Any other tricks I can try?

Cheers,

Martin

[ste1988]

In WGM you have your groups, and they are linked to ad, so you staff group contains your staff ad group?

I apply my preferences, mostly to the user groups, and not by machines. Which way are you doing it?

@martin_hannah

Have you tried deleting the locally stored preferences, its in Library > Preferences if you know which one it is just delete that one, if not remove them all.

Theres a thread on here that goes it to a bit more detail. ill try and find it for you

[Rydra]

In WGM you have your groups, and they are linked to ad, so you staff group contains your staff ad group?

I apply my preferences, mostly to the user groups, and not by machines. Which way are you doing it?

@martin_hannah

Have you tried deleting the locally stored preferences, its in Library > Preferences if you know which one it is just delete that one, if not remove them all.

Theres a thread on here that goes it to a bit more detail. ill try and find it for you

I've tried it with AD groups in the WGM groups, and individual AD users. Didn't make any difference.

I have a machines group, with machine settings just to tell it to add Word + Powerpoint to the dock, and at the moment I've got proxy settings being pushed out for the user based settings. Neither take affect unless it's admin/non policy user.

[JR-PCS]

Based on a your original post there are a few things that you don't seem to have setup correctly.

You don't want DNS running on the mac mini server if your have other DNS servers in the school. Just point your mac mini at the windows (or other OS) DNS servers.

On the other DNS servers you will need to add a forward and reverse DNS entry for your mac mini server. (important to do both directions)

Not essential, but it is a good idea to have Kerberos running as it would have automatically configured itself if you had your DNS correct before you created your OD Master.

If this was me presented with this kind of problem (and I have had to support many school that have tried to setup there own macs and got stuck where you are right now) I would export the settings I need from WGM, demote the OD Master to standalone, fix the DNS issues as mentioned above and then restart the server. Then premote to OD Master after the restart and import setting again in workgroup manager. If you get stuck get an expert (like me) in to sort it out for you as it will save you a lot of time and money and you can learn from the expert quite a bit during there time fixing it.

[chill3r]

Click the apple logo on one of the machines - click on about this Mac then click on more info >> scroll down to managed preferences and take a look at what you have here if anything.

Also what binding setting have you got set under the Directory Utility ? could you screen shot it for me please.

[HodgeHi]

Does kerberos start now on Lion Server when in a magic triangle configuration? It usually says stopped on the OD master as the services are kerberised by the AD.

[Rydra]

ARGH!

I have been working on this problem for DAYS.

I went to test something just now, and the user settings are taking. (Machine ones are still only working for admins, but I can work around that by applying the settings for the users instead)

I am not kidding when I say I had tried everything before, changed every setting there was, rebooted more times than I can count, and NOTHING worked, and now it's all working quite smoothly.

Thanks and rep going to all who helped me here, I'm going to go away now...