AD-OD Workgroup Manager
We have a successful implementation of the magic triangle within our district.... Sort of.
We ARE able to manage AD user accounts when they are imported into a group in Workgroup Manager, however we ARE NOT able to manage AD groups when they are imported into a new group in Workgroup Manager. Has anyone else encountered this? Everything else works great, users can log in with AD credentials, their network home automatically mounts, but we are not able to manage them based on their AD group. If I add a specific user account to that group and log in as them, the management settings apply fine. With the size of our district it is not realistic for us to add each user account into specific groups.
Any help would be much appreciated, and if I did not provide enough information let me know and I can get that out quickly.
You have to create an OD group and then add the AD group to that.
Edit: Also, certain group names are reserved and may already be in use on the Mac; make sure it's not got a really common name.
I have done that and the names of the groups are not common. They're: schoolname_students
Originally Posted by DMcCoy
"Has anyone else encountered this?"
Yes and No. Assuming your AD structure is fairly flat then you could query it from a bound Mac workstation using the command line utility dscl. See if the groups can be correctly accessed. For usage launch Terminal and issue man dscl. It's fairly obvious thereafter.
Do these groups appear in WorkGroup Manager? Can you see individual user membership of those groups within WorkGroup Manager? To view Active Directory LDAP records using WorkGroup Manager enable the Inspector Option. Launch WorkGroup Manager, click on the WorkGroup Manager Menu, select Preferences, enable the option to "show all records tab and inspector". You can safely dismiss the warning dialog box that follows. Don't worry about deleting or modifying the AD Schema using this method. Remember you only have read-only access to a bound LDAP schema.
What you should see now is the addition of an extra icon (looks a bit like a bullseye) as well as an extra tab labelled Inspector. Select this and you should be able to authenticate to the /Active Directory/All Domains node by providing an AD admin account that has authority for the AD Domain. Select a Group you're interested in and inspect its Group membership. Does it tally with what you see in AD?
What about adding the General Domain Users Group OU instead? Would not this OU be populated with all users automatically anyway?
Antonio Rocco (ACSA)
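
The dscl check suggested above ("Does it tally with what you see in AD?") can be scripted. This is an added example, not part of the original thread: it parses saved `dscl -read` output and reports which accounts differ from a membership list exported from AD. The file names, account names and the `/Search` node in the usage comment are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Usage on a bound Mac (group name from the thread; file names are placeholders):
#   dscl /Search -read /Groups/schoolname_students GroupMembership > mac_view.txt
#   membership_diff mac_view.txt ad_export.txt   # ad_export.txt: one short name per line

# Print the values of one attribute from `dscl -read` output on stdin.
# dscl writes "Attr: v1 v2" on one line, or "Attr:" followed by one
# space-indented value per line when the values contain spaces.
attr_values() {
    awk -v key="$1:" '
        $1 == key      { inattr = 1
                         for (i = 2; i <= NF; i++) print $i
                         next }
        inattr && /^ / { sub(/^ +/, ""); print; next }
                       { inattr = 0 }
    '
}

# Report accounts that appear in only one of the two views.
# AD account names are case-insensitive, so both sides are lowercased.
# $1 = saved dscl output, $2 = expected members exported from AD.
membership_diff() {
    attr_values GroupMembership < "$1" | awk -v exp_file="$2" '
        BEGIN { while ((getline line < exp_file) > 0)
                    if (line != "") want[tolower(line)] = 1 }
        { seen[tolower($0)] = 1 }
        END {
            for (m in want) if (!(m in seen)) print "missing-on-mac " m
            for (m in seen) if (!(m in want)) print "extra-on-mac " m
        }' | sort
}

# Constructed sample (not output from any real directory): the Mac sees
# two members of the group, the AD export lists three.
demo() {
    d=$(mktemp -d)
    printf 'GroupMembership: asmith BJones\nPrimaryGroupID: 1234\n' > "$d/mac_view.txt"
    printf 'asmith\nbjones\ncdoe\n' > "$d/ad_export.txt"
    membership_diff "$d/mac_view.txt" "$d/ad_export.txt"
    rm -rf "$d"
}

demo
```

An account reported as missing-on-mac is one the Mac will not treat as a group member, so managed settings tied to that group will not reach it. For a single account, `dseditgroup -o checkmember -m <user> <group>` on the same Mac tests membership directly.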