Hi - could someone please confirm my understanding of something?
I've set up a working "magic triangle" AD/OD/client setup that seems to be working.
According to something I read though, if I try logging in with an AD user account that doesn't exist within any of my OD groups, that login should be rejected...
"3. Log out, then log back in as another AD user that is not in any of the groups in your access list. You will be denied login because that user is not a member of the group that you created."
Trouble is, that doesn't seem to be the case... I can log in with any AD account regardless of whether it's in my OD group. It seems to still be subject to managed preferences, but I'm worried I may be missing something?
". . . If I try logging in with an AD user account that doesn't exist within any of my OD groups, that login should be rejected . . ."
Not true. A Mac Server (this is implied because you've mentioned an OD Group) is not directly involved in any authentication at all. Identification, Authentication and Authorisation are solely between your DC and the Mac Workstation - the hardware itself. If you require Technologies and/or Services that are only available on OS X Server then most - not all - can be Principals of the AD's Kerberos Realm and participate in Single Sign On. This still won't mean you can't log in. The only time the above statement could be true is if you applied a local (or LDAP) MCX that determines which Users or Groups are allowed to log in on that/those workstation(s). If it's a local MCX this would be done using the Accounts Preferences Pane > Login Options. If applied using LDAP this would be done using a Computer MCX. This kind of lockdown can only be applied at hardware level.
To apply Managed Preferences (MCX - or if you like, mac-style GPOs) you'd either nest AD Users or Groups within an OD Group or create a Computer Group (Apple call this a List) and add Mac Workstations which have been joined to Open Directory. Regardless of whether those workstations have been bound to Active Directory or not, all users (including local ones) who attempt a login on those workstations will have those MCX applied.
Antonio Rocco (ACSA)
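The decision flow described in the answer above, written out as an added Python model (this is not code from the thread, from Apple, or from the original poster's setup): the domain controller alone authenticates, nested OD group membership only selects which Managed Preferences apply, and the only thing that can turn a successful AD authentication into a denied login is a loginwindow access list applied as a local or Computer MCX. The user names, group names, passwords and the preference key are all constructed sample data.

```python
"""Model of the login decision on a Mac bound in an AD/OD "magic triangle".

Added illustration, not the thread's or Apple's code. Directory contents,
user names and preference keys are constructed; the functions approximate the
rules in the answer: AD authenticates, OD only supplies MCX, and only a
loginwindow access list (local or Computer MCX) can deny a login.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MagicTriangle:
    ad_passwords: dict[str, str]            # AD: user -> password (constructed)
    ad_groups: dict[str, set[str]]          # AD: group -> member users
    od_groups: dict[str, set[str]]          # OD: group -> nested AD users or "@ADGroup"
    od_mcx: dict[str, dict[str, str]]       # OD: group -> managed preferences (MCX)
    loginwindow_acl: Optional[set[str]] = None  # access list of users/"@ADGroup"; None = open


def ad_members(tri, name):
    """Expand a name to AD users: '@Group' expands an AD group, anything else is a user."""
    if name.startswith("@"):
        return set(tri.ad_groups.get(name[1:], set()))
    return {name}


def authenticate(tri, user, password):
    """Identification and authentication happen against the DC only; OD is not consulted."""
    return tri.ad_passwords.get(user) == password


def managed_preferences(tri, user):
    """Merge MCX from every OD group whose nested membership includes the user."""
    prefs = {}
    for group, members in tri.od_groups.items():
        if any(user in ad_members(tri, m) for m in members):
            prefs.update(tri.od_mcx.get(group, {}))
    return prefs


def allowed_at_loginwindow(tri, user):
    """Only a loginwindow access list can deny a login; OD group membership never does."""
    if tri.loginwindow_acl is None:
        return True
    return any(user in ad_members(tri, m) for m in tri.loginwindow_acl)


def login(tri, user, password):
    """Return (granted, applied_mcx, reason) for one login attempt on the workstation."""
    if not authenticate(tri, user, password):
        return False, {}, "rejected by domain controller"
    if not allowed_at_loginwindow(tri, user):
        return False, {}, "denied by loginwindow access list"
    return True, managed_preferences(tri, user), "granted"


def build_sample(acl=None):
    """Constructed directory: alice is in AD group Staff, nested into OD group Macs;
    bob is a valid AD user who belongs to no OD group at all."""
    return MagicTriangle(
        ad_passwords={"alice": "pw-a", "bob": "pw-b"},
        ad_groups={"Staff": {"alice"}},
        od_groups={"Macs": {"@Staff"}},
        od_mcx={"Macs": {"com.apple.dock:orientation": "left"}},
        loginwindow_acl=acl,
    )


if __name__ == "__main__":
    open_box = build_sample()
    print(login(open_box, "bob", "pw-b"))      # granted with no MCX: OD membership does not gate login
    locked = build_sample(acl={"@Staff"})
    print(login(locked, "bob", "pw-b"))        # denied by loginwindow access list
    print(login(locked, "alice", "pw-a"))      # granted, dock preference applied
```

The first call reproduces what the original poster observed: bob is a valid AD user in no OD group, and he logs in anyway, simply without any managed preferences. Only after an access list restricted to `@Staff` is applied (the model's stand-in for the Login Options or Computer MCX lockdown) does the same attempt get denied, while alice, who reaches the list through her AD group, is still admitted.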