I have more than 50 Macs on the network and I think it's time to put some controls in place so I'm scouting for ways to integrate the Mac OS X clients into Active Directory. The primary objective is to enforce GPOs from the AD to the Mac OS X clients. I'm thinking of the following solutions:
- Use Mac OS X Server's Directory Service with AD
- Use a third-party solution like Centrify's DirectControl or Thursby's ADmitMac
Which of the solutions do you think is the best way to go?
FrancisV
3 Answers
It depends on whether or not you want to install 3rd party software on your AD controllers. If you go with Thursby or Centrify, you will have to do that to get GPO. This adds the necessary attributes to your AD schema to make it more OS X aware. I'm not sure if it'd include everything you'd want, so you'd have to ask the vendor.
If you don't (a lot of people don't), you'll need an OS X Server and set up a golden triangle configuration. You'd make the OS X server an OD Master (standalone), join it to AD, then use MCX to apply 'GPO' to the computer object in AD. Then you'd join the computer itself to AD & OD. What it doesn't get from AD, it'd get from OD (if you configured it correctly). Things like password policy work with AD by default, with some minor caveats (reminders of expiration). Things like accessing System Preferences would be managed in OD. If you go the golden triangle route, you should consider getting two servers for master & replica. This doesn't require modifying or installing anything in AD that's not already there.
The only downside to the golden triangle setup is Lion is around the corner, and I'm really not sure if it'll continue to support this type of thing. I'm not sure how much longer you'll be able to buy Snow Leopard Server. Also, you can no longer get Apple's Xserve brand new. You're stuck with a Mac Pro or Mac Mini.
churnd
In addition to the options @churnd listed, you can also extend your AD schema to directly support Mac-style managed preferences. Apple has white papers on how to extend the schema to support OS X v10.5 and OS X v10.6 (the differences aren't very important -- the 10.5 instructions include a bunch of object classes and attributes that nobody used and were removed/obsoleted in 10.6; the 10.6 instructions include a new computer attribute that you don't need either. tl;dr either set of instructions work for either OS X version). They also have a video showing the extension process.
I have no idea how well the resulting schema extensions will work with OS X 10.7 (Lion).
Some notes and gotchas on the process:
- You need an OS X server set up so you can diff its schema against your AD domain.
- Run the schema extension on a test system first, and make sure it works right.
- In the 10.5 instructions, the settings for apple-computer-list at the top of page 7 are wrong (they list apple-computer-list-group twice), as is the following text (it lists apple-generateduid twice); you should follow the list at the bottom of page 7 instead.
- The UI in AD Schema Analyzer is very confusing. Each class has two boxes next to it: one to hide (minus sign) or show (plus sign) related attributes, and another to exclude (blank) or include (heavy plus) it in the export. Related attributes have one box, which can implicitly include (plus on gray background) or explicitly exclude (heavy X) it from the export. You have to click to select the classes to include, and then under each of those, click to exclude the attributes that you don't want.
- If you cut-and-paste any of the LDIF from the white paper (e.g. the auxiliaryClass and possSuperiors stuff) from the PDF, you may wind up with spaces at the beginning and end of each pasted line; these must be removed, or you'll get import errors. Also, make sure the LDIF file has DOS-style line endings (CR+LF), not Unix style (LF only).
- The white paper describes changing the objectClassCategory of some of the objectClasses to 3; depending on which version of the ADAM tools generated the LDIF, you may also need to set the rest of them to 1 (for some reason, it can export them with an objectClassCategory of 0, which is semi-invalid).
- The white paper doesn't detail how to index the macAddress and apple-hwuuid attributes, which is a good idea to speed computer record lookups.
Here's the LDIF file I came up with to do the extensions. These are based on a stock Windows Server 2008 R2 AD domain and OS X 10.6 server, with the 10.6 instructions from Apple and my own additions to index the macAddress and apple-hwuuid attributes. I think these same extensions will work with Windows 2003 R2 or later (note: they will not work with the Windows Server 2003 schema; you really need the 2003 R2 extensions), but they aren't very well tested with any version. Whether you use these or generate your own, test thoroughly before importing anything to your live domain controllers.
Gordon Davisson
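Several of the gotchas in the list above (leading and trailing spaces on pasted lines, LF-only line endings, classes exported with objectClassCategory 0, and the closing advice to test before importing anything into live domain controllers) are mechanical enough to check with a script before the file ever reaches ldifde. The following linter and cleaner is an added example, not code from the original answer or from Apple's white paper. The embedded LDIF is constructed to show the three defects; the `find_issues`, `clean_ldif` and `ATTR_LINE` names are my own, and treating a space-prefixed line as spurious only when it starts an entry or itself looks like `attribute: value` is an assumption (a real LDIF continuation line starts with a single space, so blindly stripping every leading space would break long values).

```python
"""Lint and clean an LDIF schema-extension file for paste-and-import defects.

Added example, not the answer's own LDIF or Apple's tooling. The sample input
below is constructed; the continuation-line heuristic is an assumption.
"""
import re

# An LDIF attribute line looks like "name: value"; a genuine continuation line
# starts with one space and usually does NOT look like that.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;-]*:")

# Constructed sample mimicking a paste from the PDF: every line gains a leading
# and trailing space, endings are LF only, and one class carries
# objectClassCategory 0 (semi-invalid; structural classes should be 1).
SAMPLE_LDIF = (
    " dn: CN=apple-computer,CN=Schema,CN=Configuration,DC=example,DC=com \n"
    " changetype: add \n"
    " objectClass: classSchema \n"
    " objectClassCategory: 0 \n"
    " lDAPDisplayName: apple-computer \n"
    "\n"
    " dn: CN=apple-group,CN=Schema,CN=Configuration,DC=example,DC=com \n"
    " changetype: add \n"
    " objectClass: classSchema \n"
    " objectClassCategory: 3 \n"
    " lDAPDisplayName: apple-group \n"
)


def _spurious_leading_space(line, prev_blank):
    """Leading space that cannot be a continuation: first line of an entry,
    or a line that after stripping looks like its own attribute line."""
    return line.startswith(" ") and (prev_blank or bool(ATTR_LINE.match(line.lstrip())))


def find_issues(text):
    """Return [(line_number, message), ...]; line 0 means a whole-file issue."""
    issues = []
    if "\n" in text and "\r\n" not in text:
        issues.append((0, "LF-only line endings; use CR+LF for import"))
    prev_blank = True  # nothing before the first line, so no continuation
    for num, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        if line == "":
            prev_blank = True
            continue
        if line != line.rstrip():
            issues.append((num, "trailing whitespace"))
        if _spurious_leading_space(line, prev_blank):
            issues.append((num, "leading whitespace (not a valid continuation)"))
        if re.match(r"objectClassCategory:\s*0$", line.strip(), re.IGNORECASE):
            issues.append((num, "objectClassCategory 0; set structural classes to 1"))
        prev_blank = False
    return issues


def clean_ldif(text):
    """Apply the fixes: strip spurious spaces, category 0 -> 1, CR+LF endings."""
    out = []
    prev_blank = True
    for line in text.replace("\r\n", "\n").split("\n"):
        if line == "":
            out.append("")
            prev_blank = True
            continue
        line = line.rstrip()
        if _spurious_leading_space(line, prev_blank):
            line = line.lstrip()
        line = re.sub(r"^(objectClassCategory:\s*)0$", r"\g<1>1", line, flags=re.IGNORECASE)
        out.append(line)
        prev_blank = False
    return "\r\n".join(out)


if __name__ == "__main__":
    import sys

    # Usage: python ldif_lint.py [input.ldf [cleaned.ldf]]; newline="" keeps
    # the original line endings visible to the checker instead of normalising.
    src = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for num, msg in find_issues(src):
        print(f"line {num}: {msg}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", newline="") as fh:
            fh.write(clean_ldif(src))
```

Run it against the exported file first to see what the paste did, then write the cleaned copy and import that into a test forest, as the answer recommends; a clean report on the output file is the point, not a substitute for testing the import itself.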
'Which of the solutions do you think is the best way to go?'
Xserve is end of life. Apple no longer offers a server class machine so Open Directory / Magic Triangle aren't really viable enterprise solutions. Judging by forum traffic, many organizations struggle with deploying and maintaining the various native approaches, especially with updates and upgrades. OS X AppleCare support from Apple is also quite pricey.
Both Centrify and Thursby offer free trials. I'd try them both in your environment rather than take anyone's word for it.
- Centrify's business model is based on Windows AD server software, giving it the edge for UNIX/Linux integration along with the UNIX AD market leader Likewise. In Centrify's partner materials, the implication is that they don't want accounts with less than 2-300 machines.
- Thursby is a Mac specialist and requires no Windows AD server software (one of the other answer posters was mistaken in that). It also includes deployment tools and support for storage integration (DFS and CIFS) that are extras with Centrify (Absolute and ZIP respectively).
Again, best approach is to request trials and verify claims.
Shakespeare: GLENDOWER - I can call spirits from the vasty deep!
HOTSPUR - Why, so can I, or so can any man; But will they come when you do call for them?
MacEnt