Deleted Open Directory but WGM Policies are stuck

I removed my MacBook Pro from our Open Directory server (unbind) and then I sold the server. The problem is now my MacBook is suddenly locking me out of the exact same preference panels that the WGM in the server used to lock me out of (as per policy). I can't access the Account panel, Sharing panel, or any custom ones such as Growl/NTFS-3G or anything that wasn't on the server itself. How can I delete the WGM preferences restrictions that are on my machine? I have full access to the Terminal, and can su to the root account, as well as me being an Administrator on the OS itself. I just can't access these panels as they were blocked from all network users. I really don't want to reformat my Mac over this. Thanks

Hi, I'm having a similar issue, but the client is Snow Leopard 10.6.6, not Snow Leopard Server. I don't believe Workgroup Manager comes with the client (plain Snow Leopard) OS. If it does, please help me find it. I have found these (http://discussions.apple.com/thread.jspa?threadID=726115&tstart=855) command line options, but they're from an old post and it hasn't seemed to work. Here is my post: http://discussions.apple.com/thread.jspa?messageID=13262474&#13262474

Similar Messages

  • Trying to delete Active Directory but getting errors

    Hi There, 
    I am trying to delete an Active Directory that I have. I have removed all subscriptions from this Active Directory but now I get the message:
    Directory contains one or more applications that were added by a user or administrator.
    Under the Active Directory, I have no applications (it used to have applications and I have since removed them).
    I don't have any other subscriptions tied to this Active Directory. It could have been used for an Office 365 trial quite a few years ago.
    How can I remove this? Tried almost everything.
    Thanks

    Hello,
    A Global Administrator can delete an Azure AD directory from the Azure Management Portal. When a directory is deleted, all resources contained in the directory are also deleted; so you should be sure you don’t need the directory before you delete it.
    ERROR:  Directory has one or more applications
    If you get this error message you may have applications associated with the directory, in order to proceed with the deletion of the directory you must ensure these are removed.
    If you select the Applications pane within Azure Active Directory check the applications, and if they are not required then proceed with deleting them. If no applications are visible then you may find that you have ‘hidden’ applications that are not yet exposed via the UI.
    In order to delete this, you will need to use Azure Active Directory PowerShell module. You can download this (Manage Azure AD using Windows PowerShell)
    Once you have downloaded the required components and successfully installed them go ahead and launch a PowerShell console
    Connect-MsolService
    Enter your global admin credentials {example:
    [email protected]}
    It is important to note here that you won't be able to login using a Microsoft Account aka Live ID and so if this is the only identity you have, create a work account aka organizational account in the directory first to perform this action which you can delete once finished.
    Get-MsolServicePrincipal | Select DisplayName
    This will then show you what applications you have listed, some of which are required and won’t be able to be removed. If you don’t need any of the applications listed you can go ahead and remove them
    Get-MsolServicePrincipal | Remove-MsolServicePrincipal
    NOTE:
    You will find that some errors (red text) will be displayed; ignore those, those ones are service side service principals but they are white-listed and the deletion will work with them present.
    If this then fails, take a look at the PowerShell MSONLINE Log Files and if you still need further guidance, ensure to attach that to the support incident as it is super helpful to the support engineering teams when investigating the problem you're having.
    These files can be found “C:\Users\%username%\AppData\Local\Microsoft\Office365\Powershell\”
    Regards,
    Neelesh.

  • HT4528 I updated to iOS 7, but my apps are stuck in the App Store, how do I transfer to my screen?

    hello
    I updated to iOS 7, my apps are stuck in the App Store, how do I transfer my apps to the screen

    Try this:
    Close all open apps by double-tapping the home button, then swiping up and off the screen with the app window (not the smaller icon).
    Reset your device: hold down the home button along with the sleep/wake button until the screen goes black and you see the Apple, then let go. (No data loss)

  • When I run the Receiving interface i get an error that the period is not open.  But all periods are open from Jun 14 through April 15.

    I am running the following inserts and all periods are open but I still get this error in the po_interface_errors table.
    "Error: Please enter a GL Date within an open inventory accounting period.
    Cause:        You provided a GL date that is not within an open inventory accounting period. 
    Action:        Enter a date that is within an open period."
    Here are the inserts.
    INSERT INTO rcv_headers_interface
    (header_interface_id, GROUP_ID, processing_status_code,
    receipt_source_code, transaction_type, last_update_date,
    last_updated_by, last_update_login, creation_date, created_by,
    vendor_id,expected_receipt_date, validation_flag)
    SELECT rcv_headers_interface_s.NEXTVAL, rcv_interface_groups_s.NEXTVAL,
    'PENDING', 'VENDOR', v_transaction_type , SYSDATE, v_user_id, 0,SYSDATE, v_user_id,
    v_vendor_id, SYSDATE, 'Y'
    FROM DUAL;
    INSERT INTO rcv_transactions_interface
    (interface_transaction_id, GROUP_ID,
    last_update_date, last_updated_by, creation_date,
    created_by, last_update_login, transaction_type,
    transaction_date, processing_status_code,
    processing_mode_code, transaction_status_code,
    po_header_id, po_line_id, item_id, quantity, unit_of_measure,
    po_line_location_id, auto_transact_code,
    receipt_source_code, to_organization_code,
    source_document_code, document_num,
    destination_type_code,
    deliver_to_location_id,subinventory,
    header_interface_id, validation_flag)
    SELECT rcv_transactions_interface_s.NEXTVAL,
    rcv_interface_groups_s.CURRVAL, SYSDATE, v_user_id,
    SYSDATE, v_user_id, 0, 'RECEIVE', SYSDATE, 'PENDING',
    'BATCH', 'PENDING', v_po_header_id,v_po_line_id,
    v_item_id, v_quantity,
    v_unit_meas_lookup_code,
    v_line_location_id, 'DELIVER', 'VENDOR',
    v_organization_code, 'PO', v_po_number,
    v_destination_type_code,
    v_deliver_to_location_id, v_destination_subinventory,
    rcv_headers_interface_s.CURRVAL, 'Y'
    FROM DUAL;

    I went to Inventory > Setup > Organizations  
    but I do not see a place to open a period under an organization. If there is another place to go let me know.
    I looked under calendars but that does not have anything to do with periods as far as I can tell.

  • 4S was replaced but my pictures are stuck at 50/300 downloading and the rest won't show up. How Do i Finish downloading this!

    I got my 4S replaced due to water damage, and everything else backed up but all my photos. It is stuck at 50/300 and it won't stop downloading either. I don't know how to stop it or get all my photos. What do I do?

    If you haven't already, you could force-quit Quicktime by using the menu option from the desktop (finder) and choose Quicktime.
    Not sure what you have frozen on the screen, be it a failed movie, or some unusual screen shot. If you can find by date (created) you may be able to look for .mov or quicktime suffix name or other video file content to delete it.
    And you may have to restart your computer and perhaps run repair disk permissions from Disk Utility's first aid on the hard disk drive in your computer.
    Not sure if all that would help now, but it is something a few days late...!
    Good luck & happy computing!

  • When playing Cityville on Facebook through Zynga games when I pick to send friends gifts or request, the window opens up but no friends are there and only since installing Firefox yesterday.

    When you play Cityville (Zynga Games) from Facebook and want to send presents or ask for request, a box comes up with the request and usually all of your friends show up. Ever since loading Firefox yesterday the box comes up but my friends' names do not load. Everything else is OK.

    In Firefox 4 and later [http://kb.mozillazine.org/Safe_mode Safe mode] disables extensions and disables hardware acceleration.
    *Tools > Options > Advanced > General > Browsing: "Use hardware acceleration when available"
    If disabling hardware acceleration works then check if there is an update available for your graphics display driver.

  • Adding Client to open Directory

    I am trying to add a client machine to Open Directory but it will not bind. It gives me an error
    Unable to add server
    An unexpected error of type -14142 (eDDSchemaError) occurred.
    When I try to add the machine it will say machine is already in OD, but I look in OD and it is not there. It will not let me overwrite the machine in OD either.
    Thanks

    Is this machine a clone of another machine? My guess is you did not reset the local KDC. This will cause the issue you are describing. You need to do the following on all cloned machines as they will all contain the unique identity of the original master's LKDC. The machine that is the master does not need to be altered.
    1: Open Keychain Access.
    2: Select the System keychain.
    3: Find the three entries labeled com.apple.kerberos.kdc and delete them from the System keychain.
    4: Open Terminal
    5: Run this command to destroy the local Kerberos DB (you will need to authenticate as initial admin):
    sudo rm -R /var/db/krb5kdc
    6: Run this command to rebuild a unique LKDC for this machine:
    sudo /usr/libexec/configureLocalKDC
    7: Repeat this on all cloned machines.
    Once complete, you have to re-run Directory Utility and perform your bind. You will now be creating a machine record with a unique LKDC value in OD.
    PS: You can do these steps 1 through 5 pre-cloning to avoid the issue. Then once cloned, run step 7 as a post-cloning step.
    Hope this helps.
    Message was edited by: Strontium90 - added the PS
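
A fleet-side check for the cloning problem described in the answer above, as an added example that is not part of the original thread: it groups machines by the Local KDC realm named in their keytab and reports realms that appear on more than one host. It assumes each host's `sudo klist -k` output has been collected as text and that LKDC principals use the `service/LKDC:SHA1.<hash>@LKDC:SHA1.<hash>` form; the host names and hashes are constructed sample data.

```python
import re
from collections import defaultdict

# A keytab entry whose realm is a Local KDC realm, for example:
#   3 afpserver/LKDC:SHA1.<40 hex>@LKDC:SHA1.<40 hex>
LKDC_ENTRY = re.compile(r"^\s*\d+\s+\S+@LKDC:SHA1\.([0-9A-Fa-f]{40})\s*$")


def lkdc_realms(klist_text):
    """Return the set of LKDC realm hashes named in one host's `klist -k` output."""
    realms = set()
    for line in klist_text.splitlines():
        match = LKDC_ENTRY.match(line)
        if match:
            realms.add(match.group(1).upper())
    return realms


def audit_fleet(inventory):
    """Group hosts by LKDC realm.

    inventory maps hostname -> `klist -k` text.
    Returns (shared, missing):
      shared  maps realm hash -> sorted host list, for realms seen on 2+ hosts
      missing lists hosts whose keytab has no LKDC entry at all
    """
    hosts_by_realm = defaultdict(set)
    missing = []
    for host, text in inventory.items():
        realms = lkdc_realms(text)
        if not realms:
            missing.append(host)
        for realm in realms:
            hosts_by_realm[realm].add(host)
    shared = {r: sorted(h) for r, h in hosts_by_realm.items() if len(h) > 1}
    return shared, sorted(missing)


def make_keytab(realm, services=("afpserver", "cifs", "vnc")):
    """Build constructed `klist -k` text for one host (sample data only)."""
    lines = ["Keytab name: FILE:/etc/krb5.keytab", "KVNO Principal"]
    for svc in services:
        lines.append(f"   3 {svc}/LKDC:SHA1.{realm}@LKDC:SHA1.{realm}")
    return "\n".join(lines)


# Constructed hashes: two machines imaged from the same master, one rebuilt.
IMAGE_REALM = "0123456789ABCDEF0123456789ABCDEF01234567"
UNIQUE_REALM = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

SAMPLE = {
    "lab-01": make_keytab(IMAGE_REALM),
    "lab-02": make_keytab(IMAGE_REALM),
    "lab-03": make_keytab(UNIQUE_REALM),
    "lab-04": "Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal",
}

if __name__ == "__main__":
    shared, missing = audit_fleet(SAMPLE)
    for realm, hosts in shared.items():
        print(f"LKDC realm {realm} shared by: {', '.join(hosts)}")
    for host in missing:
        print(f"{host}: no LKDC principal in keytab")
```

Hosts listed under a shared realm are the ones that still need the keychain cleanup and LKDC rebuild from the steps above before they are bound.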

  • Ubuntu Karmic authentication against Snow leopard open directory server

    Hi,
    I'm looking for help. I've tried to configure an installation of Karmic to authenticate against our office's open directory server running on an osx snow leopard server. Currently `getent password` shows all users including those from the open directory server when running the command as both root and normal users. However authentication against the open directory users fails with the following messages in the /var/log/auth.log:-
    Dec 7 22:42:05 [hostname] getent: nss_ldap: failed to bind to LDAP server ldap://server.domain.com: Invalid credentials
    Dec 7 22:42:05 [hostname] getent: nss_ldap: could not search LDAP server - Server is unavailable
    (I've changed the hostname and ldap url)
    /etc/ldap.conf has:-
    base dc=server,dc=domain,dc=com
    ldap_version 3
    rootbinddn cn=diradmin,dc=server,dc=domain,dc=com
    bind_policy soft
    pam_password md5
    /etc/ldap.secret is set to the password of the diradmin user and has a permission mask of 600
    /etc/pam.d/common-passwd :-
    password sufficient pam_ldap.so md5
    password required pam_unix.so nullok obscure md5
    password optional pam_smbpass.so nullok use_authtok try_first_pass missingok
    /etc/pam.d/common-auth:-
    auth [success=2 default=ignore] pam_unix.so nullok_secure
    auth [success=1 default=ignore] pam_ldap.so use_first_pass
    auth requisite pam_deny.so
    auth required pam_permit.so
    /etc/pam.d/common-account:-
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    account requisite pam_deny.so
    account required pam_permit.so
    /etc/pam.d/common-session
    session [default=1] pam_permit.so
    session requisite pam_deny.so
    session required pam_permit.so
    session required pam_unix.so
    session optional pam_ldap.so
    session optional pam_ck_connector.so nox11
    Does anyone have any ideas where to go from here?
    Message was edited by: zebardy
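
How the `[success=N default=ignore]` jumps in the common-auth stack posted above decide a login, as an added example that is not part of the original thread. It is a simplified model of the Linux-PAM dispatcher for `pam_authenticate` (not libpam itself); the per-module return values passed to `evaluate` are assumptions chosen to represent a local user, a directory user, and a directory user whose LDAP lookup fails.

```python
import re

# Bracket-form equivalents of the classic control keywords (see pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

# Modules whose result never depends on the user.
ALWAYS = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

# The auth stack from the post (module options are ignored by the model).
COMMON_AUTH = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_stack(text):
    """Parse pam.d lines into a list of (module, {return_value: action})."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        _type, control, module = match.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((module, actions))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module -> PAM return token.

    Returns (granted, trace), trace being (module, return, action) tuples.
    """
    succeeded = failed = False
    trace = []
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        ret = ALWAYS.get(module) or results[module]
        # The model treats a control with no matching value and no default as bad.
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append((module, ret, action))
        i += 1
        if action.isdigit():
            # Jump: skip the next N modules. For authentication this behaves
            # like "ignore", so it does NOT record a success by itself.
            i += int(action)
        elif action in ("ok", "done"):
            if not failed:
                succeeded = True
                if action == "done":
                    break
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break
        # "ignore" leaves the verdict untouched.
    # A stack in which nothing recorded a success is a failure.
    return succeeded and not failed, trace


if __name__ == "__main__":
    stack = parse_stack(COMMON_AUTH)
    cases = {
        "local user": {"pam_unix.so": "success"},
        "directory user": {"pam_unix.so": "auth_err", "pam_ldap.so": "success"},
        "directory user, LDAP bind failing":
            {"pam_unix.so": "user_unknown", "pam_ldap.so": "authinfo_unavail"},
    }
    for name, results in cases.items():
        granted, trace = evaluate(stack, results)
        print(name, "->", "granted" if granted else "denied")
        for step in trace:
            print("   ", *step)
```

The trailing `pam_permit.so` line is what turns a jump into a positive result: with it removed, the model denies even a correct local password because no module ever records a success.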

    Hi
    It's easy enough to 'connect' any version of OS X Server to any other version of OS X Server. Use the Join button in the Users & Groups Preferences Pane. Alternatively use the Directory Utility itself.
    You seem to be misunderstanding what an Open Directory Master and Replica are? They are not what I think you think they are. They are not a 'back-up' of each other if you're providing more than the shared Directory Service.
    An OD Replica maintains a read-only copy of the LDAP Database (Usernames, Passwords and Policies etc) that's stored on the OD Master and nothing more. If the Master was to go offline for any reason the Replica can be quickly promoted to a Master Role and continue to provide information for the shared directory. This assumes it has easy and quick access to the Volume storing networked home folders? The LDAP Database in that case would then become writable. Later on and whenever you've fixed the problem with the old Master it can quickly be demoted and made a Replica of the now new Master.
    Although this is for 10.6 Server (it is nevertheless still applicable) everything you need to know about Master and Replica relationships is here:
    http://manuals.info.apple.com/en_US/OpenDirAdmin_v10.6.pdf
    Page 55 onwards.
    From Page 64:
    "The Open Directory master and its replicas must use the same version of Mac OS X Server. . ."
    If your OD Master is also providing Mail, Calendar and Contact Services then none of these will be replicated. You will have to maintain a backup of these databases yourself using whatever method you deem fit for your needs.
    HTH?
    Tony

  • How to create email users with open directory?

    I'm trying to use a mac mini as a mail server for my domains. It works well for SMTP server/gateway for multiple locally networked systems running Lion, Mountain Lion and Mavericks. The server is running Mavericks 10.9.2 server 3.1.1.
    I need to add email users to it, so I tried Open Directory. I added a user with an email address with a domain listed in the mail server's domains. Then used the server app to give the user permission to use the mail service and selected to have the mail be saved on the server.
    However, even though I set the mail server to accept any authentication method, I couldn't log in to get mail (via IMAP) from any email client on my computer. I tried Mail and Sparrow.
    The IMAP log on the server says 'Disconnected (auth process communication failure)'. I tried everything that I could from the server app and the workgroup manager app. When using 'Mail.app', the IMAP log shows an empty user name. Trying with Sparrow shows the user name in the log, but still fails.
    I restricted authentication to Open Directory, but that didn't help either. Tried with Secure Connection and without.
    Am I missing something? Is there anything that I need to do to make the server accept IMAP connections? The mail service is running and handling SMTP.
    The domain has an MX record pointing the server's domain name.
    All the services are secured with a self signed certificate.
    Doing a CLI check with 'sudo serveradmin fullstatus mail' results in the following:
    [snip]
    mail:protocolsArray:_array_index:0:status = "ON"
    mail:protocolsArray:_array_index:0:kind = "INCOMING"
    mail:protocolsArray:_array_index:0:protocol = "IMAP"
    mail:protocolsArray:_array_index:0:state = "RUNNING"
    mail:protocolsArray:_array_index:0:service = "MailAccess"
    mail:protocolsArray:_array_index:0:error = ""
    [snip]

    Didn't find a way to edit my post above.
    UPDATE:
    Trying to log in with Thunderbird showed differently in the IMAP log. It's user disabled instead.
    imap-login: Info: Disconnected (user disabled): user=<username>, method=CRAM-MD5, rip=192.168.8.101, lip=192.168.8.99, TLS
    How do I 'enable' this user?

  • Authentication Delays / Slow Authentication for Open Directory Users

    I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
    The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
    * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
    * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
    * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
    * Connecting with AFP takes several seconds when using an Open Directory login
    * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
    * Connecting with SSH does NOT exhibit the behavior
    In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
    The history of the problem:
    Used Tiger Server for over a year = no problems
    Clean install of Leopard Server 10.5.0 back in October = no problems
    Update to Leopard Server 10.5.1 = no problems
    Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
    So in desperation I backed up and did a clean install today. Here's the process I used:
    0. Erase the disk
    1. Install Leopard Server 10.5.0 from the install DVD
    2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
    3. Reboot
    4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
    5. Reboot
    6. Configure DNS (see below for detailed configuration)
    7. Reboot
    8. Change role to Open Directory Master
    9. Reboot
    ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
    I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
    == Basic Configuration ==
    OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
    Services Enabled:
    DNS
    Open Directory
    (All other services are not yet enabled)
    == DNS Setup ==
    Primary Zone: mydomain.private.
    Allows zone transfer: no
    Nameservers: ns.mydomain.private.
    myserver (Machine) 10.0.22.201
    ns (Alias) myserver.mydomain.private.
    Reverse Zone: 22.0.10.in-addr.arpa.
    10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
    Accept recursive queries from the following networks:
    localnets
    Forwarder IP Addresses:
    208.67.222.222
    208.67.220.220
    == Open Directory Setup ==
    Role: Open Directory Master
    LDAP Search Base: dc=myserver,dc=mydomain,dc=private
    Kerberos Realm: myserver.mydomain.private
    == Network Configuration ==
    Configure: Manually
    IP Address: 10.0.22.201
    Subnet Mask: 255.255.255.0
    Router: 10.0.22.1
    DNS Server: 127.0.0.1
    Search Domains: mydomain.private
    == Other Stuff ==
    Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
    I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
    I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
    Hopefully one of the gurus out there will be able to help me out.
    Thanks,
    jeff

    I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principals in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
    == kdc.log ==
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
    == slapd.log ==
    Dec 30 18:21:48 myserver slapd[36]: <= bdb_substring_candidates: (authAuthority) index_param failed (18)
    Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
    == sudo klist -k ==
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 cifs/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 xmpp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 nfs/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]

  • Active Directory Open Directory Disable Users

    Can you make an Active Directory Account disabled in the Open Directory, but still have it function in Active Directory?
    We are trying to disable a generic lab account in Active Directory from being able to comment on our Blog Pages.

    Hi
    Did you read what you typed before you posted? Because the question does not make sense and contradicts itself.
    Users that exist in the AD node do not as such exist in the OD node. In the OD node you are simply looking at them as they are presented to you from AD. Neither can you disable AD accounts from the OD node. You have to do that on the AD itself.
    If you have enabled augmented records for AD users then disable them using the reverse process you used to enable them. That way AD users are stopped from commenting Blog Pages but are still active in AD.
    Tony

  • Open Directory & Active Directory

    Dear Mac community,
    We got a couple of Mac servers running in our company and we have around 140 Mac clients running in our company. We use Open Directory for the policies on our Macs and we use Active Directory for all of our computer accounts. Cause we mainly use RDP for Mac to connect to a terminal server except our graphical department.
    This works perfect but now we have adjusted our password policy in Active Directory and users must change password when they first login. They do that on the Mac which authenticates with Active Directory. After typing their username and password like normal they get a new window which notifies the user to change their password and confirm it and a hint to fill in. After they fill this in they can't get past that window, it just shakes so it does not work.
    Any answer would be appreciated.

    Hi, can you help me how to put a windows machine on active directory on my MacOS X Server 10.6 ?
    Thank You!
    Reynolds

  • Can't create new open directory user

    hi.
    If I use the workgroupmanager to create a new user it automatically creates one with a "crypt" password.
    first it is shown as open directory, but then if I re-load, it says "crypt" password.
    If I try to change it to open directory the system tells me that I am not authorized to do so.
    it does not matter if I try the workgroupmanager locally or via my macbook remotely.
    if I create them via the server preferences it works fine.
    since I am a newbie here, maybe I am doing something wrong... ideas? please.
    thanks.
    martindavid

    Check out this thread, you are not alone but there doesn't seem to be a single solution...
    http://discussions.info.apple.com/thread.jspa?threadID=2262981
    I had this code and MY solution came from the fact that I had turned OFF DNS because I couldn't see that "I" was using it. turning it back on and ensuring that it was correctly configured solved it for me!

  • Windows users and open directory

    Since Server for 10.7 I've found I've had to create Windows users as local users rather than local network users to give them access to shares via SMB. Is this correct, or am I missing something? I was aware that you can't bind a Windows PC to Open Directory, but can it not authenticate at all through OD?
    thanks

    If I understand your question, then you are looking for a tool like Centrify.  This will put all management on one platform.

  • Exception in servermgr_accounts when creating open directory master...

    Just to give you some background, I'm new to Mac OS X Server. And I'm trying to get a mail/ical/web-server with "open directory" setup. The server is placed in a remote location, behind a NAT-firewall.
    I thought I had everything setup, took a while to figure out the DNS-configs. But I managed to get everything working, and apply the server through a NetworkAccountServer on a client.
    When I wanted to setup some e-mail aliases for my e-mail accounts, I remembered I had seen that in "Server Preferences".
    But when opening "Server Preferences" I got the following message:
    "Multiple errors occurred on the server while processing commands. Use the Console application to view the error messages.", I could access everything except Users and Groups, when clicking these it tried to create a new open directory.
    The Console App shows this Message:
    2/4/11 1:15:31 AM servermgrd[3725] servermgr_accounts: noteDirectoryNodeAdded (reopening nodes)
    2/4/11 1:15:31 AM servermgrd[3725] * Terminating app due to uncaught exception 'NSUnknownKeyException', reason: '[<NSCFDictionary 0x102021680> valueForUndefinedKey:]: this class is not key value coding-compliant for the key VR.'
    * Call stack at first throw:
    0 CoreFoundation 0x00007fff878fc7b4 __exceptionPreprocess + 180
    1 libobjc.A.dylib 0x00007fff890ce0f3 objc_exception_throw + 45
    2 CoreFoundation 0x00007fff87954969 -[NSException raise] + 9
    3 Foundation 0x00007fff87e61c92 -[NSObject(NSKeyValueCoding) valueForUndefinedKey:] + 245
    4 Foundation 0x00007fff87d915a8 -[NSObject(NSKeyValueCoding) valueForKey:] + 420
    5 Foundation 0x00007fff87d8d0f6 -[NSDictionary(NSKeyValueCoding) valueForKey:] + 173
    6 servermgr_accounts 0x00000001005799c1 scDynamicStoreNotificationCallback + 25876
    7 servermgr_accounts 0x0000000100579948 scDynamicStoreNotificationCallback + 25755
    8 servermgr_accounts 0x0000000100577648 scDynamicStoreNotificationCallback + 16795
    9 servermgr_accounts 0x0000000100573521 scDynamicStoreNotificationCallback + 116
    10 SystemConfiguration 0x00007fff82273dad rlsPerform + 115
    11 CoreFoundation 0x00007fff87899401 __CFRunLoopDoSources0 + 1361
    12 CoreFoundation 0x00007fff878975f9 __CFRunLoopRun + 873
    13 CoreFoundation 0x00007fff87896dbf CFRunLoopRunSpecific + 575
    14 Foundation 0x00007fff87dc08e4 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270
    15 Foundation 0x00007fff87dc07c3 -[NSRunLoop(NSRunLoop) run] + 77
    16 servermgrd 0x0000000100003f13 0x0 + 4294983443
    17 servermgrd 0x0000000100001388 0x0 + 4294972296
    18 ??? 0x0000000000000002 0x0 + 2
    2/4/11 1:15:31 AM com.apple.launchd[1] (com.apple.servermgrd[3725]) Job appears to have crashed: Abort trap
    2/4/11 1:15:31 AM com.apple.ReportCrash.Root[3831] 2011-02-04 01:15:31.997 ReportCrash[3831:2a03] Saved crash report for servermgrd[3725] version ??? (???) to /Library/Logs/DiagnosticReports/servermgrd2011-02-04-011531localhost.crash
    2/4/11 1:15:32 AM edu.mit.Kerberos.kadmind[3848] kadmind: starting...
    2/4/11 1:15:33 AM Server Admin[1931] Error '-1' when applying directory role change
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.kadmind[3848]) Exited with exit code: 2
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.kadmind) Throttling respawn: Will start in 9 seconds
    2/4/11 1:15:34 AM com.apple.launchd[1] (edu.mit.Kerberos.krb5kdc) Throttling respawn: Will start in 9 seconds
    2/4/11 1:15:43 AM edu.mit.Kerberos.kadmind[3951] kadmind: starting...
    2/4/11 1:15:51 AM com.apple.launchd[1] (com.apple.suhelperd[4009]) Exited with exit code: 2
    I tried reseting the "Open Directory Service" in "Server Admin", by setting it to "standalone directory".
    It did stop the "Open directory", but the console was again showing the message above.
    With the server in stand-alone mode, I could access "Server Preferences" again, but as soon as I create an "Open Directory again", it fails with the above error, and I cant access the Open Directory from Server Preferences.
    To summarize, the message shows when:
    1. Creating an Open Directory Master.
    2. Removing a Open Directory Master.
    3. Entering Server Preferences with Open Directory Master running.
    A weird thing is that the "Open directory" seems to be fine. I can manage it in "Workgroup manager", login to webmail, calendars, VPN etc. I just can't manage it from "Server Preferences".
    I did make some mistakes in the beginning (primarily not setting a proper host-name before creating the first "Open Directory", and also having a local-user with the same short-name as a user in the "Open Directory") But that should all be solved now.
    Any ideas on what could be wrong?
    Where else can I set e-mail aliases for my "Open Directory" users? Is it possible for them to administer aliases themselves?
    Thanks in advance!
    PS. Anyone have any tips on mail-forwarding to multiple external accounts? Do I really need to edit this manually in /etc/postfix/aliases? Is there anyway I can let my users administer forwarding?

    If anyone else has similar issues, I didn't find a solution. Re-installed the server from scratch...
