Home Folder Creation w/Active Directory

Similar Messages

• Automate the creation of Active Directory users with organization/address information

  On one of our Domain Controllers we regularly have to create new users with fully populated organisation/address information, as they use a server-side application which appends email signatures at the end of all of their emails created from this information.
  At the moment we have to fill this information out manually and it can sometimes cause inconsistencies if the information is not uniform or is typed incorrectly.
  Is there any way to automate this/do it in bulk?

  This is another Powershell script that can be used:
  http://www.wictorwilen.se/how-to-use-powershell-to-populate-active-directory-with-plenty-enough-users-for-sharepoint
  Note that you have two ways to do that:
  Create a new User account Provisioning script and include the Street update as part of it
  Have a daily scheduled script that will run against your users OUs and update the Street address for user accounts having it wrong or missing
  From my point of view, option 2 would be the best as it will make a Bulk update and Bulk correction if required.
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Home folder Creation problem solved (for me anyway)

  I have had an issue where when I asked my server to create home folders it was not making them. I also tried all the usual things like removing the share, sudo createhomedir -a and even ran the combo updater on the server again all to no avail. Upon looking at another server that was creating home folders I found that when I selected Network in the Finder SideBar there was an alias of Servers. This alias on the working server showed an alias of the server HD and in turn showed the contents of that drive. On the server that was not working the Servers alias in Network was an alias of a white document and showed nothing.
  What i had to do to fix this was to open Terminal and su to root, cd /automount, rm Servers and restart. When this was done going to Network in the sidebar and selecting Servers then showed an alias of my server HD which in turn showed the contents of the drive. I then used WGM to remove the network mount for home dir's and stopped sharing the folder. I then re-enabled the share and then set the home dir mount again. After this it succesfully created the home folders in that dir when asked to and I was then able to log in and manage the account.
  I hope this is of some use to others...
  regards Gary.
  PowerBook G4 1.67   Mac OS X (10.4.7)  

  great stuff, last time this happened to me i just backed up the directory and formated reinstalled restored and it worked, took 3 hours...this would take a lot less time... post this in mac os x hints to eh..
  Cheers
  Rob

• Best practice for Active Directory User Templates regarding Distribution Lists

  Hello All
  I am looking to implement Active Directory User templates for each department in the company to make the process of creating user accounts for new employees easier. Currently when a user is created a current user's Active directory account is copied, but
  this has led to problems with new employees being added to groups which they should not be a part of.
  I have attempted to implement this in the past but ran into an issue regarding Distribution Lists. I would like to set up template users with all group memberships that are needed for the department, including distribution lists. Previously I set this up
  but received complaints from users who would send e-mail to distribution lists the template accounts were members of.
  When sending an e-mail to the distribution list with a member template user, users received an error because the template account does not have an e-mail address.
  What is the best practice regarding template user accounts as it pertains to distribution lists? It seems like I will have to create a mailbox for each template user but I can't help but feel there is a better way to avoid this problem. If a mailbox is created
  for each template user, it will prevent the error messages users were receiving, but messages will simply build up in these mailboxes. I could set a rule for each one that deletes messages, but again I feel like there is a better way which I haven't thought
  of.
  Has anyone come up with a better method of doing this?
  Thank you

  You can just add arbitrary email (not a mailbox) to all your templates and it should solve the problem with errors when sending emails to distribution lists.
  If you want to further simplify your user creation process you can have a look at Adaxes (consider it's a third-party app). If you want to use templates, it gives you a slightly better way to do that (http://www.adaxes.com/tutorials_WebInterfaceCustomization_AllowUsingTemplatesForUserCreation.htm)
  and it also can automatically perform tasks such as mailbox creation for newly created users (http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomateExchangeMailboxesCreationForNewUsers.htm).
  Alternatively you can abandon templates at all and use customizable condition-based rules to automatically perform all the needed tasks on user creation such as OU allocation, group membership assignment, mailbox creation, home folder creation, etc. based on
  the factors you predefine for them.

• Managing Office 365 Components for a large enterprise using Active Directory

  Opening Office 365 to a large enterprise (7000 users) implies some controls be placed around who can subscribe to what and which Add-Ons a user might have/need/desire access to.
  To place these controls around, for example, licensing Project Online to individual users, we are proposing creation of Active Directory groups for each add-on and use powershell or other method to read the AD FS user groups, then flip the bit on the O365
  user profile for that member to allow them to select the Add-On.
  At any point in time, our Asset Management team can use the AD group to determine licensing distribution and chargeback to internal cost centers.
  Does this seem like a viable approach?
  Any other approaches that have worked?

  John,
  After your users and home profile paths are created in AD - have your tried running the createhomedir command from Terminal? Assuming your AD plugin settings are correct on your server - specifically the 'Use UNC path...' - try running the command (in Terminal) below on your document (home folder) server:
  sudo createhomedir -s
  This command should query your server's search path (check the path using Directory Utility - located in /SystemLibrary/CoreServices) and find any users (preferably your AD network accounts - that's the -s option) that should have home folders on that server and create them. Note that this command nust be run as root - hence the sudo
  To test - try creating a new AD user and point their profile to your Mac sharepoint - then run the command. You could also run the command on your Mac server to create an account for just the new user - just add their name at the end of the command above:
  sudo createhomedir -s newusername
  Hopefully one of these suggestions will work for you...
  Ken

• Home Folder Help

  Hi all...
  Okay, so I need a quick fix on something until I can get it fixed properly. Basically, I accidentally created another home folder in my users directory. I fixed everything I could, but Safari is still grabbing preferences from the old home directory.
  For example, every time I open safari I change the homepage default. But each time I restart my computer it reverts to the orginal homepage default (apple.com.)
  Here's the thing: I want to change the place safari draws its preferences from. I need to point Safari to my new home folder, not the old one. Is there any way to do this? Doesn't seem to be anything in preferences.
  I plan to take the whole thing to the mac store and have them help me resolve it. Until then, though, I'd like to do something to fix it!
  Thanks in advance for any advice!

  The solution method is here:
  Recover from renaming your Home folder.
  Also, see Recover from renaming your Home folder.
  If you get straightened out and still wish to change your Home folder's name, then read this article:
  Mac OS X- How to change user short name or home directory name.

• AFP Home Folder Issue?

  Well I set-up a Home Folder on the Open Directory Server and it created the Folder but when I go to login from a machine it gives me an error of: The "Home" folder for user "Jesse" cannot be found in its usual place.. So I logged into it from an admin account on the same box to see if I could just connect and see the files and it came up just fine. Any ideas or if you need more info let me know. Thanks everyone.
  Powerbook G4   Mac OS X (10.4.7)  

  What is the OS of the client machine, and, more importantly, what does you Directory Access settings on the client look like?
  You could trash /Library/Preferences/Directory Access and edu.mit.kerberos on the client and re-bind for starters. In my experience, deleting the Directory Access information does not fix network home folder login problems nearly as well.

• Mobile Account and Active Directory home folder

  We install a XServe server (Mac OS X 10.6.3). We join it to Active Directory for authentification and Open Directory for policy. I read the magic triangle on the web.
  I mount a MacBook Pro with Mac OS X 10.6. I join it to AD and after to OD. When I configure an account to be mobile, the home folder configure in AD stop to mount automatically. If the account is not mobile the home folder mount correctly.
  Somebody has an idea of waht happen?

  Hello, sifeduc, and welcome to the AppleBoards,
  This really seems like a Directory Services question and is probably best suited to this board: http://discussions.apple.com/forum.jspa?forumID=1353
  That being said are you talking about Portable Home Directories? If so PHDs should be created on the server first and on the client second. If you have a client account you want to sync to the OD you need to delete the client account - *but leave it in place* - create a server account and then use the local account which will then sync to the server. The steps for this are a little more complicated than that but not much.
  Good Luck,
  =Tod

• Home folder in active directory

  Hello,
  My environment is a Microsoft Active Directory 2008 SP2 domain environment. Our users home drives are hosted on a Windows server. Upon login on a Mac workstation, the user's home drive should be mapped automatically and appears on the dock.
  I'm working with Mac OS x 10.6.8 on the machine. The home drives start mounting on the dock as a "?" icon and aren't accessible. I can create a manual mapping of the shared network folder and that works fine, but it's the automatic mapping done by Active Directory that isn't working properly and I'm frankly stumped at the moment.
  Does someone can help me ?
  Thank you,
  Olviier

  Hello, no experience with AD, but once you manually map the Shared Network folder, try dragging that to the right side of the dock between Applications & Trash.

• Active Directory Integration and home folder mounting

  Hello,
  I've set up a G4 tower with Tiger 10.4.4 and bound it to our AD domain. Authentication works perfectly, however the home directories of the users (on smb shares on windows servers) do not mount consistently. At first I thought that it was working for administrative users but not for regular users, but one of our test accounts which has no admin priv's works perfectly. It does seem to work consistently for admins, though.
  Most regular users are given a local home directory. Has anyone seen this? Any thoughts? Is there any particular log file that I might check for clues?
  I'll try get in a little later to post the output of dsconfigad -show , which might help...
  Anyhow any help will be appreciated..... thanks!
  -Jonathan

  I have been working on doing this as well. If I set the 'mount home directoy' property in the user in Active Directory Users and Computers it has worked for all users and I did not have to specify anything in the AD connector on the Macs.
  Robert

• Active Directory authentication, OS X network homes on Xserve

  Hi
  I'm looking for a general guide/tips for our deployment of OS X in our Windows network.
  Everyone in our institution has an Active Directory account.
  We also have an Xserve 10.4.4 running as an OD Master with 400 accounts for people who use Macs. It shares out OS X network home folders for these accounts. This means these people have a seperate AD and OD account.
  We aim to get these users authenticating with AD on the Macs and seeing a network home that will ultimately be a combination of an OS X folder (Public, Sites) and a Windows folder (My documents etc.)
  We can backup the data in their existing OS X home folders for them to pull into the new homes that will be created for them through AD authentication.
  We can successfully bind the Xserve and client Macs to AD. We have a group of AD users in WGM. MCX preferences are enforced at computer level.
  The big questions are:
  How do we tackle the mapping of a (OS X/Windows combo) home folder stored on the Xserve for new Active Directory accounts when they are created?
  What could we do with AD/OD current users existing Active Directory folders when they start to use AD to authenticate on the Macs (current OS X home data will be backed up and pulled in to new OS X accounts later) ?
  Do we definately need Kerberos running on the Windows server ?
  What would happen to an existing AD/Windows-only user with a Windows folder mapped to an SMB/Windows server share if they authenticated to OS X for the first time - local home creation (default/forced) ?
  Any advice appreciated - we have Windows/Mac people working in harmony here and we're close to what we want!
  Many Thanks

  Try this (on the client computer):
  Login locally using a user with administrator privileges.
  Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.
  Open a command prompt window and type the following command to find the profile name of your wireless network: netsh
  wlan show profiles
  Let's say the profile to use in the example is "office-network". Open regedit and
  look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Create a new String Value (REG_SZ) at that location, and name it anything you want (i.e. WIFI_Connect), and enter the following command string: %comspec%
  /c netsh wlan connect name="<profile name>" where profile name in our example would be "office-network".
  Reboot the laptop for this to take effect.
  If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer
  Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon.
  These step still require the wireless network to be your domain network as Windows can only Cache 50 credentials maximum.
  Don't forget to mark the post that solved your issue as &quot;Answered.&quot; By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

  This is for information to help others
  KEYWORDS:
    - Sharing EFS encrypted files over a personal lan wlan wifi ap network
    - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
    - transfer encryption keys / certificates
    - set trusted delegation for user + computer for EFS encrypted files via
  Kerberos
    - Windows Active Directory vs network file share
    - Setting up WinDAV server on Windows 7 Pro / Ultimate
  It has been a long painful road to discover this information.
  I hope sharing it helps you.
  Using EFS on Windows 7 pro / ultimate is easy and works great. See
  here and
  here
  So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
  HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
  won't work (unless you follow below steps).
  Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
  Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
  Why such a EFS drama when a network is involved?
  Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
  When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
  another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
  (on behalf of the clienpc's data request).
  This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
  file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
  Solutions
  There are two main approaches to solve this:
       1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
            EFS operations occur on the computer storing the files.
            EFS files are decrypted then transmitted in plaintext to the client's computer
            This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
       2) SOLVE by setting up WebDAV (efs files accessed through web folders)
             EFS operations occur on the client's local computer
             EFS files remain encrypted during transmission to the client's local computer where it is decrypted
             This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
             BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
           READ BELOW as this does
  Create new encrypted file / folder on a network file share - via Active Directory
  It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
  here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
  and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
  Although this info is NOT for setting up EFS on an active directory domain [server],
  for those interested here is the gist:
  Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
  account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
  EFS.
  NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
  Create new encrypted file / folder on a network file share - via WebDAV
  For home users it is possible to make it all work.
  Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
  Setting up a wifi AP (for those less technical):
     a) START ... CMD
     b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
     c) type (no quotes): "netsh  wlan start hostednetwork"
  Set up a WebDAV server on Windows 7 Pro / Ultimate
  -----ON THE FILESERVER------
     1  click START and type "Turn Windows Features On or Off" and open the link
         a) scroll down to "Internet Information Services" and expand it.
         b) put a tick in: "Web Management Tools" \ "IIS Management Console"
         c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
         d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
         e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
         f) click ok
         g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
  KB892211 here ONLY for XP + Server 2003 (made in 2005)
  KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
    2 Click START and type "Internet Information Services (IIS) Manager"
    3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Enable WebDAV"
    4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
         a) on the "Anonymous Authentication" and click "Disable"
         b) on the "Windows Authentication" and click "Enable"
        NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
          It can be by changing registry key:
             [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
             BasicAuthLevel=2
         c) on the "Windows Authentication" click "Advanced Settings"
             set Extended Protection to "Required"
         NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
    5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Add Allow Rule"
         b) set this to "all users". This will control who can view the "Default Site" through a web browser
         NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
  clientpc.
         NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
    6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
         a) on the right side, under Actions, click "Enable"
  HOTFIX - double escaping
    7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
         a) on the right side, under Actions, click "Edit Feature Settings"
         b) tick the box "Allow double escaping"
       *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
       These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
       This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
  file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
    8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
         a) set the Alias to something sensible eg "D_Drive", set the physical path
         b) it is essential you click "connect as" and set
  this to a local user (on fileserver),
         if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
               NB: the user account selected here must have the required EFS certificates installed.
                          See
  here and
  here
          NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
        This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
         The work around is on the \\fileserver create an NTFS symbollic link
            e.g. to share the entire contents of "D:\",
                  on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                  in cmd in this folder create an NTFS symbolic link to "D:\"
                  so in cmd type "cd c:\inetpub\wwwroot"
                  then in cmd type "mklink /D D_Drive D:\"
          NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
           NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
  clientpc
    9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
         a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
         b) if some exist review existing allow or deny.
             Take care to not only review the "allow access to" settings
             but also review "permissions" (read/write/source)
         NB: this can be set here for all added virtual directories, or can be set under each virtual directory
    10 Open your firewall software and/or your router. Make an exception for port 80 and 443
         a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
               choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
            NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
  below, specifically "Cant find server due to network location"
         b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
  HOTFIX - MAJOR ISSUE - fix KB959439
    11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
        a) On Windows 7 you need only change one tiny registry value:
             - click START, type "regedit", open link
             -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
             -on the EDIT menu click NEW, then click DWORD Value
             -Type "DisableEFSOnWebDav" to name it (no speech marks)
             -on the EDIT menu, click MODIFY, type 1, then click OK 
             -You MUST now restart this computer for the registry change to take effect.
        b) On Windows Server 2008 / Vista / XP you'll FIRST need to
  download Windows6.0-KB959439 here. Then do the above step.
           NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
    12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
              It should show the default "IIS7" image.
              If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
          c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                  e.g. http://localhost/D_drive
              If nothing is listed, check "Directory Browsing" is enabled
    13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                It should show the default "IIS7" image. If not, check firewall and port blocking. 
                Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
         c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                 eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                 A directory listing of files should appear.
  --- ON EACH CLIENT ----
  HOTFIX - improve upload + download speeds
    14 Click START and type "Internet Options" and open the link
          a) click the "Connections" tab at the top
          b) click the "LAN Settings" button at the bottom right
          c) untick "Automatically detect settings"
  HOTFIX - remove 50mb file limit
    15 On Windows 7 you need only change one tiny registry value:
        a) click START, type "regedit", open link
        b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
         c) click on "FileSizeLimitInBytes"
         d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
  HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
   16 On each clientpc click START, type "Internet Options" and open it
           a) click on "Security" (top) and then "Custom level" (bottom)
           b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
           SUCH an easy fix. SUCH an annoying problem on a clientpc
     NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
  explorer.
  TEST SETUP
    17 On the client use the normal "map network drive"
              e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
              e.g. CMD: net use * "http://fileserver:80/C_drive"
           If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
  "manage network passwords") has NTFS permissions.
    18 Test that EFS is now working over the network
         a) On a clientpc, map network drive to http://fileserver/
         b) navigate to a folder you know on the \\flieserver is encrypted with EFS
         c) create a new folder, create a new file.
             IF it throws an error, check carefully you mapped to the WebDAV and not file share
                i.e. mapped to "http://fileserver" not "\\fileserver"
             Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
  account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
         d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
         e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
  clientpc decrypted it then copied it).
          If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
          If this is not readable check step (11) and that you restarted the \\fileserver computer.
    19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
        a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
              If a prompt for user+pass then check hotfix (16)
    20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
        a) see the last comment at the very bottom of
  this page: 
  Points to consider:
     - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
  either.
    - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
  MORE INFO: HOTFIX: RAW DATA TRANSFERS
  More info on step (11) above.
  Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
  it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
  Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
  Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
  Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
  file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
  There is a fix:
        It is implimented above, see (11) above
        Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
  Other problems + fixes
    PROBLEM: Can't find server due to network location.
       This one took me a long time to track down to "network location".
       Win 7 uses network locations "Home" / "Work" / "Public".
       If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
       This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
       FIX = either set IP address manually and specify a gateway
       FIX = or  force "unidentified" network locations to assume "home" or "work" settings -
  read here or
  here
       FIX = or  change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
  login to gain file access.
    PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
         By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
        Read
  here (i've posted a batch script to automatically make the required reg files)
  I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

  What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

• Active Directory Authentication, AFP Home Folders in the wrong place!

  Hi,
  I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
  -Xserve G5, Mac OS X Server 10.4.7
  -OD Master bound to AD for authentication
  -Hosts AFP and SMB shares, all stored on Xserve RAID
  On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
  The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
  Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
  Going slightly mad,
  Jason

  Hi there,
  Just wanted to share my make-due solution.
  I have setup the automount sharepoint at "/Data/Home".
  When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
  I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
  -Desktop
  -Library
  The other icons related to the home dir on the Dock remain big "?" 's.
  So I manually added them and assigned them the propper rights.
  Now users can log in without any problems, network home folders are working.
  So essentially I got thing s to work, luckily I have only a hand full of Mac Users, Imagine having a user base in the hundreds !
  Thinking about this really makes me want to know how I can fix this problem, I have a make shift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
  I've checked all possible locations on the server (i thought maybe it might have made local accounts on server by accident, but it didn't.)
  If anyone has ANY idea, please share.
  Thx!!
  Have a nice day

• Use UNC path from Active Directory to derive network home location

  Good Morning
  I am trying to get my Macbooks to conenct to a Windows Server 2003 home directory. I have followed the steps in the following article with no luck:
  http://docs.info.apple.com/article.html?path=serveradmin/10.4/en/c7od49.html
  I can bind to the Microsoft Active Directory with no problems and I can connect to the file share on the server that I want to make the network home location, but I can't get it to work automatically as I would expect it to.
  We will have hundreds of users connecting that will need their home folders redirected to the network folder location.
  Any help would be appreciated.
  Thanks

  I forgot to mention that before upgrading to 10.8.4 the login item below was present:
  Item: SMB://network path
  Kind: Unknown
  After the upgrade:
  Item: Unknown
  Kind: Unknown
  After restart it disappears and never returns (again, this only occurs for admins)

• 10.6 home directory mounting with active directory and open directory integration

  Hi guys i am having some issues in my new mac environment. I have a windows network with an server 2008 active directory. I have just recentlly created a "magic triangle" setup with active directory and open directory. When my users login via windows their home folders mount perfect. When any user logs in to any iMac in the building it does not work. They login perfectly fine, but their home folders do not mount. When i try mounting them manually with smb, i get a prompt for credentials. I am thinking this is my issue, my Single sign on with kerbos is working but for some reason is not logging in correctly. If i type in my credentials with my domain first then my name it works.
  For example DOMAIN\jsmith works, but the way i think the mac and active directory is doing it now is just jsmith without the DOMAIN.
  I feel like this is the problem with the home folders not mounting.
  Can anyone provide some help with this?
  Thanks,
  Dani

  Hi dani190,
  are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
  If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
  For the contact search path, did you put the AD at the top the list? (in directory utility)
  Did you set the WINS work group on your client computer to your domain?
  ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com