Home folder in active directory

Hello,
My environment is a Microsoft Active Directory 2008 SP2 domain environment. Our users' home drives are hosted on a Windows server. Upon login on a Mac workstation, the user's home drive should be mapped automatically and appear on the dock.
I'm working with Mac OS X 10.6.8 on the machine. The home drives start mounting on the dock as a "?" icon and aren't accessible. I can create a manual mapping of the shared network folder and that works fine, but it's the automatic mapping done by Active Directory that isn't working properly and I'm frankly stumped at the moment.
Can someone help me?
Thank you,
Olviier

Hello, no experience with AD, but once you manually map the Shared Network folder, try dragging that to the right side of the dock between Applications & Trash.

Similar Messages

  • Adobe Premiere Pro CS6 domain account's home folder causes crash?

    Hello All,
    Background: We set our user’s home folder in active directory so that when things get saved to their documents folder they get saved to their network folder. This works fine, and hasn’t given us problems until now.
    Adobe Premiere Pro from the CS3 suite has worked on a Win7 64bit HP desktop computer for some time now. Recently Adobe Premiere Pro has been installed along with the rest of the CS6 Master Suite on this machine.
    Problem: Whenever we open Premiere Pro CS6 as a user that has their home folder set to the network the entire application crashes immediately.
    Solution: After some Googling and experimenting I’ve determined that the problem is the home folder. If the home folder is set to the network when the user first opens Premiere Pro, it crashes and will always crash even if the settings are changed. If the home folder is not set, Premiere Pro will not crash and never will even if the settings are changed.
    I think the reason this works is that Premiere stores some information in the documents folder. Since changing the user home folder settings is not an option, I’d love to find another way. I’m thinking there’s probably a way to change where Premiere Pro stores the files, but I’m not sure where this would be nor how to make these settings apply to all users. Any ideas? Or alternate solutions that I haven't noticed? –Ben M

    This Drive C space http://forums.adobe.com/thread/1007934?tstart=0 discussion may help

  • Sidebar Home Folder Script

    I have 10.3.9 Macs authenticating to Active Directory fine. When the user logs in they get their home folder from Active Directory on the Dock and the server share mounts to the desktop and is available in the Finder Sidebar. I am looking to write a login script to add the user's home folder in the sidebar in addition to the Dock.
    This can be accomplished by dragging their home folder into the sidebar and it writes it to ~/Library/Preferences/com.apple.sidebarlists.plist. Not all users have the home folder in the same location, so the script will have to address this.
    Thanks

  • Tiger clients will not mount home folder

    I'm doing the popular AD/OD integration (AFP548.com AD/OD v 2.1). Home folders will not auto mount.
    Authentication is working, single sign-on does not work, users have to login again when manually mounting the Users share on the XServe.
    Home folders are created in advance with a script using cp and chown. Directory Access is checked to get user home folder from Active Directory, localhome is disabled, protocol is afp.
    Sometimes a test user will mount, 99% of logins create local folder. There is a funny log that says cannot log /var/...user id is over 100000.
    It doesn't help that I'm ignorant on troubleshooting these issues.
    I'm not finding similar enough issues previously posted that could give me an idea of how to fix.

    Went with mobile accounts and having them sync at login/logout.

  • Home folder for AD users?

    I'm upgrading the servers from 10.6.8 to 10.7. I am running some testing before I do the final upgrade, and I have noticed something: I couldn't assign a home folder for Active Directory users. I'm running Mac OS X 10.7.2.
    The Open Directory server is bound to the Active Directory server, and when I open the Server app and, under Users, click the + sign to add users and select the type "imported user from another directory", I can see all the Active Directory users and I can import them, but then it doesn't allow me to create a home folder for them, while it works fine for the Open Directory users.
    This was working perfectly under 10.6.8 but not under 10.7.2, unless there is a workaround that I don't know about.
    Any idea?

    Hi,
    Could still do with trying to work out if this is possible. If anyone has any ideas / suggestions it would be much appreciated.
    Cheers,
    LSDWho

  • 10.4.6 and Active Directory Problem - Volume cannot be found??

    I have bound six 10.4.6 to active directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can login to the Mac no problem using any user account from AD. If I login with a user the first time all goes well. The desktop icons show and the home directory is that of the users network home folder and can browse it. All good until I log out and login again. I get the desktop icons but the users home directory gives the error "The Volume for %username% Cannot be found" when trying to access. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors, all looks fine. I have upgraded one Mac to 10.4.7 but made no difference.
    I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed but I did as I was getting nowhere anyway.
    Any ideas?
    PowerPC   Mac OS X (10.4.6)  

    Hi Chris!
    Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
    While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
    Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
    Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
    Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
    If you can get your Windows home folders to mount automatically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
    Hope this helps! bill
    1 GHz Powerbook G4   Mac OS X (10.4.7)  

  • Mobile Account and Active Directory home folder

    We installed an XServe server (Mac OS X 10.6.3). We joined it to Active Directory for authentication and Open Directory for policy. I read about the magic triangle on the web.
    I set up a MacBook Pro with Mac OS X 10.6. I joined it to AD and afterwards to OD. When I configure an account to be mobile, the home folder configured in AD stops mounting automatically. If the account is not mobile, the home folder mounts correctly.
    Does somebody have an idea of what is happening?

    Hello, sifeduc, and welcome to the AppleBoards,
    This really seems like a Directory Services question and is probably best suited to this board: http://discussions.apple.com/forum.jspa?forumID=1353
    That being said are you talking about Portable Home Directories? If so PHDs should be created on the server first and on the client second. If you have a client account you want to sync to the OD you need to delete the client account - *but leave it in place* - create a server account and then use the local account which will then sync to the server. The steps for this are a little more complicated than that but not much.
    Good Luck,
    =Tod

  • Active Directory Integration and home folder mounting

    Hello,
    I've set up a G4 tower with Tiger 10.4.4 and bound it to our AD domain. Authentication works perfectly, however the home directories of the users (on smb shares on windows servers) do not mount consistently. At first I thought that it was working for administrative users but not for regular users, but one of our test accounts which has no admin priv's works perfectly. It does seem to work consistently for admins, though.
    Most regular users are given a local home directory. Has anyone seen this? Any thoughts? Is there any particular log file that I might check for clues?
    I'll try to get in a little later to post the output of dsconfigad -show, which might help...
    Anyhow any help will be appreciated..... thanks!
    -Jonathan

    I have been working on doing this as well. If I set the 'mount home directory' property in the user in Active Directory Users and Computers it has worked for all users and I did not have to specify anything in the AD connector on the Macs.
    Robert

  • Home Folder Creation w/Active Directory

    If this has been asked a million times, just point me to the url for the answer...
    I have done the leg work and have the "magic triangle" working - I can login and auth to AD and get my preferences from OD. I want our users' home folders to reside on our Windows server. I have shared out \\server\students on the Windows server and in AD I am pointing their home folder to our Windows server, but I can't get the permissions right. When I point a new user's home folder in AD to our Windows server, it creates the folder \\server\students\jtest.
    When the user logs in, none of the subfolders are created. Can someone give me some pointers on how permissions need to be set so the subfolders are created on first login?
    This is all pretty new and I'm happy that I got the triangle to work - if I can get this all important piece, I'll be set.
    Thx in advance!

    Hi
    A lot of this depends on how many OUs you have; how deep they go; and how many directories you have nested in each OU or the particular OU the directory for home folder creation is within. The accepted 'recommendation' is not more than 3 deep - generally. Having said that I have made it work with OUs 7-10 deep. Gets trickier after that.
    In my experience the non-creation of expected directories is generally down to permissions not being assigned properly - as you've guessed. Essentially users must be given read/write access all the way down the nested directories. I have seen permissions assigned correctly to a parent folder, with a set of different permissions applied to the next folder down and the next one along again with the correct permissions applied. Folder creation fails when permissions are set in this way.
    What is interesting is the log-in does not fail though you are greeted with the usual "the home folder exists on an SMB or AFP Server etc" dialog box when getting to the desktop. You sometimes get this at the log-in window as well. Although you can also see the message for other reasons - usually down to poor DNS configuration.
    You should be able to log in as the local admin and look at the system.log in Console. You should see an error starting with 'NSurl etc etc. . . ' listed. If you do that's an indication it's a permissions problem.
    Beyond this and without being there it's difficult to tell?
    Hope this helps, Tony

  • EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

    This is for information to help others
    KEYWORDS:
      - Sharing EFS encrypted files over a personal lan wlan wifi ap network
      - Access denied on create new file / new folder on encrypted EFS network file share remote mapped folder
      - transfer encryption keys / certificates
      - set trusted delegation for user + computer for EFS encrypted files via Kerberos
      - Windows Active Directory vs network file share
      - Setting up WebDAV server on Windows 7 Pro / Ultimate
    It has been a long painful road to discover this information.
    I hope sharing it helps you.
    Using EFS on Windows 7 pro / ultimate is easy and works great. See here and here
    So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
    HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network won't work (unless you follow below steps).
    Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
    Typically an "Access Denied" error message is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
    Why such an EFS drama when a network is involved?
    Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
    When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of the clientpc's data request).
    This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
    Solutions
    There are two main approaches to solve this:
         1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
              EFS operations occur on the computer storing the files.
              EFS files are decrypted then transmitted in plaintext to the client's computer
              This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
         2) SOLVE by setting up WebDAV (efs files accessed through web folders)
               EFS operations occur on the client's local computer
               EFS files remain encrypted during transmission to the client's local computer where it is decrypted
               This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
               BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
             READ BELOW as this does
    Create new encrypted file / folder on a network file share - via Active Directory
    It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming, it is bulky, adds burden to operation of \\fileserver computer and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
    Although this info is NOT for setting up EFS on an active directory domain [server], for those interested here is the gist:
    Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with EFS.
    NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP), which will encrypt transmitted data.
    Create new encrypted file / folder on a network file share - via WebDAV
    For home users it is possible to make it all work.
    Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
    Setting up a wifi AP (for those less technical):
       a) START ... CMD
       b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
       c) type (no quotes): "netsh  wlan start hostednetwork"
    Set up a WebDAV server on Windows 7 Pro / Ultimate
    -----ON THE FILESERVER------
       1  click START and type "Turn Windows Features On or Off" and open the link
           a) scroll down to "Internet Information Services" and expand it.
           b) put a tick in: "Web Management Tools" \ "IIS Management Console"
           c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
           d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
           e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
           f) click ok
           g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
    KB892211 here ONLY for XP + Server 2003 (made in 2005)
    KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
      2 Click START and type "Internet Information Services (IIS) Manager"
      3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Enable WebDAV"
      4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
           a) click on "Anonymous Authentication" and click "Disable"
           b) click on "Windows Authentication" and click "Enable"
          NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
            It can be fixed by changing the registry key:
               [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
               BasicAuthLevel=2
           c) on the "Windows Authentication" click "Advanced Settings"
               set Extended Protection to "Required"
           NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
      5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Add Allow Rule"
           b) set this to "all users". This will control who can view the "Default Site" through a web browser
           NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logging in on the clientpc.
           NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
      6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
           a) on the right side, under Actions, click "Enable"
    HOTFIX - double escaping
      7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
           a) on the right side, under Actions, click "Edit Feature Settings"
           b) tick the box "Allow double escaping"
         *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
         These folders will appear blank with no subdirectories, or these files will not be readable unless this is ticked
         This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build URLs via string-concat without proper encoding). But any bug would need to be in IIS basic file serving and this has been rigorously tested by Microsoft, so very unlikely. It's safe to "Allow double escaping".
      8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
           a) set the Alias to something sensible eg "D_Drive", set the physical path
           b) it is essential you click "connect as" and set this to a local user (on fileserver),
           if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
                 NB: the user account selected here must have the required EFS certificates installed. See here and here
            NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
          This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
           The work around is on the \\fileserver create an NTFS symbolic link
              e.g. to share the entire contents of "D:\",
                    on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                    in cmd in this folder create an NTFS symbolic link to "D:\"
                    so in cmd type "cd c:\inetpub\wwwroot"
                    then in cmd type "mklink /D D_Drive D:\"
            NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
             NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart clientpc
      9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
           a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
           b) if some exist review existing allow or deny.
               Take care to not only review the "allow access to" settings
               but also review "permissions" (read/write/source)
           NB: this can be set here for all added virtual directories, or can be set under each virtual directory
      10 Open your firewall software and/or your router. Make an exception for port 80 and 443
           a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
                 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
              NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes" below, specifically "Cant find server due to network location"
           b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
    HOTFIX - MAJOR ISSUE - fix KB959439
      11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
          a) On Windows 7 you need only change one tiny registry value:
               - click START, type "regedit", open link
               -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
               -on the EDIT menu click NEW, then click DWORD Value
               -Type "DisableEFSOnWebDav" to name it (no speech marks)
               -on the EDIT menu, click MODIFY, type 1, then click OK 
               -You MUST now restart this computer for the registry change to take effect.
          b) On Windows Server 2008 / Vista / XP you'll FIRST need to download Windows6.0-KB959439 here. Then do the above step.
             NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
      12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
                It should show the default "IIS7" image.
                If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
            c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                    e.g. http://localhost/D_drive
                If nothing is listed, check "Directory Browsing" is enabled
      13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                  eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                  It should show the default "IIS7" image. If not, check firewall and port blocking. 
                  Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
           c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                   eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                   A directory listing of files should appear.
    --- ON EACH CLIENT ----
    HOTFIX - improve upload + download speeds
      14 Click START and type "Internet Options" and open the link
            a) click the "Connections" tab at the top
            b) click the "LAN Settings" button at the bottom right
            c) untick "Automatically detect settings"
    HOTFIX - remove 50mb file limit
      15 On Windows 7 you need only change one tiny registry value:
          a) click START, type "regedit", open link
          b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
           c) click on "FileSizeLimitInBytes"
           d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
    HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
     16 On each clientpc click START, type "Internet Options" and open it
             a) click on "Security" (top) and then "Custom level" (bottom)
             b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
             SUCH an easy fix. SUCH an annoying problem on a clientpc
       NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is considered a "web folder" by windows explorer.
    TEST SETUP
      17 On the client use the normal "map network drive"
                e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
                e.g. CMD: net use * "http://fileserver:80/C_drive"
             If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc "manage network passwords") has NTFS permissions.
      18 Test that EFS is now working over the network
           a) On a clientpc, map network drive to http://fileserver/
           b) navigate to a folder you know on the \\fileserver is encrypted with EFS
           c) create a new folder, create a new file.
               IF it throws an error, check carefully you mapped to the WebDAV and not file share
                  i.e. mapped to "http://fileserver" not "\\fileserver"
               Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
           d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
           e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the clientpc decrypted it then copied it).
            If this fails, it is likely that in the IIS settings on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
            If this is not readable check step (11) and that you restarted the \\fileserver computer.
      19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
          a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
                If a prompt for user+pass then check hotfix (16)
      20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
          a) see the last comment at the very bottom of this page:
    Points to consider:
       - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't either.
      - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
    MORE INFO: HOTFIX: RAW DATA TRANSFERS
    More info on step (11) above.
    Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
    Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
    Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
    Doing this over the network to a web folder will copy the raw data, i.e. skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
    There is a fix:
          It is implemented above, see (11) above
          Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
    Other problems + fixes
      PROBLEM: Can't find server due to network location.
         This one took me a long time to track down to "network location".
         Win 7 uses network locations "Home" / "Work" / "Public".
         If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
         This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
         FIX = either set IP address manually and specify a gateway
         FIX = or force "unidentified" network locations to assume "home" or "work" settings - read here or here
         FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows login to gain file access.
      PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
           By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
          Read here (I've posted a batch script to automatically make the required reg files)
    I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
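
A way to run the readability check from steps 18 d) and e) across a whole folder on the fileserver, as an added example that is not part of the original post: it flags files whose leading bytes do not match the signature expected for their extension and that carry no EFS flag, which is how a raw-copied encrypted file would look. The signature table, function names and sample files are assumptions constructed for illustration; a mismatch can also mean a renamed or damaged file, so hits are candidates to open by hand.

```python
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # EFS bit in st_file_attributes (Windows only)
OOXML, OLE2 = b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Well-known leading bytes for document types users typically keep on a share.
SIGNATURES = {".pdf": b"%PDF-", ".docx": OOXML, ".xlsx": OOXML, ".pptx": OOXML,
              ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2}


def is_efs_flagged(path):
    """True if NTFS marks the file as EFS-encrypted; always False off Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_ENCRYPTED)


def find_suspect_files(root):
    """List files with an unexpected header that carry no EFS flag."""
    suspects = []
    for path in sorted(Path(root).rglob("*")):
        magic = SIGNATURES.get(path.suffix.lower())
        if magic is None or not path.is_file():
            continue  # directory, or a type with no signature to compare
        try:
            if is_efs_flagged(path) or path.stat().st_size == 0:
                continue  # properly flagged by EFS, or nothing to inspect
            with open(path, "rb") as fh:
                header = fh.read(len(magic))
        except OSError:
            continue  # unreadable from this account; check NTFS permissions
        if header != magic:
            suspects.append(path)
    return suspects


def demo():
    """Build a constructed folder and return the file names that get flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "report.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
        (root / "sub" / "budget.xlsx").write_bytes(OOXML + b"constructed")
        # Stand-in for a raw-copied file: arbitrary bytes, not real EFS output.
        (root / "sub" / "plan.docx").write_bytes(bytes(range(200, 256)) * 4)
        (root / "notes.txt").write_bytes(b"no signature expected")
        (root / "empty.pdf").write_bytes(b"")
        return [p.name for p in find_suspect_files(root)]


if __name__ == "__main__":
    print(demo())
```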

    What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

  • Active Directory Authentication, AFP Home Folders in the wrong place!

    Hi,
    I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
    -Xserve G5, Mac OS X Server 10.4.7
    -OD Master bound to AD for authentication
    -Hosts AFP and SMB shares, all stored on Xserve RAID
    On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
    The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
    Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
    Going slightly mad,
    Jason

    Hi there,
    Just wanted to share my make-do solution.
    I have setup the automount sharepoint at "/Data/Home".
    When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
    I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
    -Desktop
    -Library
    The other icons related to the home dir on the Dock remain big "?" 's.
    So I manually added them and assigned them the proper rights.
    Now users can log in without any problems, network home folders are working.
    So essentially I got things to work, luckily I have only a handful of Mac users, imagine having a user base in the hundreds!
    Thinking about this really makes me want to know how I can fix this problem, I have a makeshift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
    I've checked all possible locations on the server (I thought maybe it might have made local accounts on server by accident, but it didn't.)
    If anyone has ANY idea, please share.
    Thx!!
    Have a nice day

  • Use UNC path from Active Directory to derive network home location

    Good Morning
    I am trying to get my Macbooks to connect to a Windows Server 2003 home directory. I have followed the steps in the following article with no luck:
    http://docs.info.apple.com/article.html?path=serveradmin/10.4/en/c7od49.html
    I can bind to the Microsoft Active Directory with no problems and I can connect to the file share on the server that I want to make the network home location, but I can't get it to work automatically as I would expect it to.
    We will have hundreds of users connecting that will need their home folders redirected to the network folder location.
    Any help would be appreciated.
    Thanks

    I forgot to mention that before upgrading to 10.8.4 the login item below was present:
    Item: SMB://network path
    Kind: Unknown
    After the upgrade:
    Item: Unknown
    Kind: Unknown
    After restart it disappears and never returns (again, this only occurs for admins)

  • 10.6 home directory mounting with active directory and open directory integration

    Hi guys, I am having some issues in my new Mac environment. I have a Windows network with a Server 2008 Active Directory. I have just recently created a "magic triangle" setup with Active Directory and Open Directory. When my users log in via Windows their home folders mount perfectly. When any user logs in to any iMac in the building it does not work. They log in perfectly fine, but their home folders do not mount. When I try mounting them manually with SMB, I get a prompt for credentials. I am thinking this is my issue, my single sign-on with Kerberos is working but for some reason is not logging in correctly. If I type in my credentials with my domain first then my name it works.
    For example DOMAIN\jsmith works, but the way I think the Mac and Active Directory are doing it now is just jsmith without the DOMAIN.
    I feel like this is the problem with the home folders not mounting.
    Can anyone provide some help with this?
    Thanks,
    Dani

    Hi dani190,
    are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
    If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
    For the contact search path, did you put the AD at the top the list? (in directory utility)
    Did you set the WINS work group on your client computer to your domain?
    ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com

  • Active Directory authentication, OS X network homes on Xserve

    Hi
    I'm looking for a general guide/tips for our deployment of OS X in our Windows network.
    Everyone in our institution has an Active Directory account.
    We also have an Xserve 10.4.4 running as an OD Master with 400 accounts for people who use Macs. It shares out OS X network home folders for these accounts. This means these people have a separate AD and OD account.
    We aim to get these users authenticating with AD on the Macs and seeing a network home that will ultimately be a combination of an OS X folder (Public, Sites) and a Windows folder (My documents etc.)
    We can backup the data in their existing OS X home folders for them to pull into the new homes that will be created for them through AD authentication.
    We can successfully bind the Xserve and client Macs to AD. We have a group of AD users in WGM. MCX preferences are enforced at computer level.
    The big questions are:
    How do we tackle the mapping of a (OS X/Windows combo) home folder stored on the Xserve for new Active Directory accounts when they are created?
    What could we do with AD/OD current users existing Active Directory folders when they start to use AD to authenticate on the Macs (current OS X home data will be backed up and pulled in to new OS X accounts later) ?
    Do we definitely need Kerberos running on the Windows server ?
    What would happen to an existing AD/Windows-only user with a Windows folder mapped to an SMB/Windows server share if they authenticated to OS X for the first time - local home creation (default/forced) ?
    Any advice appreciated - we have Windows/Mac people working in harmony here and we're close to what we want!
    Many Thanks

    Try this (on the client computer):
    Login locally using a user with administrator privileges.
    Connect to your office's wireless network, save the credentials, and then make sure you check the "Connect automatically" checkbox.
    Open a command prompt window and type the following command to find the profile name of your wireless network: netsh wlan show profiles
    Let's say the profile to use in the example is "office-network". Open regedit and look for the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Create a new String Value (REG_SZ) at that location, and name it anything you want (i.e. WIFI_Connect), and enter the following command string: %comspec% /c netsh wlan connect name="<profile name>" where profile name in our example would be "office-network".
    Reboot the laptop for this to take effect.
    If it still doesn't work or fails to connect to your office network at pre-logon, try enabling the following Local Group Policy (using gpedit.msc): Computer Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon.
    These steps still require the wireless network to be your domain network as Windows can only cache 50 credentials maximum.
    Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

  • Home Directory on Active Directory

    I am attempting to have the OS X users upon logging in, gain automatic access to their home directory in my W2K server. As an example, when I log in via the "Other" user, my home folder from the W2K server becomes my Home directory. All the necessary files from OS X seem to be resident in my W2K home directory so if I go to the Home item under the Go menu, that is the folder that appears. No local Home directory was/is created on the local machine. I am trying to have it so that all users work this way. If I try to log on as any other user including another Administrative user, the same does not occur, a local Home directory is always created and I must log onto the server through the Go menu to get the Home Directory. I cannot seem to find anything different with the settings on either the W2K server's Active Directory User Properties or in the Directory Access settings. So, in a nutshell, what do I need to do to make this work the way I'd like.
    Thank you in advance for any assistance.

    Sounds good but there are only two local users on the units I've played with and they do not match the AD username. I have attempted this with various users with varying levels of authority without finding the common thread yet. I've come to the conclusion that it has something more to do with permissions and/or settings on the AD or server volume rather than an OS X issue. Still working on it though so any assistance is welcome. Thanks.
