"I'm a Mac" in an Active Directory World . . .

Hi -
Here is the brief summary of my question/dilemma: what is the absolutely best, most seamless, reliable VPN methodology for connecting my Mac to my work environment when I am traveling? Here is the kicker: our corporate environment is a Windows 2003 Active Directory environment. We use Microsoft's built-in VPN over PPTP and it is fraught with issues (see below). I am even open to buying something just so my connection works well to the active directory network like a Cisco VPN appliance or even buying a Mac Mini Snow Leopard Server box if the built-in VPN server in that box will work best with my Mac and allow me to access all the active directory resources from outside the office.
Many thanks!
Matt
More Context on Issues
When I am outside of work and want to VPN in it just doesn't work well. If I use Apple's built-in PPTP client I can get it to work but there is no check box like on Windows called "Send all network traffic through VPN" that I can turn off so that only traffic going to my work network goes through the VPN. Thus whenever I am on the VPN I can't use any internet resources.
In addition, the internal DNS resolution just doesn't seem to work well, as I often have to use IP addresses for file servers when connected through the VPN instead of the server names.
Finally, it is just much slower compared to connecting from a Windows laptop over the VPN over the exact same broadband connection. Especially for file server access.
Also, our Microsoft VPN does use L2TP for our windows machines but requires a Windows certificate, which I have assumed Mac OS does not support.

I found this article that you might take a look at:
http://www.peachpit.com/articles/article.aspx?p=676983&seqNum=5
It's a bit dated and so many of the settings are in different locations now (in Snow Leopard they're all in the Network system preference) but it might be of help. As to your certificate question, the Keychain Access utility on your system allows importing of certificates (select Certificates in the sidebar and click the "+" button) and it looks like it does support Microsoft certs - there's a category specifically for them - so it does look possible. But not having set up a VPN to a Windows system (we use Cisco here) I can't be certain.
Hope this helps.
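A worked check for the two complaints in the question (every packet going through the tunnel, and internal names not resolving), added here as an example; it is not part of the original thread. Two facts first: Mac OS X does have the equivalent checkbox, "Send all traffic over VPN connection", under Advanced > Options for the VPN service in the Network preference pane; and PPTP with MS-CHAPv2 is cryptographically broken (the MS-CHAPv2 exchange can be cracked offline), so the protocol the server offers matters more than which client is most convenient. The script reads `netstat -rn` output, reports whether the default route goes through the PPP interface (a full tunnel), emits the `route` commands that pin only the corporate subnets to the tunnel, and generates an `/etc/resolver/<domain>` file so that internal names go to the VPN's DNS server while everything else keeps using the local resolver. The netstat text, subnets, gateways and domain are constructed; the `/etc/ppp/ip-up` argument positions are from pppd's documentation.

```python
"""Decide whether a macOS VPN session is a full tunnel and emit the route and
resolver changes that turn it into a split tunnel.

Added example, not from the original thread.  Input is the "Internet:" section
of `netstat -rn` on Mac OS X; the sample below is constructed.
"""
import ipaddress

# Constructed sample: `netstat -rn` right after a PPTP session comes up with
# "Send all traffic over VPN connection" enabled (default route now via ppp0).
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGSc         ppp0
10.8.0.1           10.8.0.5           UH           ppp0
127                127.0.0.1          UCS          lo0
192.168.1          link#4             UCS          en0
192.168.1.1        0:11:22:33:44:55   UHLWIir      en0   1200
192.168.1.23       127.0.0.1          UHS          lo0

Internet6:
Destination        Gateway            Flags        Netif Expire
::1                ::1                UHL          lo0
"""


def to_network(dest):
    """Turn netstat's shorthand ("default", "127", "192.168.1", "10/8") into an
    ip_network; returns None for anything that is not IPv4."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    if not prefix:  # classful abbreviation: "127" -> /8, "192.168.1" -> /24
        prefix = str(8 * len(octets)) if len(octets) < 4 else "32"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)


def parse_routes(netstat_text):
    """Parse the IPv4 section of `netstat -rn` into (network, gateway, flags, netif)."""
    routes, in_v4 = [], False
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        parts = line.split()
        if not in_v4 or len(parts) < 4 or parts[0] == "Destination":
            continue
        net = to_network(parts[0])
        if net is not None:
            routes.append((net, parts[1], parts[2], parts[3]))
    return routes


def is_full_tunnel(routes, ppp_iface):
    """True when the default route points at the PPP interface, i.e. ordinary
    web traffic is being sent through the VPN as well."""
    return any(net.prefixlen == 0 and netif == ppp_iface for net, _, _, netif in routes)


def split_tunnel_commands(routes, ppp_iface, vpn_gateway, lan_gateway, corp_subnets):
    """Commands that drop the VPN default route (if present) and route only the
    corporate subnets through the tunnel.  In /etc/ppp/ip-up pppd passes the
    interface as $1 and the remote address as $5 (per pppd(8)); here they are
    plain parameters so the logic can run offline."""
    cmds = []
    if is_full_tunnel(routes, ppp_iface):
        cmds.append(f"/sbin/route -n delete default {vpn_gateway}")
        cmds.append(f"/sbin/route -n add default {lan_gateway}")
    for subnet in corp_subnets:
        net = ipaddress.ip_network(subnet, strict=False)  # rejects garbage input
        cmds.append(f"/sbin/route -n add -net {net} {vpn_gateway}")
    return cmds


def resolver_file(internal_dns):
    """Contents for /etc/resolver/<internal domain>: macOS sends queries for
    that suffix, and only that suffix, to these servers, so corporate names
    resolve over the VPN while the ISP resolver handles everything else."""
    return "".join(f"nameserver {ipaddress.ip_address(ip)}\n" for ip in internal_dns)


if __name__ == "__main__":
    rt = parse_routes(SAMPLE_NETSTAT)
    print("full tunnel:", is_full_tunnel(rt, "ppp0"))
    for c in split_tunnel_commands(rt, "ppp0", "10.8.0.1", "192.168.1.1",
                                   ["10.0.0.0/8", "172.16.0.0/12"]):
        print(c)
    print(resolver_file(["10.1.1.53"]), end="")
```

The route lines belong in `/etc/ppp/ip-up` (root-owned, mode 0755) so they are re-applied every time the link comes up; the resolver file goes in `/etc/resolver/` named after the internal DNS suffix. Neither changes the default route unless a full tunnel is actually detected.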

Similar Messages

  • Add a mac to an active directory group using a script?

    I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.1X. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the device to an Active Directory group.
    Thanks in advance...

    I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
    For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
    dsconfigad -a ThisComputer -u "administrator" \
        -ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
    Is that what you are looking to do?
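Because the `-ou` value is an LDAP DN, it is read most-specific-first: "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" is a Computers container inside an OU called Macs, the reverse of the text above. The following is an added example, not from the thread, that builds that DN from a top-down OU path, escapes the RDN values per RFC 4514, and assembles the bind command without putting a password on the command line. The domain `ads.demo.com`, the OU path and the join account `macjoin` are constructed; the option spelling is the 10.6+ long form from dsconfigad(8), and the claim that dsconfigad prompts when `-password` is omitted is an assumption to verify on your release.

```python
"""Build the -ou DN for dsconfigad from a human-readable OU path.

Added example, not from the thread.  Names are constructed.
"""
import shlex

_RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514: special characters get a
    backslash; a leading '#' and a leading or trailing space are escaped too."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in _RDN_SPECIAL
                   or (i == 0 and ch == "#")
                   or (ch == " " and i in (0, last)))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def domain_dn(domain):
    """ads.demo.com -> DC=ads,DC=demo,DC=com"""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + escape_rdn_value(l) for l in labels)


def container_dn(domain, ou_path=(), builtin_container=None):
    """DN of the place the computer object will be created.

    ou_path is given top-down, as you would click through Active Directory
    Users and Computers ("Workstations", "Macs"); DNs are written most
    specific first, so the order is reversed here.  builtin_container names a
    CN container such as "Computers", which is the default when no OU is given.
    """
    rdns = []
    if builtin_container:
        rdns.append("CN=" + escape_rdn_value(builtin_container))
    rdns.extend("OU=" + escape_rdn_value(ou) for ou in reversed(list(ou_path)))
    if not rdns:
        rdns.append("CN=Computers")
    return ",".join(rdns + [domain_dn(domain)])


def bind_command(computer_name, domain, ou_path=(), join_user="macjoin",
                 builtin_container=None):
    """argv for dsconfigad.  -password is deliberately left out so that
    dsconfigad prompts for it (assumption; check dsconfigad(8)), which keeps the
    join account's password out of `ps` output, shell history and the imaging
    script.  Use a delegated account that may only create and join computer
    objects in this OU, not a Domain Admin."""
    return ["dsconfigad", "-add", domain,
            "-computer", computer_name,
            "-username", join_user,
            "-ou", container_dn(domain, ou_path, builtin_container)]


def as_shell(argv):
    """Quote argv for pasting into a shell (DNs contain commas and may contain spaces)."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(as_shell(bind_command("mac01", "ads.demo.com", ["Workstations", "Macs"])))
```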

  • Setting disk quota on Mac server for Active Directory users

    I'm having trouble setting disk quotas for Active Directory users with home folders on our Mac server.
    I've enabled disk quotas on the disk I'm putting home folders on, and I can set disk quotas for local users on the server just fine. But it doesn't seem to work for Active Directory users. I've tried setting disk quotas via Workgroup Manager and via the command line using edquota. But when I use the repquota command there is no quota entry for the AD user. I've run quotacheck and that didn't help either.
    I also understand there's a setquota command but there's no man page on how that works.
    Has anyone got disk quotas for AD users working?
    Better still, has someone got a shell or Perl script for setting quotas they could post?
    Thanks
    - Cameron

    Sorry... I am so stupid... I have to activate "File Sharing" as well. For the user everything was already pre-activated, but not for the AD users; I just saw the Time Machine checkbox grayed out...

  • Mac Bound to Active Directory won't let users download

    Good Morning,
    We have a handful of Macs running in a Windows 2008 server environment bound to AD.  When our users log in they cannot download any type of file.  This is an issue as most of our users are students trying to download their school work from email.  It comes up with the error that the Disk is full and cannot save the file.  This is the case for any type of folder.  Any help would be helpful.

    I have found that my domain users have no rights to any of the local folders, such as Documents, Downloads etc. When you look at the sharing and permissions of the folder it says Everyone with No Access. Even after changing this logged in as the local administrator for the machine I still cannot get it to work. Has anybody ever seen this issue before?
    Thanks

  • How to set permissions on a file for a Mac without active Directory

    We don't have our Macs in Active Directory; we are looking to share an external hard drive to only the Macs and not the Windows PCs on the network, without using Active Directory. I have tested sharing the external hard drive from a PC to Everyone, and both the PCs and Macs can access it, but we only want the Macs to see and access it, not everyone. There is no selection for sharing by computer name in the Share permissions, so the only way to do this is to share it to Everyone. The Mac accounts are local to the Macs and the PCs are on Active Directory, so what I need is a way to share this folder with only the Macs and not all the Windows PCs. Any solutions or ideas will help.
    Thanks

    hi
    good
    go through these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/b4de3f68d48f15e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/be/0de03f41b9eb06e10000000a1550b0/content.htm
    thanks
    mrutyun

  • How to change password in Active Directory from a Mac

    When logging in to Active Directory I can enter my password without a problem, but I am required to change it periodically and I can't see an option for changing the password. Does anyone have experience with this on their Mac when accessing Active Directory?
    Thanks

    In the Accounts section of System Preferences there should be a Change Password… button next to your account picture. That's how we do it in Tiger, but it should work in Leopard too.

  • Mac OS X and Active Directory

    An interesting problem that has been in effect for what must be years now.
    I'm a student troubleshooter at a college. We have a mostly Windows based campus, but we do have a nice share of Macs as well.
    For logging in, our Macs authenticate through Active Directory.
    However, we have several domains on the network, and that presents a problem.
    While the Macs are bound to the top-level domain, it has become apparent that if a user account exists in two lower-level domains, the Mac will not log in.
    For example, I have two accounts with the same username and password in two domains. Because the short name is the same in both accounts, the Mac does not know which to log in and refuses entry, even if the domain is specified at login.
    I was wondering if this was a known issue and if any workarounds exist (other than deleting one of the accounts).

    You can use it off the domain as well, but only if there is a local account by the same name. But of course if you have a local account by the same name then that will take precedence even if you are bound to AD.
    I don't know about the booting problems unless it was somehow related to the previous statement. I haven't had any issues with my trouble except lock-up of the print menu if you have printers installed from the directory.

  • What Is The Domain Name System for Active Directory on My Computer a Mac OS X

    When I try to bind my Mac to an Active Directory domain I get the error message ("An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest"). I have tried so many things, nothing works.
    Any suggestions?

    In general, the domain name you use must be correctly looked up (both backward AND forward) by the Domain Name Server you are using or using Active Directory or Open Directory will not work properly.
    In general, the first-listed DNS Address for each workstation must be one that contains the Active Directory or Open Directory names.
    You can use Network Utility's "Lookup" function to test whether the names and the IP addresses are looked up correctly. Both the symbolic (e.g., mydomain.com) and numeric (e.g., 192.168.2.22) addresses of the Active Directory server MUST look up to the other.
    In MacOS X Server installations with private, non-Internet-visible Domain names, this problem can be solved by providing a local DNS Server, and populating the DNS Server with the Active Directory or Open Directory names and IP Addresses set for forward and reverse lookup.
    If the above is gibberish to you, you will need to contact your Active Directory Administrator for guidance.
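The forward/reverse check described in the reply above, written out as a script. This is an added example, not from the thread. Lookups are injected so the logic runs offline against a constructed answer table; called with no resolver arguments it uses the system resolver through the socket module. The host names, addresses and resolv.conf text are all constructed. The caveat a practitioner would add: the "invalid Domain and Forest combination" error is almost always this DNS problem, and the Mac's first DNS server has to be one serving the AD zone, otherwise the DC locator records (`_ldap._tcp.dc._msdcs.<domain>`) never resolve either.

```python
"""Check that the names a Mac uses to bind to Active Directory resolve forward
and reverse consistently, and that the first DNS server is an AD DNS server.

Added example, not from the thread.  Resolver functions are injected; the
defaults use the real system resolver.
"""
import socket

# Constructed answer table standing in for the AD-integrated DNS zone.
FAKE_A = {
    "dc1.ads.demo.com": "192.168.2.22",
    "ads.demo.com": "192.168.2.22",      # the domain name itself answers with a DC
    "dc2.ads.demo.com": "192.168.2.23",  # forward record only: reverse is missing
}
FAKE_PTR = {
    "192.168.2.22": "dc1.ads.demo.com",
}

# Constructed resolver configuration (on a Mac `scutil --dns` shows the same
# list; the first server is the one that matters for AD binding).
RESOLV_CONF = """\
domain ads.demo.com
search ads.demo.com
nameserver 192.168.2.22
nameserver 8.8.8.8
"""


def fake_forward(name):
    try:
        return FAKE_A[name.lower().rstrip(".")]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


def real_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def check_name(name, expected_ips, domain, forward=socket.gethostbyname, reverse=real_reverse):
    """Problems (empty list == good) for one name: its forward lookup must give
    one of expected_ips, and the reverse lookup of that address must give the
    same name or another name inside the AD domain."""
    problems = []
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    try:
        ip = forward(name)
    except OSError as e:  # gaierror and herror are OSError subclasses
        return [f"forward lookup of {name} failed: {e}"]
    if ip not in set(expected_ips):
        problems.append(f"{name} resolves to {ip}, expected one of {sorted(expected_ips)}")
    try:
        back = reverse(ip).lower().rstrip(".")
    except OSError as e:
        problems.append(f"reverse lookup of {ip} failed: {e}")
        return problems
    if back != name and not back.endswith("." + domain):
        problems.append(f"{ip} reverses to {back}, which is not in {domain}")
    return problems


def nameservers(resolv_conf_text):
    """nameserver entries in the order the resolver will use them."""
    return [p[1] for p in (line.split() for line in resolv_conf_text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def check_domain(domain, dc_map, resolv_conf_text, forward=socket.gethostbyname, reverse=real_reverse):
    """Run every pre-bind check: first resolver is a DC, the bare domain name
    resolves to a DC, and each DC resolves both ways.  dc_map is {host: ip}."""
    problems = []
    ns = nameservers(resolv_conf_text)
    if not ns or ns[0] not in set(dc_map.values()):
        problems.append("first DNS server is not an Active Directory DNS server")
    problems += check_name(domain, dc_map.values(), domain, forward, reverse)
    for host, ip in dc_map.items():
        problems += check_name(host, [ip], domain, forward, reverse)
    return problems


if __name__ == "__main__":
    dcs = {"dc1.ads.demo.com": "192.168.2.22", "dc2.ads.demo.com": "192.168.2.23"}
    for p in check_domain("ads.demo.com", dcs, RESOLV_CONF, fake_forward, fake_reverse):
        print("PROBLEM:", p)
```

Against the constructed table the only finding is the missing PTR record for dc2; on a real network, run `check_domain` with the defaults and with `/etc/resolv.conf` as the text, and fix every reported line on the DNS server before trying to bind again.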

  • Active Directory - Authentication Problem

    Hi Guys,
    I'm seeing something really weird in my Environment.
    For example, we have two users as example below in our Active Directory:
    jonesp - Paul Jones
    jonesph - Phillip Jones
    These users can't log in to any Mac bound to Active Directory; on PCs the login goes fine.
    But when I renamed the login jonesp to jonespa, both users can log in to the Macs.
    Anyone have this issue too? There is a KB telling about this behavior?
    This happens on Macs running 10.7.* and 10.8.*.
    Thanks

    Sorry CT,
    The problem isn't with Active Directory, this only happens on Macs.
    The problem doesn't happen with Windows and Linux, only on Macs.
    Anyway thanks for your help.
    Regards

  • Active Directory & Keychain Password Sync

    We've been introducing some Macs into our Active Directory environment and I'm a little confused about how best to handle the local Keychain password.  We're joining systems to the domain so that users can use their network password to login to their Macs (accounts are setup as Admin, Managed, Mobile) and so far that is working great.
    It's my understanding that the password on the default login keychain is set automatically when the user account is created, so it would match the password the user first used to log in to the Mac. However, we have a password expiration policy here, so users are changing their passwords at least every 3 months. As I understand it, by default the login keychain password is static, so I'm concerned that users are going to either forget the keychain password, or assume it is the same as their network password, and be unable to unlock the keychain should they ever be prompted.
    I've tried enabling the "synchronize login keychain password with account" setting in Keychain Access, but this causes another issue.  When the user changes their network password, the next time they login to the Mac they receive a Keychain prompt asking them to enter their old keychain password in order to keep the keychain pass in sync.
    Is there any way to keep the keychain password synchronized to a user's AD account password without prompting them at all? Or is there an accepted "best practice" regarding the keychain in Active Directory?
    Thanks

    I've also written a blog post about this Topic:
    http://sccmfaq.wordpress.com/2014/01/23/azure-directory-sync-initial-configuration/
    www.sccmfaq.ch

  • Re: Active Directory Login to Windows 2000 Server

    Continuing http://discussions.apple.com/thread.jspa?threadID=1277356&tstart=0
    So we were able to bind the Mac to the Active Directory Domain once the PC admins created an ID for the computer in their "forest". However the user doesn't have access to all the directories that she does from her PC.
    The AD admin keeps saying the we need to "Map to the share" - Yes, he's from the past!
    So the user on the PC side belongs to a group called "torcomreg" that seems to give her access from the PC. She can access every other area except for the "Departments" share (we can see Departments and open it, but we see nothing inside).
    Does anyone know how to use "Mappings" and what does "Map UID to attribute:" mean? Are we supposed to enter a UID for this user, or the ID of the shared attribute? How do we get this person access to the directory or the group membership - I'm convinced that this needs to be done on the AD server - but I don't know the verbiage that the admin needs from us.
    Thanks in advance - taking over the enterprise on Mac at a time - literally in this case.

    You can write an applescript to mount the appropriate shares, then compile the script as an executable.
    Make executable script a login item for the user.
    It's been a long time since I wrote the script, so I can't recall the exact syntax, but it goes to the effect of
    tell application "Finder"
        -- "mount volume" is a Standard Additions command; it prompts for
        -- credentials, so no password has to be stored in the script
        mount volume "smb://server/share"
        -- repeat the line above for each share
    end tell

  • Managed users with Active Directory?

    Hi guys
    I was wondering if any of you can help me out. I'm looking to get an OS X Server 10.4 to act as a managed user server, with all the pros of Open Directory (i.e. Finder restrictions etc.) and user home directories on the Xserve's HD, but to authenticate through a Windows 2003 Active Directory server.
    I have been reading a number of sites and there seem to be two ways to do it.
    1) Bind the Xserve and the client Macs to the Active Directory and then on the PC server specify the home folders as a share point on the Xserve, i.e. \\Xserve\Users\Tom
    This way the Xserve is basically a file server.
    2) And I'm cutting this story short because I've only briefly read this one. But you can set the Xserve as an Open Directory master, somehow import the users and then remove the directory master role.
    I really need to be able to have the usernames and passwords live from the Windows Server due to passwords being changed every 30 days blah blah blah so I guess point 2 is out of the question.
    To be honest a yay or nay to the above would be a good start, could obviously save a lot of wasted time, but if anyone can recommend me a website or a pdf that will walk me through it.
    I've managed to get my laptop to authenticate to AD but can't get the home directories to work. Every time I log in with a user account it creates it locally on my HD. I do not have "Force local home directory" checked. I guess I need to configure LDAP to the AD server as well? I gave it a go and managed to get Address Book pulling users and emails from the AD server. I then performed a lookupd lookup on a user bob and found that the home directory was set to /Users/bob even though on my AD server I've set it to \\Xserve\Users\bob. Is this something I'm doing wrong with LDAP? If that's all it is I'll be able to get point 1 above working and it will all be good.
    I hope I've made this clear enough for someone to be able to help me.
    Thanks in advance for any help you might be able to give me.
    Tom
    1.25GHz PowerBook G4   Mac OS X (10.4.4)  

    With an OD master you could manage your clients at the group and computer list level.
    So when you setup the user's profile in AD, you mapped a network drive and provided the UNC path \\Xserver\Users\bob. You did bind the OD Master with the name Xserve? Also, by default it will use smb to connect, which you can change to afp instead in the AD plugin. smb will not create the home folder for you. You could try to create the home folder yourself in advance. (sudo createhomedir -a may do the trick)
    For troubleshooting purposes, you could create a share on the AD server and adjust the user's profile to point to it instead of the OD Master. Try and login and see what you get.

  • Migrate local OS X profile to Active Directory account

    I need to add our Macs to our Active Directory domain.
    How do I go about migrating their settings, preferences, and files to the new AD account?
    On my test system, when I signed on, it created a new profile and everything had to be reconfigured.
    How can I prevent this?

    Oh good! It's not just me...
    I raised this issue months ago when the version changed to 10.6.x and was told by Apple that Lion would fix it...
    It didn't; in fact it made it worse... the version of Snow Leopard on the Mac mini worked perfectly!
    I have had mixed results so far... Initially binding to my 2008 mixed-mode domain only worked if we specified a specific Domain Controller, and that has worked with a number of machines, our initial fleet of 5 machines for instance.
    A few weeks ago my Lion client was rebooted and on power-up it had lost its domain binding and nothing would work to get it back on. I'm now stuck using a mobile account version of my account...
    My new Lion Server just arrived and I'm following the same procedure and it doesn't work either, giving me fairly generic error messages like the one you initially mentioned that leave me confused... In the middle of this project we upgraded to 2008 DCs but are still running in 2000 mode...
    We are looking at swapping to Mac hardware for our client base and if this issue isn't resolved I cannot move forward; joining a domain is step 1 of a Windows install usually...
    Thanks
    Andrew

  • Open Directory Active Directory users want to know Is there a method?

    Help
    Open Directory with Active Directory users: I want to know, is there a method?
    Or can I make the Active Directory users available to share on the Open Directory?
    My goal is to use our school Mac computers with SSO

    If I understand your question correctly, using Active Directory with OSX, there are a few ways this can be accomplished.
    One way is by joining each Mac directly to Active Directory. This doesn't take advantage of the additional managed preferences available to OS X, but does allow AD users to authenticate on OS X. On each machine, one would open System Preferences > Accounts > Login Options > click Join next to Network Account Server. Follow the prompts and provide the domain name of your Active Directory deployment to join the system.
    Another method is to follow the steps above, but only after extending the Active Directory Schema to support the OSX-specific managed preferences. It's a mostly harmless operation and means that you'll have a single administration interface for both OSX and Windows systems. The AD Schema information is available from Apple Support, but may also be readily available on the Internet.
    Because our Windows team preferred to not change our AD schema any more than we already had, we used a different method. We created an Open Directory Master on one of our OSX servers, then we joined it as a member server to Active Directory. Next, we join all of our OSX workstations and laptops as members to the Open Directory domain instead of to Active Directory.  This way, SSO still works.  New user accounts are added to Active Directory and all managed preferences for OSX can be managed through the native OSX Workgroup Manager tool.
    I think there are some instructions in the User Management PDF (Mac OS X Server, User Management, Version 10.6 Snow Leopard) or in the Advanced Server Admin PDF (Mac OS X Server, Advanced Server Administration, Version 10.6 Snow Leopard) but not completely certain. This page might have the docs.

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few Macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon first login it asks if I want to create a mobile account, and I say yes. However, it doesn't work across a reboot.
    If I reboot the computer without a network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find active directory synchronization option under PWA settings >> Operation Policies
    1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
    3. On this page, you need to enter the Active directory Group which contains the users you want to sync and then click on save and synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the
    Synchronization Status section. It contains information such as when the last successful synchronization occurred.  If last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search
    for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.
