Mac - Active Directory limitations?

Hi,
a client of mine has a 99% Windows environment based on Windows 2003 AD architecture. The last percent are Macs and Apple claims : "...Mac OS X builds in support for all of Microsoft’s proprietary Active Directory services". And then "..This means Mac computers work with Active Directory in much the same way Windows clients do...".
This sounds very good to me, but are there limitations for the Mac user regarding the AD services that the Windows client gets? Or is the Mac a 100% full member of the AD as the PC?
TIA
/Mans
iMac G5, iMac 450 DV, iBook 300   Mac OS X (10.4.8)  

This page should answer all your questions:
http://macwindows.com/AD.html

Similar Messages

  • How to set up Wireless Clients MAC+Active Directory based access

    Dear Gents,
    I want to set up Wireless Clients MAC+Active Directory based access on AP 1242 standalone Wireless series.
    Steps I have configured:
    1) SSID manager, under Open authentication: Selected with EAP.
    2) Under advanced Radius:
    MAC Address  Authentication
    MAC Addresses Authenticated by:
    Authentication Server Only
    3) Server Manager: Current server list
    added the radius ip address 10.1.200.x
    EAP  Authentication
    MAC  Authentication
    Accounting
    Priority 1, 2 and 3 for each: drop-down list of < NONE >, 10.113.253.10, 10.1.200.234, 10.8.200.15, 10.15.200.15
    From ACS - Radius we have chosen a Group x (named Mac-address group).
    All the wireless client (laptop) MAC addresses are added using the add username option, entering the username
    as the MAC address and entering the MAC address as the password in the second option of the password tab.

    Hi Akber,
    I think you didn't understand what I was trying to say here :-( No problem, I will explain my theory again. Your requirement is to authenticate users from the ACS internal database (you have already added the MAC address as the username in your ACS internal database) as well as from the ACS external database (in your case this is AD).
    What I was saying is that when an authentication request comes to the RADIUS server, it checks its internal database, and if it finds a valid username and password (here it will be the MAC address and password which you have entered into the ACS database), the ACS will not query the external database (in your case the AD) for authentication.
    You cannot have ACS look into both the MAC and AD databases at the same time.
    Hope this clears your doubt.
    Regards
    Najaf

  • Mac on Windows network issues (Active Directory)....

    I have a couple of Macs on a Windows domain in the school I work in. I'm able to get them to bind to Active Directory and I can log in fine. However, this is where 2 of my problems start. Maybe it's an OS X issue, maybe it's a Windows Server issue. Both Macs are running Mac OS X.5.6.
    1. When everyone logs in they're supposed to get their own shared drive (referred to as their H drive). This drive does map, but in the Dock only. So I went to the Finder menu and selected Preferences and told Finder to display Connected Servers. It shows the network drive, but it's not my H drive. It's the actual folder that my H drive is housed in. To kind of draw a picture here, my H drive is housed in cscsadmin as are other administrators and IT personnel. So when I log in using my username and password it will show my H drive in the Dock and I can see all of the items in that drive, and on the desktop the cscsadmin drive is mapped instead of my H drive.
    If I log in as lab it will log in fine, but show the lab shared drive (they don't get H drives) in the Dock but show cscsteachers on the Desktop as that's where the lab share is located. So it's not just limited to 1 particular user. This is a systemwide issue for the Macs only.
    Anyone have any ideas as to why it shows the folder that houses the shared drive instead of the user's drive? I know this used to work fine because I've done it before, but that was back in the days of Mac OS X.3. Back then users' H drives showed fine on the desktop.
    2. My other issue is that when I'm using one of the Macs on the network (remember it's a Windows network primarily) every time someone goes to print it comes up and asks for a username and password. So printing always prompts for a username and password. This is causing issues because people are checking the save in keychain box so they don't have to type the password in every time, and if they screw up their credentials it saves the wrong credentials and won't let the user print anything on that Mac. I need to figure out why printing always asks users for their credentials to print.

    There is a known bug with printing in that it doesn't cache the Kerberos credentials properly. So it requires you to reauthenticate every time.

  • Binding MAC 9.X workstations to Windows 2003 Active Directory

    Hello all,
    Has anyone achieved success with adding/binding Mac 9.X workstations to Microsoft 2003 Active Directory? We have 25 iMAC 9.2.2 workstations (we cannot upgrade to MAC OS 10.X because of hardware limitations) on a Windows 2003 SP2 network. I know that it can work with MAC OS 10.X but I am looking for an OS 9.X solution.
    I want to be able to apply security, printer scripts for the MAC computers using the 2003 Active Directory.
    Thanks
    17" Powerbook G4   Mac OS X (10.4.4)   2 gb ram

    You don't need to do anything in AD other than create the user you want to log onto your Mac.
    http://www.makemacwork.com/bind-to-active-directory.htm

  • Project Server 2010 - Active Directory Enterprise Resource Pool Synchronization limitations

    Greetings again.
    I have a quick question about the limitations of Active Directory Enterprise Resource Pool Synchronization.  Specifically, what has your experience been with extremely large numbers of users (10k plus).  Is anyone aware of a practical limit of users in your AD group you would recommend when using the Schedule Synchronization feature on a nightly or weekly basis?
    There is a caveat to this question however.  The client has decided (perhaps for some misinformed reasons) to allow access for every user, to every project site, within their PWA environment.  They’ve selected the View Project Site option within the Categories for the Team Members PWA Group for which 90% of their intended users reside.  So when we ran a couple test syncs in DEV with a smaller AD group of about 8,000 users, the sync understandably lasted upwards of 18 hours.  Obviously unacceptable for a PROD environment on a nightly basis and not necessarily ideal for a weekly sync either.
    Experience in addition to documents like these, “Best practices for managing a large number of resources in Project Server 2010” tell me that we are way over the practical limit of a scheduled resource pool synchronization...IF the client really desires that all users access all their sites.  But before I submit my recommendations, I wanted to check with the community just in case others may have found a way to synchronize large numbers of users (10k plus) on a nightly or weekly basis, within a reasonable time frame AND allowed all users to access all sites within PWA.
    What do you think?
    As always, thanks for your help.
    Chris Addis - MCTS

    Hello Hrishi.
    My delayed response has been due to a large amount of testing we have been performing on this particular topic.  Here is an update, please feel free to provide feedback.
    We went back to testing and spent more time reviewing the documents: Best practices for managing a large number of resources in Project Server 2010 and SharePoint Server 2010 capacity management: Software boundaries and limits.  Our team interpreted those documents as saying, 1,000 security scopes per site is a recommended limit.  It does not say it’s a hard limit, just a recommended limit.  “When the recommended unique security scope boundaries are exceeded, performance issue can occur.”
    So we decided to perform some tests (31 in total) to try and get a gauge of what we are seeing.
    We needed to establish a baseline first.  So we performed a series of 23 Active Directory Resource Pool Synchronizations with various settings in a clean, Out of the Box, environment in order to see some consistent numbers.  Here is its summary:
    Our AD group of 8,000 users took about 32 minutes, on average, every time to sync.  The difference between the first sync and last sync differed only by 1-3 minutes.
    Adding 40 project sites increased the average sync time from 32 to 120 minutes.
    Adding 100 users to each of those 40 project sites, did not increase the sync times.
    One setting (identified at this time) reduced the synchronization time.  It was the Project Site Permissions check box found within the Project Web App > Server Settings > Project Site Provisioning Settings area.  By deselecting this check box we reduced our synchronization time back to the 32 minute average.
    The View Project Site check box within the Project Web App > Server Settings > Manage Groups > Team Members group had no apparent effect on the sync times besides what we had gleaned from the Microsoft documentation.
    Naturally, this left us with a problem.  As I’m sure you know, by deselecting the check box (Project Site Permissions), our project sites are now (figuratively speaking) orphans with no connection to the parent site.  This generates a new set of issues.  For example:
    Newly created project sites cannot be accessed by the owner and team members.  They will require someone like the farm admin to come in behind them and add the intended users to the project site along with their required permissions.
    All current and future sites will no longer have users added via the standard method of building a team and publishing the project, but will have to be added manually.
    You can use the Synchronize option found within Project Web App > Server Settings > Project Sites page, but that kinda defeats the purpose.  It would require constant updating on a per site basis to keep up with PM changes.  Not very sensible, but it does work.
    With this baseline information, we moved our tests into our DEV environment which somewhat mimics our PROD environment.  This environment has 352 project sites and we performed 8 tests.  This is where we had some large sync time numbers. 
    Here is the DEV test summary:
    With the Project Site Permissions check box cleared, our AD group of 8,000 users took on average 30 minutes to sync.  This was in line with our baseline times.  With the exception of one test sync that took 99 minutes to complete. 
    That anomaly is acquiescent with what I’ve seen over the years.  Sometimes syncs do some unusual things.
    With the Project Site Permissions check box selected, our AD group of 8,000 users took on average 690 minutes (11.5 hours) to sync.  Unacceptable of course.
    So here’s what we’ve learned when dealing with extremely large numbers of active directory users in your Resource Pool sync:
    We did not see a decrease in subsequent sync times after the initial Active Directory Resource Pool Synchronization as some might expect.
    Our attempt to decrease sync time via the option of removing the View Project Sites was not successful.  (Unless we interpreted Microsoft's document incorrectly.)
    However, our interpretation of the recommended software boundaries and limits of SharePoint Server 2010 as it pertains to security scopes per site at 1,000, appears to be correct.
    Using the option of clearing the Project Site Permissions does produce a reduction in AD sync time, but at a cost of segregating your project sites and thus the creation of new processes of maintaining them.
    I’ll remind others that these results are particular to our environments, there may still be exceptions yet to discover.  Others may see numbers contrary to ours.
    The biggest surprise to some members on our team (myself excluded) was that we did not see a reduced sync time after any of our initial syncs.  Some are under the impression that after your initial sync, you should see reduced sync times.  I haven’t found that to be the absolute case in all situations, just in some situations.  The reason for this still eludes me.  Any thoughts would be appreciated.
    I’ll let this sit a bit longer, but if no one disagrees with the results, I think we have our answer:
    The number of project sites directly affects your Active Directory Resource Pool Synchronizations if you are using the Project Site Permissions option.  If you plan on synchronizing over 1,000 users and you have a large number of project sites, proceed with the knowledge that you may have performance issues and long sync times.
    As always, I’d love to hear from you or others just in case I’m missing something.
    Chris Addis - MCTS

  • How to create mailboxes under mac os x 10.6.4 either using ldapv3 or windows active directory?

    hi,
    I'm working on the mail server of our company. The plan is to implement the built-in mail server feature of Mac mini OS X 10.6.4 using either LDAPv3 or preferably our existing Windows Active Directory users.
    I was able to set up Open Directory and can view the user accounts from AD. My problem is I do not have any clear documentation or manual on how to create mailboxes using either AD accounts or Mac LDAPv3. I already checked the manual of Mac OS X mail service administration and have found none pertaining to this case.
    I would really appreciate it if someone can give me a reference on how to do this. As of now I'm quite desperate because I have a deadline for this project.
    thank you in advance for your help.

    You said, "A 2014 iMac can't run either Snow Leopard or Lion." I know that. What I want to know is how I can install Lion or Snow Leopard on a peripheral hard drive, NOT on my iMac.
    – Larry

  • How to set permissions on a file for a Mac without active Directory

    We don't have our Macs in the Active Directory, we are looking to share an external hard drive to only Macs and not the Windows PC's on the network with out using active directory. I have tested sharing the external hard drive from a PC to everyone and both the PC's and Macs can access this, but we only want the Macs to see this and access this and not everyone. There is no selection for sharing with the computer name in the Share permissions so the only way to do this is to share it to everyone. The Mac accounts are local to the Macs and the PC's are on Active Directory so what i need to do is have a way to share this folder with only Macs and not all the windows PC's. Any solutions, any ideas will help
    Thanks

    hi
    good
    go through these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/b4de3f68d48f15e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/be/0de03f41b9eb06e10000000a1550b0/content.htm
    thanks
    mrutyun

  • Window Active Directory users cannot see home drive when logon to Macs

    This problem just occurred, so that tells me either 10.4.9 has done it or a security update to Windows 2003 Server.
    Looking for any tech savvy network guru to help.
    Windows 2003 Server houses active directory. Users in the past were able to log on to a Macintosh computer and their home drive would appear on the desktop.
    Now 'all of a sudden' any user that logs onto a Macintosh computer with an AD account does not see their home drive on the desktop.
    Has anyone else had this problem? Any suggestions on how to resolve it? I haven't unbound the Mac from AD yet; will try that tomorrow.
    JTS

    Fixed this...a corrupted keychain item that contained the user's prior used network password was the culprit.
    Once I deleted the corrupted keychain, Active Directory users can log on to a Mac and see their home directory on the desktop.
    JTS

  • How to change password in Active Directory from a Mac

    When logging into Active Directory I can enter my password without a problem, but I am required to change it periodically and I can't see an option for changing the password. Does anyone have experience with this on their Mac when accessing Active Directory?
    Thanks

    In the accounts section of system preferences there should be a Change Password… button next to your account picture. That's how we do it in Tiger, but it should work in Leopard too.

  • Active directory issue regarding time (DST) - Cant bind any Macs to 2000 AD

    I am working with a new server at a small mostly Windows based school district. I am here to do a small AD/OD integration with nothing out of the normal. They are using Windows 2000 server and 10.4.11 with all the current software updates. I tested binding to their AD several months back and it ran without a hitch. Now, today when I attempted to bind their new Intel Xserve running 10.4.11 to their AD, it fails yielding the "Active directory only permits slight variations between the clocks..." error message.
    I have seen this before and the message has always been very descriptive in describing the problem (time is off on one end or the other). The issue here is that the machines are all running within a second or two of each other. I verified this myself several times on all the AD servers, each Mac client and the Mac server. I also checked other normal pitfalls and could not find anything. I can reproduce this error on 10.4.11 server, 10.4.11 client and 10.5.2 client (my laptop) so it's not any specific install of OS X, it's something in AD.
    Is there any chance that this has something to do with the recent changes to daylight savings time? The on-staff admin at the district manually moved the time ahead one hour on Monday morning to bring the Windows system up to the current time. As I stated before, this district uses 2000 server. MS does not support 2000 any more and has not issued any updates regarding the recent daylight savings time changes. I have done a ton of searching and I have not been able to find any other mention of such an issue, as I would assume that it would be rather widespread.
    Any help would be appreciated. Thanks!

    Hi
    You can extend the time difference from the default 5 minutes to 10 minutes. This is done on the AD Server either using the GMM or the DMM. This might help with the issue you are seeing.
    Failing that you could point the AD to an internet based time server along with everything else on the network OR make everything on the network use the AD as the time server.
    Apologies if you have already tried this, Tony
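
One way the situation in this thread can arise, as an added example that is not part of the original posts: Kerberos compares timestamps in UTC, so hosts whose displayed clocks agree to the second can still be an hour apart when one of them applies outdated DST rules. The host names, the date and the US Eastern offsets below are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Default tolerance mentioned in the reply above (5 minutes).
MAX_SKEW = timedelta(minutes=5)

# Constructed sample: the time each host displays, and the UTC offset that
# host's own time zone rules apply on that date. Names, date and zone are
# assumptions for illustration, not values from the thread.
HOSTS = {
    # DC without the new DST rules: still on standard time (UTC-5), with the
    # clock moved ahead one hour by hand so the display looks right.
    "dc-win2000": (datetime(2008, 3, 10, 9, 0, 1), -5),
    # Macs with current rules: daylight time already in effect (UTC-4).
    "xserve-10.4.11": (datetime(2008, 3, 10, 9, 0, 0), -4),
    "laptop-10.5.2": (datetime(2008, 3, 10, 9, 0, 2), -4),
}


def utc_instant(wall_clock, offset_hours):
    """UTC instant a host believes it is, from its display and its offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return wall_clock.replace(tzinfo=tz).astimezone(timezone.utc)


def compare_to_kdc(hosts, kdc):
    """Compare every host with the KDC, on the display and in UTC.

    Returns {host: {"wall_diff_s", "utc_skew_s", "accepted"}} where
    "accepted" means the UTC skew is within MAX_SKEW.
    """
    kdc_wall, kdc_offset = hosts[kdc]
    kdc_utc = utc_instant(kdc_wall, kdc_offset)
    rows = {}
    for name, (wall, offset) in hosts.items():
        if name == kdc:
            continue
        wall_diff = abs(wall - kdc_wall)
        utc_skew = abs(utc_instant(wall, offset) - kdc_utc)
        rows[name] = {
            "wall_diff_s": int(wall_diff.total_seconds()),
            "utc_skew_s": int(utc_skew.total_seconds()),
            "accepted": utc_skew <= MAX_SKEW,
        }
    return rows


if __name__ == "__main__":
    for host, row in compare_to_kdc(HOSTS, "dc-win2000").items():
        verdict = "ok" if row["accepted"] else "rejected: clock skew too great"
        print(f"{host}: display differs by {row['wall_diff_s']}s, "
              f"UTC differs by {row['utc_skew_s']}s -> {verdict}")
```

Comparing the output of `date -u` on each Mac with the UTC time the domain controller reports shows whether this is the case on a real network.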

  • Add a mac to an active directory group using a script?

    I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the device to an Active Directory group.
    Thanks in advance...

    I think I misunderstood your question.  If you are trying to add the computer record to a location other than the Computers container, then just change your binding script to target the folder you want.  Remember that the user account you are using to bind must have access rights to this folder.
    For example, the sample command from the man page shows you how.  Say you have a subfolder inside Computers called Macs.  You would do this in your binding script.  Note the notation of an organizational unit within the Computers container.
    dsconfigad -a ThisComputer -u "administrator" \
        -ou "CN=Computers,OU=Macs,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com
    Is that what you are looking to do?

  • Best way to integrate Mac OS X client with Active Directory

    Hi hello
    What is the best way to integrate a Mac OS X client with Active Directory? I have one Lion Server.
    For the Mac client I want the Mac to use Active Directory for authentication and Lion Server to manage preferences.
    Tell me, in Lion Server is the magic triangle good for what I want to do?

    If you have a need now and that need will remain serviceable long enough to justify the investment, then go with Lion Server and do the Magic Triangle.  This is nothing more than binding OS X Server to your AD domain and kerberizing services.  Then bind your workstations to AD first, then OD.  Make sure you download Server Admin Tools for Lion.  This gives access to Workgroup Manager.  That is where you will manage your OS X settings.
    If you are managing more than 50 Macs that need a lot of continued management, then look at JAMF. 

  • Mac OS X Server and Active Directory Replica

    Hello,
    Has anyone ever encountered any problems when making a Mac OS X Leopard server an Active Directory Replica? We're working on this project and we want to make sure that we don't mess up our primary AD server when we configure this.
    Thanks so much,
    Mac man of the Bay

    Hi
    Not sure what you mean by Active Directory Replica? If you mean you want your Mac Server to be the BDC to a Windows-based PDC then no it won't happen. OSX Server can only perform as a Domain Member when a Windows Server is the PDC. Neither can you have a Windows Server as the BDC when the PDC is an OD Master - as far as I know.
    Have you downloaded and read the manual?
    http://images.apple.com/server/macosx/docs/OpenDirectory_Admin_v10.5_2ndEd.pdf
    Briefly: OD Master/Replica relationship can also be PDC/BDC only if both boxes are OSX.
    Tony

  • Macs Lose Active Directory Binding

    We run 10.5.8 and use Deploy Studio 1.0.rc12 for imaging. We run several Mac labs here all with basically the same image. Lately, they have been un-binding themselves from our Active Directory and we can't get them to stay reattached. We try manually and have flushed the DS Cache etc. Removed the Server Policy and so forth. Nothing has worked to date. I do see over the internet that there are many problems of this sort, but none of those fixes have worked for us. Any suggestions would be greatly appreciated.
    Thanks
    Chris

    Hi
    You don't have to do it if you don't want to but it would be helpful if you posted the solution. That way others looking to fix similar problems can find it more readily.
    Tony

  • Binding Mac to a Windows 2000 server (Active Directory)

    I have been trying to connect various Mac machines on my campus to the Active Directory on a Windows 2000 server, and I've been getting various errors. In one lab I have some iMac10,1 machines running Mac OS X 10.6.2, and in the other labs I have lower versions on the Mac Pro. I have seen on other forums where others were able to bind the Mac machine to Windows 2003 server, but no one mentioned Windows 2000 server. Please tell me if it's possible to add these machines to a Windows 2000 server platform.

    Hi,
    What is the matter? Is it a difficult problem, or is it impossible to do that?
    Please, if someone has any idea about this, tell me.
    Thanks in advance.
