Managing Leopard clients with Tiger Workgroup Manager

Similar Messages

• Leopard Client to Tiger Server

  I currently have roughly 80 eMacs that all connect to a 10.4.10 server. I have upgraded one of the computers to leopard and now the workgroup management piece seems to not be working properly.
  I can login into the computer since it talks to AD for authentication but it doesn't not read the preferences from workgroup manager. (Blocked applications are able to be opened and shares do not mount)
  This all works on 10.4.11 with no issues.
  Please help.

  I finally got around to upgrading the Tiger server to 10.4.11. I have the same issue on the Leopard client of shares not mounting and applications (ie iTunes) being able to be opened. The other computers in the school all run 10.4.11 and the workgroup manager preferences work fine on those machines.
  This laptop was upgraded to 10.5 so I'm not sure if that's where the problem lies. Perhaps I should try a clean install?

• Manage clients with multiple workgroups

  In our business, everyone belongs to a departamental group, e.g. "Staff Accounts", "Staff Drafting", etc. Each of these groups belongs to a workgroup called "Access Company" that is a managed group that creates non-syncing mobile accounts and manages some other preferences upon login.
  There are some additional preferences we'd like to manage for select groups, but not the whole company.
  E.g. we wish to have some users use network accounts if they move from desk to desk, but not all users. We've set up a "NetworkUsers" workgroup for this, problem is, for correct access to file server volumes, etc. they also need to belong to "Access Company" group. When they log in, they are prompted which one of the two workgroups they would like to join. We don't exactly want to educate these users to select "NetworkUsers" each time. Is there a way instead to have a certain workgroup take priority over another? Or better, is it possible for different workgroups managed preferences to be combined, which would be even better, that way we don't have to copy all the managed preferences from "Access Company" group over to "NetworkUsers" each time we wish to make change to the managed preferences.
  Also, in combination with the "Access Company" workgroup, we wish to manage printers, however, we don't want to add all the same printers to the "Access Company" group because some of our users are at remote sites so don't want irrelevant printers showing up in their list. When we add somebody to a "Print something" workgroup, they will also be part of "Access Company" workgroup. Once again, ideally, we'd like to have the managed preferences combined, if not possible, we can add all the managed preferences from "Access Company" group to "Print something" group and have that single workgroup managing their preferences, but this takes time and when we wish to make a change to managed preference for the whole company, we'll have to update that change in each one of the workgroups in use, so combining managed preferences is definitely desired, otherwise, if really not possible, we could manage with only one workgroup per user, but once again, we're at the problem of them having to belong to the "Access Company" workgroup for file server permission, etc. and we don't want the box to pop up asking them which workgroup they want to join.
  Any ideas to get around this problem?
  If it's just a limitation of Mac OS X server 10.5, it's a pretty **** big basic lacking feature, and if so, is it better in 10.6 in which case it'll be worth upgrading.

  Solved my problem the proper way!!
  I read again that combining managed preferences from multiple workgroups is possible on page 6 of this document:
  http://images.apple.com/server/macosx/docs/L355774BWkgrpMgrTB.pdf
  My tests showed differently, but I eventually figured out why:
  Managed preferences will combine only between groups where one is a parent of the other. The child group's managed preferences overrides the parent group's managed preferences, but ONLY IF the parent group is an inherited group from the child group ONLY! (i.e. must be strictly hierarchical)
  i.e.
  If ChildGroup is a child of ParentGroup and the user is added to ChildGroup only, it will get the combined managed preferences of ChildGroup and ParentGroup.
  If the user is explicitly added to both ChildGroup and ParentGroup (instead of ParentGroup being inherited only), the preferences will NOT combine.
  If ThirdGroup is also a child of ParentGroup and the user is added to ThirdGroup and ChildGroup, then the preferences also will NOT combine - i.e. the parent group it wants to be combined with must be inherited through one group only. If ParentGroup is inherited from ThirdGroup, but also inherited from ChildGroup, no combining of managed preferences will take place.
  My solution was to keep my "Access Company" group only as a non-workgroup for file access and create a new workgroup with company-wide managed preferences to which each departmental group belongs to.
  Hope this helps someone who experiences the same problem!

• Managing Internet clients with non unique names

  I've got a wee complication which revolves around the fact the majority clients I am looking to deploy to are workgroup clients which have non-unique netbios/short names. 
  So when trying to manage said clients when looking at the Assets / Devices tab they for all intensive purposes appear identical - until I look at the properties of each item and look at the Resource Name - which will show the FQDN fo said machine.
  If I was able to select Resource name as a viewable field in the view this would fix my problem. Unfortunately all machines currently have the same Workgroup set so just displaying the "Domain" field will not suffice.
  Has anyone run into this issue and what can be done to work around it short of renaming all my intended clients? I've seen mention of creating your own Console custom nodes however this looks rather hairy.
  Any thoughts are greatly appreciated. Cheers.

  Also, I don't think that it will really help you, because the Devices
  node is build on the SMS_CombinedDeviceResources class and that WMI class simply doesn't contain the
  Resource Name property.
  In this case it would mean creating a whole new node in the console. Probably using a Query, or Report is the most simple and best workaround.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• How to enable Remote Management on multiple Macs using Workgroup Manager?

  Hi
  I want to use workgroup manager to enable remote management on multiple macs I manage.
  How can I do that?
  Regards,
  Omer Barel

  The only way I know to enable remote managment remotely is by running kickstart.
  http://support.apple.com/kb/HT2370
  If you are already using a login script you could run kickstart from there.
  We clone our Macs with remote management turned on.
  Otherwise, lace up your sneakers.   

• Leopard client on Tiger Server

  Hello All,
  I'm the sysadmin hat wearer at work. We're running PHD and OD for a collection of iMacs in the office here with Tiger Server and Tiger Clients, (runs well).
  However, we just hired a new guy and have a new iMac coming in with Leopard on it. I've seen posts out there saying there are a lot of problems getting a Leopard Client to work with a Tiger Server. Unfortunately our Tiger server config has been customized so much over the last couple of years that I'm just not ready undertake the upgrade on the server OS yet and will likely just buy a new server down the road anyway.
  My question is, should I downgrade the new machine coming in to Tiger or cross my fingers and try to make the Leopard client work with the Tiger Server, what kind of issues should I be expecting/watching for?
  Any insight would be much appreciated!

  Hi
  You may want to consult this post:
  http://discussions.apple.com/message.jspa?messageID=7295681#7295681
  Not entirely relevant but it does contain something that might be useful? You are only talking about one Leopard client so it should not be that much of a problem? Although how far you have customized your environment from the 'norm' - whatever that is - may affect how successful you are?
  If its a new model iMac I doubt very much if you can 'downgrade' anyway. Have a look at the mac specific system disks that come with it as that will be the lowest version OS that can be installed. You may be able to downgrade it with some effort if you really try - I doubt it - but what would be the point of that? 'Breaking' something to 'fix' an unknown is never really successful is it?
  As for posts mentioning problems? That is what the forum is for. It does not necessarily follow that you will see those problems. There are just as many - if not more - with little or no problems who - of course - don't post.
  Tony

• Internet managed preference no longer in Workgroup Manager?

  I've recently upgraded my elementary school xserve to 10.5 and thus the Server Admin tools, including Workgroup Manager. I'm noticing that the managed pref for Internet is no longer an option. In 10.4, I would set a default homepage with this function as well. Has it been moved or incorporated into something else?
  Also, how can I distribute a list of bookmarks and customized bookmark bar to 500 users? I use ARD but it seems to only send to machine, not user home folders. Perhaps I'm missing something? Thanks.

  Hi Mjmatul and forum folks.
  I did have the same problem too when I wanted to setup up an internet preference file for another group of users... There was a "+" button, which allowed me to add another preference file. (You will get a Open-file type dialogue when you click the + button).
  You need a "sample" file to which it bases the preferences on.
  So, I searched my own workstation (and other workstations, and our home directory server) for a "com.apple.internet" file.
  Once I located one, I used the "+" button to add it into Workgroup manager. I then removed all the other keys from within the Details area, other than the ones I wanted (e.g. default home page).
  I changed the value for the default home page key, and applied the changes, and that was it.
  Certainly a little messy (having to "find" your own preference file sample), but it did the trick for us.
  Hope that helps .
  Cheers,
  D.

• Can A Boot Camp Partition Made With Leopard Live With Tiger?

  If I downgrade from Leopard back to Tiger, will my Boot Camp XP partition still be bootable and recognizable?

  The short answer is YES. I say that because now all driver updates are offered by apple on the WINDOWS SIDE via Apple Software Update so you shouldn't need Leopard for that. This means that downgrading to Tiger should not affect the Windows partition and its contents.
  Be sure to back up everything before downgrading.
  Axel F.

• Leopard MDC with Tiger Clients?

  I'm well aware of the rule which states MDCs should be the same as, or no more than one version ahead of, the cleints.
  So far so good.
  Does this mean I can update the MDCs to 10.5.1 server whilst leaving clients on 10.4.11 for the time being?
  Trying to update the entire system in one go will spoil my Christmas!

  It is possible, if you're using the latest version (1.4.2). Won't work with an earlier version.
  Read the release notes for 1.4.2 -- it has specific instructions on exactly what configs are supported and how to upgrade to it.

• How to hide/disable Spotlight on a client by using Workgroup Manager

  Dear Apple Pro's
  I'm looking for a script or Policy whatever to hide/disable spotlight on a client. Iam using WGM for policy's to disable some applications, but I can not find an option disable spotlight on a client. I hide a lot directory's systemfiles but if I type in the spotlight "terminal" on the client and click on it the terminal will start.
  I've 400 iMacs on a school it makes me desperate.
  Hope to hear from you pro's!

  One possible solution might be to change the permissions on the Spotlight app on all client machines. The command would be:
  sudo chmod 600 /System/Library/CoreServices/Search.bundle/Contents/MacOS/Search
  That way only root can run Spotlight. One may be able to roll that out via a startup script, too.

• Permissions are not shown correctly in Get Info on Snow Leopard client, using Tiger server w/ ACL's

  Invoking "Get Info" on a file or folder which is on a shared volume hosted by a G5 running Server 10.4 fails to show meaningful permissions when done from a 10.6 iMac.  It says only that the user has "custom permissions", which is true since there are ACL's in operation.  However, the Owner and Group POSIX settings are not shown, only the Everyone setting shows, making it impossible to determine which user created the file (in order to resolve issues when permissions prevent intended action).  The same file or folder will show Owner and Group on 10.5 systems, as well as at the 10.4 Server itself, so we do have a workaround.  I have noticed, though, that I have run into permissions restrictions where I should not, such as creating a folder on a shared volume using a 10.6 system, and then not being able to save into that folder from the same system/user.
  Is there something about the implementation of ACL's in Tiger that confounds Snow Leopard's Finder?

  Hi,
  I did two things to get it working, and haven't taken the time to sort out which did it.  But it is working so it's good enough for me.
  First I followed TeenTitan's suggestion, and also checked "Allow printing from the internet".  I'm behind a firewall so not too concerned I'll get someone's odd photo on the printer.
  Second I went back to server admin, selected the queue under queues in the Print service, then selected IPP and deselected LPR.  Bonjour went grey but stayed checked.
  After this I see the printer with "@ server name" appended, and it added the printer drivers like it should.
  So all working well.

• Cant bind leopard clients to Tiger server

  Hi can one of you help me
  Im trying to implement an OD server into a small network, ive set up a small test network to try things out on which is a G4 Powermac with OSX server 10.4 a new imac running 10.5.5 and an old powerbook running 10.5.5
  i set up DNS and then setup open directory when i go to Directory utility on the clients and try to bind to the OD they seem to bind ok but then in the list it says server is not responding with a red circle
  if i go to search policy and remove the /LDAPv3/servername the light turns green but says server is responding normally. this server is not in you authentication search policy. Putting back in the line and the server is not responding
  Is this a problem with LDAP i dont know where to start, both clients say this

  I had the same thing... except mine was working last night and not this morning... that'll teach me for working too late!
  Anyhoo - I fixed it by disabling "Enable SSL" on the LDAP tab of the OD Master's Open Directory Setting pane, then rebinding the client (having ripped down and reset it's local Kerberos config - see http://support.apple.com/kb/TS1245) then re-enabling SSL on the Master. No idea why it worked (trying to figure it out now), but it did... give it a try.
  Note, this is not to enable SSL connections from the client to the Directory - that's a whole 'nother can of worms I'm opening as we speak, following http://www.afp548.com/article.php?story=20071203011158936.
  Good luck...

• Leopard Clients Take 10 Minutes to Connect to Tiger 10.4.11 Server

  I have a single Tiger server OS X 10.4.11, on a LAN with 5 Tiger Clients and 2 Leopard clients, all with up-to-date patches.
  My problem is, that ALL of the Tiger clients can access any of the server shares almost instantaneously, but when I try to connect a Leopard client the the server, it initially takes a minimum of 10 minutes! If I just click on the server <as displayed on the Finder SHARED tab>, the connection eventually fails. However, if I click on the "Connect as" button, after about 10 minutes, I get the user/password login, and the Leopard client connects immediately, and all the data on all the share points are accessible.
  But, if I don't actually mount a share point (i.e. see a the Network drive icon on the desktop), and use finder column mode to navigate through the shares, if I click on a local drive in the same finder window, I have to go through the whole 10 minute wait again before I see the user/password login.
  So my question:
  Why is it taking a minimum of 10 minutes for the Leopard clients to connect, where as the Tiger clients connect immediately?
  So, if anyone can help me trouble shoot or resolve the server settings so that the Leo clients can connect as quickly as the Tiger clients, I would be extremely grateful.
  BTW - I followed the setup instructions precisely as per the Linda.com *+Mac OS X Server v10.4 Tiger Essential Training+* CD.
  TIA
  Gary
  All the shares are setup as:
  General:
  Share this item and its contents.
  Access:
  Owner=Root (Read & Write);
  Group=Staff (Read & Write);
  Everyone (Read Only);
  No ACL
  Protocols:
  Apple File Settings:
  Share this item using AFP;
  Allow AFP guest access;
  Custom Name=<unique name>;
  Default permissions for new files and folders=Use standard POSIX behavior
  Windows File Settings:
  Share this item using SMB
  Allow SMB guest access
  Enable strict locking
  Default permissions for new files and folders:
  Assign as follows: Owner=Read & Write; Group=Read & Write; Everyone=Read Only
  FTP Settings
  Share this item using FTP
  Allow FTP guest access
  Common FTP name: <same unique name>
  Network Mount
  Where: LDAPv3.127.0.0.1 (locked)
  AFP is setup as follows:
  General:
  Enable Bonjour registration
  Access:
  Authentication=Standard
  Enable Secure connections
  Client & Guest connections=Unlimited
  Logging:
  (Everything); Archive every 7 days
  Idle Users: (nothing checked
  All staff members are defined as part of the "staff" group.

  Windows File Settings:
  Share this item using SMB
  Allow SMB guest access
  Enable strict locking
  Default permissions for new files and folders:
  Do you have any Windows clients on your network? If not turn OFF the SMB server and change the settings here so there is no SMB sharing.
  FTP Settings
  Share this item using FTP
  Allow FTP guest access
  Common FTP name: <same unique name>
  Do your users access this sharepoint with FTP from inside your network? If not, stop the FTP server and change the settings to not share this via FTP.
  General:
  Enable Bonjour registration
  Turn this off for all sharepoints. If you have no Bonjour-only printers -like some of those POS HP color Laserjet 26xx or 36xx series- enter this in Terminal.app or through the 'Send UNIX command...' in ARD to all of your Leopard clients:
  launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
  user should be root if sent from ARD, prepend 'sudo' (without quotes) if in Terminal.app or if you're using an admin username from ARD. This turns off Bonjour.
  Also, in WGM, look at each individual user account and see if the 'Primary Group ID' is listed in the 'Other Groups' list. If it's not, click the '+' sign and drag the user's primary group into the 'Other Groups' list and then save. You can 'shift-click' and select groups of users and add the group to them all at once if they are all in the same groups.
  Access:
  Authentication=Standard
  Change the access to 'Any Method'. If your clients are all bound to the OD master and the sharepoints are listed in the directory (meaning Kerberos SSO works for all clients and users), the clients will try Kerberos first and anything else -like DHX authentication- if that fails. Also, if you are managing your clients with MCX you should have those shares mounting before log-in -meaning at startup- using guest access or at login with the username/pass.

• Using fullstop (period) in shortname in Workgroup Manager

  Apparently in Mac OS X 10.3 Panther Server, using a fullstop in a users shortname was a 'bad thing', see http://support.apple.com/kb/TA20836?viewlocale=en_US
  Obviously Panther is out of date, and I am not using it, but I would like to know if this is still an issue for Snow Leopard Server. Interestingly, Workgroup Manager for both Tiger 10.4.11 and Leopard 10.5.8 Servers deliberately tries to stop you creating a shortname with a fullstop in it, although I have found a workaround for that, but Workgroup Manager for Snow Leopard Server does allow you to use a fullstop.
  Why do I want to use a fullstop in a shortname?
  Well, Mac OS X Server uses the shortname in conjunction with the mail server to authenticate email users. It is however also used to generate the primary email address of the user. Therefore if you want an email address to look like [email protected] you would need a shortname of john.smith hence the need for using a fullstop.

  Antonio Rocco wrote:
  Hello John
  I'm not sure if this is a problem as such? You could have short names with full points separating the first and last names. It's only the first short name where that was not possible. You can add as many short names as you like thereafter with full points wherever you like them. Any of them can be used to generate the email address. As I recall this was the case with 10.3, 10.4 and 10.5. I've not had chance to use 10.6 yet but I would imagine it would be the same?
  Having multiple shortnames is what I am trying to avoid. Doing so is an administrative overhead, increases the possibilities of duplicates/conflicts, and worst of all increases the amount of spam users would receive since they would get emails (spam) via each shortname they have defined.
  As per the KB article I linked to, it was clearly a 'bad thing' in Panther Server to use a fullstop in the (only) shortname, but it is not clear if this is still an issue for Tiger, Leopard, and especially Snow Leopard. As I also indicated Tiger and Leopard try and prevent you doing this, but the article does not say if it is still a problem for them. However Snow Leopard Server does let you use a fullstop in the first (only) shortname.
  I am trying to establish if this change in behaviour of Snow Leopard Server indicates Apple now feel it is no longer a problem, or is merely a mistake.
  Ah! Page 67 of the (now available) Snow Leopard Server User Management manual, says shortnames can contain A-Z, a-z, 0-9, _, -, and . (fullstop/period). As this is consistent with the new changed behaviour of Snow Leopard's Workgroup Manager it looks like it should be safe to use fullstops in shortnames on a Snow Leopard Server.

• Can't add Computer or New Computer list on 10.3.9 Server Workgroup manager

  I have a 10.3.9 server with Open Directory running. I can manage user and group preferences (Workgroup manager v2.0.1) but can't add a computer or new computer list because the option is disabled. If I connect to it's open directory from another server running 10.3.9 and same version of Workgroup Mgr, the new computer list and adding computers is enabled. This other server is in another subnet and not typically available for use by the network admin of the problem server. Any ideas to get the computer management enabled?

  Hi,
  an additional discovery I made:
  Take the account "A", which is functioning on these two "problem-clients". I change the password from "123456" to "abcdef".
  I try to log in this account with one of these two Macs... -> does NOT work
  I try to log in this account with another Client (w/o problems) -> does work
  I change the password back to "123456"
  I try to log in this account with one of these two Macs -> does work
  I deleted the accounts and created new ones. The accounts work fine on every Mac despite these two machines.
  It looks like these two clients are not updating the directoryservice information.
  So I tried to get a look, which information is readable at the client machines (which are making the trouble):
  lookupd version 369.5 (root 2006.12.02 12:00:25 UTC)
  Enter command name, "help", or "quit" to exit
  userWithName: test
  Dictionary: "DS: user test"
  lookupagent: DSAgent
  lookupvalidation: 1195423412
  gid: 1025
  home: /Network/Servers/xserve/Volumes/DATA/HomeDir/test
  name: test testuser Test User
  passwd: ****** ******
  realname: Test User
  shell: /bin/bash
  uid: 1026
  + Category: user
  + Time to live: 43200
  + Age: 0 (expires in 43200 seconds)
  + Negative: No
  + Cache hits: 0
  + Retain count: 7
  I gathered this information on the client, which can NOT log into this account. I can try all new or changed accounts, all are visible to the client....
  Does anybody here unterstand this?
  • the used accounts are all ok
  • other accounts work fine on this two machines
  • the problem only occurs on changed or new accounts.
  • reverting the changed accounts to the old state: the accounts work again
  Regards
  svenc