Mavericks Server – Populate OD with AD Users & Groups?

Setting up 'Golden Triangle' (or trying to). Mac server and clients bound to both AD and the Mac server, and we've managed to set up some device profiles which have been successfully pushed to the clients.  We can see the AD Users & Groups in the main Mavericks Server window, but have no real clue how to populate OD with them. At the moment Profile Manager by default can only see existing AD Policy groupings, rather than the actual AD Group structure. With well over a thousand AD users, do we have to add them all ONE AT A TIME to become bona fide OD users and groups?

After re-registering the device, deleting and adding the user again from/to the group com.apple.access_devicemanagement did the job. No error any more.

Similar Messages

  • Google drive does not work with specific group but works with all users group!!

    Hi,
    Why does Google Drive not work with a specific group but work with the all users group?
    My rule: Internal > external > all users = works fine
    But
    Internal > external > A group = not working !!

    Hi,
    If you require user authentication in Firewall policy rules, the clients must be Webproxy clients (for HTTP / HTTPS) or TMG clients (for TCP/UDP):
    http://technet.microsoft.com/en-us/library/bb794762.aspx
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • Batch Risk Analysis in Full Sync mode with special user groups not working

    Dear All,
    we start the Batch Risk Analysis job in Full Sync with special user groups (using Range). In the job log I can see that it selected fewer users than in jobs before. But after everything is finished (also the management job), when I go into Informer, it also shows me the user groups I have not analysed in the background job... It also shows me in the detailed analysis the date from a run before. And we have deactivated some risks - these are still in the analysis.
    Does anyone have information for me on what is wrong here?
    Best Regards
    Gabriele Herr

    too old..

  • 10.6.8 to Mavericks Server Upgrade loses Open Directory Users

    Hi,
    I have an OpenDirectory Master running OSX Server 10.6.8. An upgrade to Mavericks 10.9 has just failed.
    The server has about 50 OD users and passwords need to be retained across the upgrade. Apart from OD, the only other active service is AFP file sharing.
    DNS is good forward and back as per this article: OS X Server: Steps to take before upgrading or migrating the Open Directory database
    I followed these Apple guidelines for server migration: OS X Server: Upgrade and migration from Lion Server or Snow Leopard Server.
    I cloned the boot drive, booted from the clone, upgraded to Mavericks, then installed the Mavericks Server app.
    On opening the Mavericks Server app "Configuring services" showed for 5 minutes, but then an error message appeared. I did not record it exactly, but it was something like, "There was an error configuring the server. Certificate not valid!".
    I was able to continue through the error but on opening Server app there were no OD (local/network) users showing. Authentication was not happening.
    I had underestimated the time to get the installation done and I had used up the window of downtime I had booked - I did not have much time to troubleshoot. So, I cut back to the original hard drive and the server is back to 10.6.8 again.
    Can anyone point me in the right direction to find out what may have gone wrong? How can I get my users into 10.9 Server?
    Many thanks,
    b.

    Linc Davis's advice is spot-on, as usual.
    There seem to be dozens of sub-databases in the LDAP database. A problem in any of them seems to derail the entire conversion process. I tried a straight conversion and was also disappointed that there were unresolved issues, and it meant that the conversion failed.
    So I did the export route using WorkGroup Manager, and exported four sets:
    Users
    Groups
    Computers
    Computer groups
    Go to the appropriate pane (e.g., Users) and Select All, then choose Export, and give it a name (probably with an embedded date in case you need to do it again later).
    Then use 10.9 WorkGroup Manager (available as a separate download) to Import.
    When re-imported, everything worked just fine (except the passwords, which cannot be carried forward using this method). I did have to manually enable at least one service, such as File Sharing service in Server [admin], or users showed up as "not allowed" [to log in].
    This entire process of getting Server 3 to work is fraught with peril, and everything converges on ONE diagnostic, "Network users can't log in". Which means you blew it, but provides no additional information about WHERE you blew it.
    There do not appear to be any magic bullets. It is just a tough slog. Users who reported success after failing the first time reported they returned to fundamental principles and did all the steps over, in order, to attain success.

  • WGM creates new home folders with _unknown user/group, SA can't change it

    A little background:
    In our school we've got an Xserve (about 1.5 yrs old) that was having issues last year (the OD database pretty much ate itself). In August we did a clean install of 10.5, and updated to 10.5.3 (after suffering through the AFP/OD issues in 10.5.2). Because of the corrupt database from the last server, and the fact that a large number of our accounts have migrated through 4-5 iterations of servers from 9.2 on through 10.4.11, we created all new clean accounts by hand in WGM and moved the user files to the new home folders, changed user and permissions with SA to the new accounts and propagated that info to all the files for each home folder. Everything has been going fine since then.
    Until this week.
    The issue was discovered when we tried to create a new staff account (we created several accounts last week with no issue). In WGM everything looked fine. It created the account, assigned it to the proper group, and successfully created a home folder. The problem however was when we went into SA to change the permissions. We don't need everybody seeing everyone else's files, so we change the default group and everyone permissions to something more appropriate (don't even get me started on that gripe). When you navigate to the new home folder you just created in WGM, it shows the owner as _unknown (read/write) and group _unknown (read only... I think), Everyone (read only). Server Admin refuses to change the user or group. It doesn't matter whether you use the 'show users/group' dialog and drag the account, or whether you edit it manually and insert the short name or UID. When you hit save, it stubbornly reverts back to unknown/unknown for user and group. We've tried creating accounts with different templates, no template, different account names and UIDs, all with the same result.
    The odd part is that nothing in the OS has changed since we first set it up and created all the users. Nothing installed, nothing updated...
    We've stayed at 10.5.3 due to the disaster in one of the updates (10.5.5 I think) that many of our other local districts had with network accounts not being able to see their own library folders due to permission issues, as well as the AFP causing 100% CPU use bug reported with 10.5.5.
    A second, probably related issue is that when browsing home folders in Server Admin filesharing, any files our network users create seem to end up assigned unknown/unknown for user and group (as far back as October it seems). After searching around the net most of the day I came across a lot of info about the _unknown user issues for folks upgrading from 10.4, but these are all newly created 10.5 network users (not local) logging in and working in home folders on the server. The original owners can read/write/delete these files as normal.
    Any help would be most appreciated.

    OK... I find we were shot in the foot by one of our own.
    The quick answer: DO A GET INFO ON THE VOLUME WITH THE SHAREPOINTS! If the 'ignore permissions on this volume' box is checked... UNCHECK IT!
    Explanation: not sure how the ignore permissions box got checked, but I don't think it was done directly by human hands. We use Carbon Copy Cloner Ver. 3.something (not sure which at this point) to back up both our data (daily) and server (weekly) drives to remote storage. By striking coincidence, things started saving with _unknown user and group about the same time as crash reporter shows that CCC hosed itself. My guess is that CCC temporarily ignores permissions (as shown in the status when you do a clone) and then resets them to their original state. When it crashed, it looks like they were still set to ignore, so it happily set it back to that state every time it ran after that. Not sure why the account creation issue suddenly turned up after so long... In any event, it turns out that if you have sharepoints on a server volume, AND you set the OS to ignore permissions on that volume, BAD things happen (I'm not sure it should even be an option on a shared volume, but that's for the engineering folks to figure out) .... specifically, the symptoms above. If you log in as root (yeah, I know that's something you should never do) and uncheck the ignore permissions box on the volume, then log into WGM as root (yeah, yeah, I know... even worse) and set ALL of the Directory Administrator accounts to 'do not administer this server', and no change rights for the directory, save those settings, and then set them back to 'administer this server', and FULL rights to change the open directory, save again, and then WAIT until the drives stop going nuts... after that everything works fine.

  • Sharing a folder with specific users/group

    I am trying to make 3 different shared folders for 3 different groups on Windows Server 2008 R2. I have tried creating 3 folders in C:\, and then share it with the specific groups. The problem I have is that even though I have only given read and write permissions to the specific group members, the other group members (from the 2 other groups) can still read and write in that folder. Which is not supposed to happen. What am I doing wrong and how can I fix this?
    PS: I am quite new to this...

    Hi,
    As all access occurs locally, Share permission is actually not involved.
    I assume the purpose is to create a folder which can only be accessed by several members in all 7 users.
    Please note that if all users are local admins (in the local Administrators group), this will not work, as a local admin can always take ownership of a folder to gain access rights.
    If you (and other members in that group) are the only local admins on this computer, setting NTFS permissions will work.
    Again, if one of the excluded members has local admin permission, he/she can take ownership to gain access rights. 2 workarounds are "set password with a third party application" and "create a new volume for saving those files, and enable BitLocker encryption on that volume with a password".

  • I can not update a Windows Server 2008 R2 with Software Update Group in SCCM2012

    Hi all,
    I got some problems with update deployments these days.
    I am trying to configure SCCM2012 to update 1 Windows Server 2008 R2 (with Hyper-V / This server is in a cluster).
    Actually I have 4 other Hyper-V servers and I would like to add one more to the cluster, called Hyper-V5. To do that I need all Hyper-V servers to use the same Windows Updates.
    I created a collection for my Hyper-V servers and then a Software Update Group with all needed updates (checked the list of another HV-Server).
    I did a deployment on this collection using this new Software Update Group.
    I checked the Software Center's logs on the Hyper-V5 server and I saw that synchronization has a successful state.
    But there are no updates installed or displayed in Software Center.
    Here are some screenshots: Oh no, I can't post images because ... "Body text cannot contain images or links until we are able to verify your account." Waiting to be verified for months.
    Thanks for your help.

    Hi,
    Have you tried running the Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle actions on the client? Please check ScanAgent.log and PolicyAgent.log to see whether the client received the updates deployment policy.
    Best Regards,
    Joyce Li

  • Will Mavericks server ever work with windows 7?

    I want to buy a new content server for our small business. Today we use Snow Leopard Server on a Mac mini and it is running stable, but we are growing and need to have a faster system and faster disk access, and I have been looking at a solution with a Mac mini with a Thunderbolt Pegasus RAID. On paper it looks really interesting, fast and it would be great for our small business! ....BUT.. I have read tons of forums with people having problems with Windows compatibility.
    We use both Mac and PC in a small environment and the most IMPORTANT thing we need is a shared disk that works flawlessly with both Windows and Mac. I do not need lots of other OS X Server features such as mail, ftp, etc etc...
    So, will Mavericks Server ever work as a content server with Windows 7 Professional client computers? Or should I go for a Windows server (I would rather not since I do not like Windows)? Or maybe a NAS server is a better solution for content sharing/shared work disk?

    Hi jcar, thanks for writing in!  While the Canon BJC-80 printer will not work with the Windows 7 operating system, we have plenty of printers that are fully compatible! Please feel free to click on the link below to explore some Canon alternatives; we hope this helps!
    http://usa.canon.com/cusa/consumer/products/printers_multifunction/photo_all_in_one_inkjet_printers

  • How to find the database details from server audit specification with successful login group?

    Hi,
    We have created a server audit for successful logins. When we read the audit file using sys.fn_get_audit_file we find that all the fields related to the databases, i.e. database_principal_id, database_principal_name, database_name, are either 0 or null.
    Is there a method to find out which database the login is accessing from the server audit specification of the successful login group? Although the logins are reading and writing data to the databases, why are there no details of the databases?
    Thanking you in advance,
    Binny Mathew

    Hello Binny,
    The logins are used to connect to the instance and the access to the databases is performed via database users. So, once you connect to the instance via your login, the server level audit takes this action, records it, but without caring to which databases you want to connect after that.
    Unfortunately there is no similar action group on the database audit specifications, that can track which user connected to the DB, except if you are using contained databases in SQL 2012.
    Probably you can share why you need such information and if there is something else specific that you wish to achieve, so we can propose a different solution/audit configuration.
    Regards,
    Ivan
    Ivan Donev MCT and MCSE Data Platform
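
The audit setup discussed in this thread, as an added example that is not from the original posts: a server audit specification with `SUCCESSFUL_LOGIN_GROUP`, plus a database audit specification writing to the same audit so that later data access shows up with `database_name` filled in. The names `LoginAudit`, `LoginAuditSpec`, `SalesDbAccessSpec`, the database `SalesDb` and the path `D:\Audit\` are assumptions; the database specification records statements run in the database, not the connection itself.

```sql
-- Added example; all object names and the file path are placeholders.
USE master;
GO

-- Audit target: one file-based server audit shared by both specifications.
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = N'D:\Audit\');      -- directory must already exist
GO

-- Server level: successful logins. These rows describe a connection to
-- the instance, so database_principal_name / database_name come back
-- empty, as observed in the question.
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (SUCCESSFUL_LOGIN_GROUP)
    WITH (STATE = ON);
GO

ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO

-- Database level: record reads and writes by any principal in SalesDb.
-- Every audited statement produces a row, so scope this to the
-- databases (or schemas/objects) that actually need it.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SalesDbAccessSpec
    FOR SERVER AUDIT LoginAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::SalesDb BY public)
    WITH (STATE = ON);
GO

-- Read both kinds of rows back. Login rows carry the login name only;
-- data access rows carry the database and database user as well.
-- session_id and server_principal_name let you line the two up.
SELECT  event_time,
        action_id,                 -- LGIS = login succeeded; SL/IN/UP/DL = DML
        succeeded,
        session_id,
        server_principal_name,
        database_principal_name,
        database_name,
        object_name
FROM    sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
```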

  • Lync edge server for site with 2500 users

    Dear All,
    I have a question with regards to the implementation of lync edge server deployment.
    One of our clients has a Lync deployment with 4000 users in a central site with 3 FE EE and an edge pool with 2 Edge servers; they are planning a new site with 2500 users.
    What will be the best method for the site implementation? Shall we deploy an SE FE server and route all the external communication through the central site Edge server?
    Or is it required to have a separate pool for the site?
    Please help me.

    Agree with the others.  So, there's two questions, "what will be the best method for the site implementation?" and "is it required to have a separate pool for site?".
    The best method I'd suggest is use Enterprise Edition Lync so you can perform pool pairing for resiliency, and have a local edge pool as the others suggested.  You have enough users to support this, and with growth you might want to be able to scale up anyway.
    Is it required? Not at all.  You can send them all through the central site edge server, it's possible and fully supported.    It's up to you, but I'd suggest the separate pool.
    SWC Unified Communications

  • Terminal Server Licensing Problems with GPO Security Group License Server

    Hello,
    I have two fresh installs of W2K12R2.
    One is the RD Session Host and the other one is the License Server. Everything is fine until I activate the GPO Security Group License Server. After that the License Server gives no licenses to the clients (we have User and Device CALs). TS Licensing Diagnostics shows no errors, the number of available licenses is displayed correctly, even the state of GPO Security Group License Server is correctly shown as "active" and the membership in the group "RDS-Endpointserver" is "Yes". The event log shows no errors. Logging in on the session host is even possible, maybe because the RDS service is in evaluation time.
    If the GPO Security Group License Server is disabled again, the server starts to serve licenses as expected.
    I don't know what I can do anymore; I never had problems with exactly the same setup under W2K8, but with W2K12 this is the second time I have noticed this issue.
    Thanks for your ideas,
    Andreas

    Hi Andreas,
    Thank you for posting in Windows Server Forum.
    Sorry to inform you, but there is no official document for Server 2012 related to this event; you can go through the articles below for reference.
    You cannot use a security group to add computer accounts to the Terminal Server Computers group. You must add each computer account explicitly. To verify whether an RD Session Host server is allowed to request RDS CALs from the Remote Desktop license server, you can use the IsSecureAccessAllowed method of Win32_TSLicenseServer class. For more details about this method, click here.
    1. License Diagnosis tool returns error "License server <computer name> cannot issue RDS CALs to the Remote Desktop Session Host Server because the 'License server security group' Group Policy setting is enabled."
    2. Control the Issuance of RDS CALs
    Note: You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain.
    Hope it helps!
    Thanks, 
    Dharmesh

  • Work flow issue with correct user group

    Previously, user A could receive workflow email in his SAP mailbox; user B didn't receive workflow mail.
    The workflow is triggered in the receiving client from IDOC transmission.
    Now we have assigned user B to the same profile as user A, but user B still can't receive workflow email.
    How do we change the workflow so user B can receive workflow email? Is there any t-code used in configuration and testing? Thanks.

    solved

  • What happened to user/group preferences in lion server?

    I am installing Lion server and am using the new server admin tools.  The user/groups function is very different than Leopard/Snow Leopard.  Many of the parameters are missing.  We use the group preferences to restrict access to printers.  That function seems to be missing.

    jimshaughn
    The print service has been eliminated from Lion so the old familiar way is gone.
    However if you set up the Profile Manager service and then go to the management website of your server linked in the Server application, I believe you will be able to limit printers to specific users and groups.  I have not implemented it yet, but I do remember seeing those options in there when I began looking at it.  The difficulty with the Profile Manager is that it appears to require that the clients be 10.7.  The new abilities in Profile Manager are actually pretty nice and seem easier to configure than WGM / Server Admin in my cursory review of the settings and options.
    I am moving servers first so for me this is a bit of a challenge for me too since our clients are still 10.6.  I had to bring computers and groups into the OD via WGM which will still cover the old machines.  Control is split until all clients are up to date which is a little frustrating.
    Have you set up the printers on the server itself and then edited the users/groups from WGM on the server itself which may allow you to still add the printers attached directly?  It appears that you can still do that.
    Hope this helps.
    -Erich

  • BPC 7.5 - Domain User Group Not Work - Configuration Server Manager

    Hi Guys,
    I install BPC 7.5 from NW. From the PC client only work ok with the same user OWNER the BPC .NET. In Server Manager -> Option -> Define Systems User Group, I added the following data:
    - System user group name = Domain Users
    - Domain Type = Active Directory
    - Domain Name = BAIRES
    Is the syntax correct? Or do I need to use the form OU=xxxx?
    Thanks.

    OK, thanks. So I have another problem. I need to add users from different domains. How do I configure this?
    Tks

  • How do I add augmented records in Mavericks Server 3?

    This article: Mavericks Server Admin: Integrate with existing directory domains clearly indicates that you can "Integrate with augmented records."  I have found instructions on how to import augmented users from Active Directory into 10.6 Server, but I'm using a 10.9 Server and can't figure out how this is done.  Advice please?

    You can do that easily from Workgroup Manager by going to Server > New Augmented User Records.
    If you want to add all users, choose the group option and search for "domain users"; this way you can add all users from a specific AD group.
    Here is a screen shot
