New and Used Car Talk Reviews Hot Cars Comparison Automotive Community

The Largest Car Forum in the Philippines

Results 1 to 2 of 2
  1. Join Date
    Oct 2002
    IT gurus, sys admin, help naman..

    we have active directory service, and we need to implement group policies. pero karamihan ng computers namin eh iMac. meron ba group policies na mag work for Mac OS X? how to do it?


  2. Join Date
    Mar 2005
    eto binasa ko pero hindi kasi group since naka-network na 2 imacs + 1 windows laptop lang kami sa bahay. pero kahit papano na-aayos ko yun restricted access

    How to support Macs in an Active Directory environment
    Ryan Faas

    March 13, 2007 (Computerworld) Editor's note: When originally published this article said that by using dynamic user identification (UID) generation, users might be assigned a different UID number each time they logged onto a different Mac. We have confirmed with Apple that this is no longer the case; the story is corrected below.

    Supporting Mac users can be a challenge to systems administrators in a Windows Active Directory environment. Although Apple has used Samba to make it easy for Macs to browse and access shares and printers hosted by Windows servers using Microsoft’s server message block (SMB) protocol, true Active Directory integration requires more than just access to resources.

    For one thing, it requires support for an environment where users can rely on their Active Directory accounts for log-in to both Mac and Windows computers. Depending on your environment, you may also want to be able to implement security measures to limit what users may do while logged into a Mac or to manage the user experience as you would do with group policies for Windows machines.

    There are a number of solutions and approaches that you can take for integrating Macs into your Active Directory infrastructure, and I'll be talking about some of them here.

    Apple’s Active Directory plug-in

    The lowest-cost solution is to use Apple’s built-in Active Directory support. Beginning in Mac OS X Panther (10.3), Apple introduced a plug-in to its Directory Access utility that allows you to configure authentication against Active Directory. Apple’s Active Directory plug-in uses LDAP to query Active Directory.

    The Active Directory plug-in works fairly well. It supports forests with multiple domains, domain controller fail-over and can automount a user’s home directory. It can also grant users administrator access to a Mac workstation based on their Active Directory group membership. You can also enable mobile accounts for portable computers and designate a preferred domain controller if needed.

    The process of using the plug-in to join a Mac to an Active Directory domain is straightforward, and is similar to joining a Windows computer to a domain. You’ll need an Active Directory account with permission to join the computer to the domain; if the account was not created in advance, you’ll need authority to create it. You will also need to configure the search path of available directories to include Active Directory using the Authentication tab in the Directory Access tool. Mac OS X can search multiple directory configurations in a specified path when a user attempts to log in.

    Dynamic UID vs. static UID mapping

    One of the hurdles to integrating Mac OS X with Active Directory is that their directory services schemas are significantly different. One of the key attributes in the Open Directory schema used by Mac OS X is the User ID number (UID). As in other Unix systems, the UID is used by the Mac OS X file system to designate file ownership and permissions both for local and remote files.

    Each local or network user account used to log into Mac OS X requires a UID. But there is no directly correlating attribute in Active Directory.

    Apple provides a choice of two methods to providing Active Directory users a UID attribute. The first and default option is to dynamically generate a UID for each user when they log in. When this option is used, Mac OS X generates a UID at login based on the GUID (Globally Unique Identifier) attribute from the user’s Active Directory account. The second option is to choose an attribute that is included in Active Directory as the user’s UID. You can map any attribute, be it one that is part of the default Active Directory schema or one that is part of a custom schema extension.

    Using a static UID by mapping it to an attribute in Active Directory may prevent potential issues and it may be a solution that you have already implemented for other Unix systems in your network. However, it requires more effort. If you choose to map to an existing attribute, you will need to manually populate this number in each user account that will be used for Mac login. This can be a tedious process. If you choose to use an existing attribute rather than extend Active Directory’s schema, you’ll lose the ability to use that attribute for another purpose.

    Thursby’s ADmitMac

    ADmitMac by Thursby Software Systems offers several features that Apple’s Active Directory plug-in and Samba configuration do not. Like Apple’s solution, ADmitMac is based around a Directory Access plug-in.

    Most notably, ADmitMac fully supports Kerberos under Active Directory as well as signed LDAP and SMB communication and NT LAN Manager, enabling much tighter security with Windows 2003 Server. As such, it doesn’t require you to lower the default security settings of Windows 2003 Server. Apple’s solutions require unsigned LDAP and SMB communication.

    Also, ADmitMac supports an Apple-managed client environment. Like group policies in Active Directory, Mac OS X’s managed client environment -- sometimes referred to as MCX -- allows administrators to restrict access to Mac OS X system components and to create a highly customized user experience. ADmit enables several of Apple's client management features and does so using Mac OS X Server’s Workgroup Manager.

    To do so, ADmit Mac creates a file stored on a Windows share within the domain to hold all the MCX user information that would normally be stored in an Open Directory domain hosted by Mac OS X Server. However, Thursby’s own documentation admits that its client management approach isn’t perfect and that some actions may result in unexplained error messages or simply may not function without any indication of an error.

    Centrify’s Direct Control for Mac

    Centrify’s Direct Control is a series of solutions for integrating diverse platforms with Active Directory, including Mac OS X.

    Direct Control installs as a Directory Access plug-in under Mac OS X. When the server-side solution is installed on Windows domain controllers, it adds a series of group policy objects (GPOs) that can be used to manage the Mac environment. Direct Control offers a range of GPOs for security and user experience settings -- many of which mirror the options available using Mac OS X Server’s Workgroup Manager tool. It does this by integrating a local registry file copied to the Mac with Apple's MCX architecture. Direct Control also offers the ability to use smart cards for authentication.

    Direct Control offers the simplest and most full-featured Active Directory integration solution for Mac OS X. Because it relies on Active Directory’s group policy architecture, it functions more seamlessly for managing access than does Thursby’s ADmitMac, particularly for systems administrators who are unfamiliar with Mac OS X.

    Also impressive: It succeeds without modifying the Active Directory schema. It does not, however, offer the security of signed SMB connections, although it does support encrypted LDAP queries. It also works well with products such as Thursby’s DAVE to enable signed SMB communication as well as with third-party server-side solutions that support Mac OS X’s Apple Filing Protocol, which offers greater security than unsigned SMB.

    Using Mac OS X Server for additional client management

    If you want to take full advantage of Apple’s client management architecture, the best solution is to implement Mac OS X Server in your Active Directory environment. This can be the most challenging method of adding support for Mac OS X because Active Directory and Open Directory, Mac OS X Server’s native directory service, have very distinct schemas. They also share three matching attributes: username, password and home directory. This can make creating a fully integrated infrastructure a very big challenge because it requires extending the schema of one or both platforms.

    There is a method of offering partial Mac client management and access to other Mac OS X Server services under Active Directory that doesn’t require schema modification. The approach is twofold. First, join Mac servers and clients to Active Directory using Apple’s Active Directory plug-in. Second, create a directory search path on Mac servers and clients that searches both the Active Directory domain and an Open Directory domain hosted by one or more Mac servers.

    This configuration allows you to create computer lists in the Open Directory domain that contain Mac computer accounts from Active Directory. Management settings can then be enforced on those computer lists using Mac OS X Server’s Workgroup Manager with no further configuration.

    The same approach can be extended to groups of users by creating group accounts in the Open Directory domain and populating them with user accounts from Active Directory. This method isn’t perfect, and some client management functions may not respond properly, but it requires significantly less effort than modifying the Open Directory and/or Active Directory schemas. It can function as a temporary solution if you are planning to extend the schema but require an immediate solution while you do so.

Group policies for MAC