Hello all!
We're running an MS AD system for user authentication on our Mac clients, and we were having a bit of trouble with group lookups. We finally tracked it down to the fact that the '/all domains' authentication search path wasn't actually picking up all the groups for some reason, and some of our groups were under '/[DOMAIN NAME]' instead. If we set the search path to ONLY /[DOMAIN NAME] other groups were lost (authentication breaks as well), and adjusting our "allow authentication from all domains in the forest" option hasn't helped.
Anyway, besides the point. Once both /all domains and /[DOMAIN NAME] are set up in the search policy and contacts search paths, all the group information is pulled in and authentication works. Now we're looking for a way to add /[DOMAIN NAME] to the search policy on all our Macs either via a script, or, preferably, a managed preference. I've searched around a bit, but so far haven't been able to find where this would be set.
Any tips?
Extra information:
OS X Lion clients
NOT a .local domain (anymore. This has fixed so many problems.)
Server 2003 with native schema
Casper 8.51 (will be updating to .52 soon)