10.9 - Native AD Plugin Discussion

I am looking for everyone's thoughts, opinions, gotchas or other notable experience with the native AD directory service plugin on 10.9.

We currently use a third-party plugin, for which we have some fairly extensive MCX policies scoped as GPOs in our AD environment. Migrating these to Casper would be a task, but not unbearable.

I am looking at the feasibility of slowly migrating over to native tools and would like your input on how that experience has been and what you have learned.

Main thoughts/concerns

  • Access Control - Deny login for students on Staff Machines
  • Administrative Access - Several Large Groups of Admin Users (Techs, building-level support, etc.) as well as one-off users who "need" admin rights.
  • User Caching - Our Domain is not externally routable. Would need user credentials cached during summer break (roughly 180 days)
  • Large Environment - Close to 70k users. We have some large groups with several thousand users. Any issues handling this?
  • Login Troubleshooting - What do you use to track down "I can't login" type issues?

We're testing a few machines here and there with our environment, but I thought I would get the collective knowledge of the nation to see what areas we should focus our testing on.

Edit: Also, any issues with RODCs in the environment?