Posted on 11-21-2014 11:49 AM
We're a bit puzzled here, I see that our Active Directory user accounts have managed preferences applied to them via Active Directory (Workgroup Manager shows them and our Macs are parsing them), and we can't quite figure out how this is happening. We did extend our AD schema many years ago to test MCX, but it was abandoned pretty quickly. Something must have hung around, though.
Can anyone familiar with AD and MCX help me figure out exactly how and where to find these managed preference settings in AD so we can nuke them? Workgroup Manager can see these preferences but I am having a hard time tracking down what is essentially legacy information at this point. I see LDAP queries running for "apple-mcxsettings2" attribute when I am using Workgroup Manager but that attribute is blank when I look it up in ADSI Edit. None of our Apple attributes are populated.
Posted on 11-21-2014 12:59 PM
Technically there is no way to un-extend or "nuke" the schema modifications that you made without performing a complete Active Directory Forest Recovery. Active Directory schema extensions should be done very cautiously. That being said, you can deactivate schema objects that were created during the MCX modification. Here is a starting point: I suspect all of the custom attributes are prefaced with an "apple".
Posted on 11-21-2014 01:03 PM
Can you confirm the MCX settings are being installed on the machine by using mcxquery (user, group, and computer)? I think it will display the source of the management settings.
- Justin
Posted on 11-22-2014 01:11 AM
@alexjdale can you see MCX settings being deployed, or just that mobile accounts are being shown as "managed"?