Posted on 10-01-2008 12:45 AM
OK, so this time it's an AD binding issue:
Can I delete the /Active Directory/All Domains entry from my Authentication and Contacts search policies in Directory Utility with Casper? Every time I test my binding procedure, duplicate AD entries are displayed. I want to delete the existing one before creating a new one with a new bind.
Also, I can't seem to change the preferred order of the directories in the search policies. I want AD to appear before OD, but the dscl changei command to change the index doesn't like me. Can Casper handle this, too?
I have a feeling this should be easier than it's been and I'm doing something wrong...
Jeffrey A. Strauss
Department of Educational Technology
Systems Administrator
Loyola High School of Los Angeles
1901 Venice Blvd.
Los Angeles, Ca 90006
(213) 381-5121
Posted on 10-02-2008 08:21 AM
Let me see if I understand: you get a duplicate machine acct in AD after you
have bound? If so it sounds like the acct used to bind does not have delete
permissions to the machine acct object OR ownership of the object is taken
by a privileged acct. Our AD guys have given us pretty much God-like
privileges to the Computers container (with the exception of move). This
makes life a lot easier.
Posted on 10-02-2008 08:36 AM
Actually, I'm using the domain admin account to perform the binding.
Late last night I resolved this by appending a dscl command to remove
Authentication search policy entries to my unbind script. I don't know
why it wasn't working, but it is now. :)