Advantages To Binding Macs to AD

JimAllsop
New Contributor

What are the real advantages to binding all our laptops to the domain? The only thing I see right now are problems with our laptop Macs. The file shares I can still access even though my machine is not bound to the domain. Am I missing something here? Having the Mac computers bound to the domain also causes all our printers to show up as Open Directory printers, and it makes people not want to install their printers via Self Service when they can just add them via the System Preferences pane. Plus, when they add the printers via System Preferences they are not defaulted to black and white like when they use Self Service. We have a large number of Windows machines as well, so not sharing the printers in the print server is not an option.

I just really wonder what advantages we gain by binding machines to AD. We also notice that the trust relationship is broken quite easily between Macs and our AD, and that makes changing passwords very difficult for the users. We quite often have to force unbind before we can change the user's password.

Thoughts?


spotter
New Contributor III

The main purpose we bind our Macs to AD is so they can receive the same password policy as Windows devices.

imperatives
New Contributor III

The "Open Directory" printer listing is the result of them being published to AD DS from a print server, for which I provided some more info/recommendations in the following thread: https://jamfnation.jamfsoftware.com/discussion.html?id=11600

As spotter wrote, binding to AD provides compliance with your organization's password policy. You might also want to auto-mount a CIFS share that is specified for each user in their AD user account, or something of that sort. AD will also store some basic computer information such as OS version and last login. These might be useful for auditing purposes. Additionally, most enterprise client management (Altiris/SCCM), A/V (Sophos/McAfee), and encryption products offer some sort of AD sync for computer objects. If your Macs are bound to AD you could target them based on OU location. There are a number of other reasons as well. Again, this is all dependent on a properly configured and administered AD and Mac environment. I would try to locate the origin of the trust relationship issue...it shouldn't be a common occurrence on Mac or PC. There is most likely a very specific reason why it is happening in your environment that ought to be resolved.

Not applicable

I'd like to know more about other uses and those who don't...a company I manage currently does not bind Macs to the domain yet. The main reason they want them on there is to be able to push certain AD policies (there is restricted network access unless a user is authenticated into the domain at login), so those users not bound to the domain always have to enter credentials when accessing the network.

And of course the password policy is another thing to take advantage of.

JimAllsop
New Contributor

@imperatives yes, I remember your post in that thread, and we have done that. Although the systems team did not like the idea of using OUs for PC printer management, seeing how users are constantly going from one location to another. We got around that by simply having our PC users go ADM-PRINT and then select what printer they want to use.

The purpose of this thread is, as @randy.andersen mentions, more of a fact-finding thread. What are the advantages and disadvantages?

We are testing changing the trust relationship setting from the default Mac setting of 14 days to 45. (PCs default to 30 days for bound AD machines.) We are hoping that the 45-day change will help keep the trust relationship from breaking on all our Mac computers.
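The interval being discussed is the computer-account password rotation that `dsconfigad -show` reports as "Password change interval"; when it slips out of sync with AD the machine password no longer matches and the trust relationship breaks. As an added example (not from this thread or from Jamf), the script below parses that command's output and flags the settings a reviewer would want to see: bound to the expected domain, a rotation interval at least as long as the target value, and the stricter packet signing/encryption modes. The `dsconfigad -show` text embedded here is constructed to match the command's format so the script runs anywhere; on a bound Mac, replace it with the real output.

```shell
#!/bin/sh
# Added example: audit a Mac's AD binding from `dsconfigad -show` output.
# The block below is CONSTRUCTED sample output, laid out like the real command's.
SAMPLE_DSCONFIGAD_OUTPUT='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$

Advanced Options - Administrative
  Allowed admin groups           = not set
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
'

# ad_setting <output> <label>: print the value of the first "label = value" line.
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }'
}

# ad_bind_findings <output> <expected_domain> <min_interval_days>
# Prints one line per finding and returns the number of findings (0 = all checks pass).
ad_bind_findings() {
    out=$1; want_domain=$2; min_interval=$3; n=0

    domain=$(ad_setting "$out" "Active Directory Domain")
    if [ -z "$domain" ]; then
        echo "FAIL: not bound to AD (no domain in dsconfigad output)"; n=$((n + 1))
    elif [ "$domain" != "$want_domain" ]; then
        echo "FAIL: bound to $domain, expected $want_domain"; n=$((n + 1))
    fi

    # The rotation interval must be numeric and no shorter than the target.
    interval=$(ad_setting "$out" "Password change interval")
    case $interval in
        ''|*[!0-9]*)
            echo "WARN: password change interval is '${interval:-unset}', not a number"; n=$((n + 1)) ;;
        *)
            if [ "$interval" -lt "$min_interval" ]; then
                echo "WARN: computer password change interval is $interval days (< $min_interval)"
                n=$((n + 1))
            fi ;;
    esac

    # 'allow' negotiates down to unsigned/unencrypted LDAP; 'require' does not.
    for opt in "Packet signing" "Packet encryption"; do
        v=$(ad_setting "$out" "$opt")
        if [ "$v" != "require" ]; then
            echo "WARN: $opt = ${v:-unset}; 'require' is the stricter setting"; n=$((n + 1))
        fi
    done

    admins=$(ad_setting "$out" "Allowed admin groups")
    [ "$admins" = "not set" ] && echo "INFO: no AD groups are granted local admin rights"

    return "$n"
}

# Stand-alone run against the constructed sample, targeting the 45-day interval
# from the post above. On a real Mac: ad_bind_findings "$(dsconfigad -show)" corp.example.com 45
ad_bind_findings "$SAMPLE_DSCONFIGAD_OUTPUT" corp.example.com 45
```

On the sample this reports three findings: the 14-day interval is below the 45-day target, and both packet options are at `allow`. The interval itself is changed with `sudo dsconfigad -passinterval 45`; setting it to `0` disables rotation entirely, which removes the breakage but also the protection a rotating machine secret gives.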

JPDyson
Valued Contributor

Apart from password policy, SSO to applications that support Kerberos, login scripts, granting admin rights to AD groups, just to name a few. I'm sure I'm forgetting others - it's always been a requirement any place I've worked, FWIW. I haven't had to seriously evaluate whether I'd do it if I didn't have to (leaning toward no; total Self-Service approach).

Cons: Keychains. If your Mac users don't change their AD password from their Mac, the Login keychain doesn't get its password updated. On next login, they'll either have to enter their old password once (if they remember - I'm surprised how often that's not the case), or delete the keychain and create a new one (ranges from minor inconvenience of losing saved logins, to serious problem when the keychain contains certificates used for authentication).

JimAllsop
New Contributor

@JPDyson do you all leave your Macs defaulted to the 14 day thing or have you changed it to another amount?

mm2270
Legendary Contributor III

A topic no one really likes to talk about in relation to AD is termination. As ugly as it is, the reality of today's world is that people get let go or fired. If your HR department requires users to be disabled from any systems/resources, using central authentication like AD can help. If the user account is disabled in AD, they can no longer log in. If they have local accounts, you need to use some manual methods, like remotely changing their account password or disabling it via some script or ARD, etc. In other words, it's on you to make sure they can't log into their Mac or get at sensitive resources. With AD binding/accounts, unless you are also the AD administrator, it's someone else's problem.
Sorry to have to bring up that topic, but that is another reason it's used. Probably better to focus on the good stuff though, like SSO and so on.

FWIW, many years ago I managed a small Mac environment where no one had AD accounts. It's kind of a nightmare, at least from the security and ease-of-use standpoints. Users use the same password for months or even years on end (because it's not enforced, and how many users actively want to change their password? Answer: 0); no password complexity to speak of, so you get passwords like "password"; no ability for anyone to sit down at another Mac and just "log in" and at least work in a pinch, just to name a few issues.

I'm not saying using AD binding and logins doesn't present its own set of issues, but it seems to me worth the trouble to get the added benefits.

Just my $0.02

JimAllsop
New Contributor

@mm2270 you have got that right. I found today a user that has not been with the company for over a year and they still had a fully functioning AD account. User management is something we are trying to get straight as well.

JPDyson
Valued Contributor

@JimAllsop Do you mean the 14 day notice? That's all managed by our AD team; we don't really have any say in that regard.

alexjdale
Valued Contributor III

Password policy enforcement, password sync to AD, audit trails, 802.1x (wired/wireless), DDNS, ability to disable users/computers to restrict access, SSO for websites/applications... the list goes on. It's half usability, half security. You aren't serious about security if there is no strong trust relationship between your computers and your network, which AD provides.

It really comes down to the size and needs of your company. We're ~9k Macs and we have strict security requirements since we have access to customer PII and financial info. We didn't really have a choice.