Apple Schema extensions

Jason
Contributor II

Has anyone implemented the Apple Schema extensions for Active Directory?

The reason I'm looking into this is that we log in to our Macs with our AD accounts. If for some reason we need to unjoin and rejoin the domain, our UID changes and any files owned on the Mac previously by that account now see a new UID and we need to re-take ownership. I've been told extending the schema and mapping the UID, user GID, and group GID would resolve that so they are consistent across any system that AD user logs in on and regardless of any domain rejoins. Is that true?

Apple used to have a white paper called "Integrating Active Directory" but I don't see it any longer.

3 REPLIES

mm2270
Legendary Contributor III

I think Apple no longer recommends schema extensions for Active Directory. This was promoted back when Apple's AD plug-in was less functional and there weren't many good options for managing Macs with MCX controls, and before there were such things as Configuration Profiles. I don't know that I would go that route nowadays. Anyway, that's likely the reason the white paper doesn't exist anymore.
A community member here (Tim Perfitt @tperfitt) used to work for Apple and once had a video on extending schema extensions. He may have some better advice around this and whether it's actually even possible to do now.

NightFlight
New Contributor III

It's entirely possible, as we use an extended schema. I wasn't the one who went through the setup process so I can't help that way - but I did just want to chime in that it's possible with Active Directory 2008. I don't think a few extra attributes will really do the directory any harm, but that's just me. :)

anwarmahmood
New Contributor

Hi NightFlight,

What schema extension do you have? Does it include home directory?

Anwar