Posted on 09-25-2009 01:41 PM
Howdy,
I've been working with the admin packs ard script. The problem I have is I don't want to add individual users; I want to add AD groups. Any help would be greatly appreciated.
Thanks
Theodore "Teddy" Herman
Systems Engineer
Spring Branch ISD
Posted on 09-25-2009 03:38 PM
Not sure if anyone replied yet, but for some reason I don't feel I have a clear enough idea of what you're trying to accomplish. Can you try to explain differently or with more details?
Craig Ernst
UW-Eau Claire
(715) 836-3639
Posted on 09-25-2009 03:52 PM
You want to add computer groups into AD? User groups? You do that from the Windows side, unless you are trying to mimic them in OD?
Can you please give more details?
Posted on 09-25-2009 07:40 PM
try:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users ADGroupName -access -on -privs -all -allowAccessFor -specifiedUsers -restart -agent -menu
Tony S. Wu
tonyswu at mac.com
Posted on 09-28-2009 06:50 AM
Does this actually work? We tried using ARD Admin groups in Open
Directory our first year of our 1:1 and it never quite worked right.
So, instead I created a special local admin account just for ARD admin
access.
I also thought the original poster was trying to import AD groups over
ARD admin, that is why I was asking those questions.
Posted on 09-28-2009 10:31 AM
I am trying to use AD groups in ARD so when a user is trying to log in to control a computer they can use their own account. If this doesn't really work then I will focus on doing one account. Thanks for the input.
Theodore "Teddy" Herman
Systems Engineer
Spring Branch ISD
Posted on 09-28-2009 11:22 AM
The problem stems from the client side, actually. If you look in System Preferences, under Sharing, look at Remote Management. You really don't want it set for All Users. So, if you pick Only These Users, you can pare it down, right? So, now add a user that can use Remote Management...
Here's the problem: You can only add local users to that list. If Apple had included even local groups, you could do it. How? In your directory binding settings, you'd set a particular OU in your Active Directory to have administrative rights when they log in. So, you could set Remote Management to allow the Administrators group and since your AD OU is in the Administrators group, they'd be able to use those credentials.
But there are no groups there. So, that's why it doesn't work. It would be nice if Apple could add groups to that, but even better, network users and groups, so you wouldn't automatically have to be in the Administrators group for access.
j
---
Jared F. Nichols
Desktop Engineer, Infrastructure & Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 09-28-2009 11:46 AM
Page 63 of the ARD Admin guide speaks about using directory services
for creating administrator access groups for ARD access.
One method is creating specific groups in your master directory.
ard_admin
ard_reports
ard_manage
ard_interact
Within any of these groups you specify those users that should have
that level of access.
In addition, you need to set the clients to use directory
authorization. You can use the Change Client Settings option under the
Manage menu item. Probably the easiest method.
A command-line option is available as well.
Of course those clients need to be bound to a directory service.
For those wanting to use local groups for defining access, then take a look at the XML modification under method 1 of the ARD admin guide.
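The directory-authorization setup described in the post above, as an added example that is not part of the thread or of the ARD Admin guide: it checks that the four ard_* groups resolve on a bound client before switching Remote Management to directory logins restricted to those groups. The helper names, `RESOLVER` and `DRY_RUN` are hypothetical, and the `-clientopts -setdirlogins` / `-setdirgroups` options are assumed to match what `kickstart -help` lists on your OS version.

```shell
#!/bin/sh
# Added example: enable ARD directory-group authorization on a bound client.
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
ARD_GROUPS="ard_admin ard_reports ard_manage ard_interact"   # names from the post above

# Hypothetical helper: succeeds if the group resolves via the directory search path.
group_resolves() {
    dscl /Search -read "/Groups/$1" PrimaryGroupID >/dev/null 2>&1
}

# Hypothetical helper: print the groups that do NOT resolve.
# RESOLVER can name another function so the logic can be exercised off-client.
missing_groups() {
    resolver="${RESOLVER:-group_resolves}"
    missing=""
    for g in "$@"; do
        "$resolver" "$g" || missing="$missing $g"
    done
    echo "${missing# }"
}

# Build the kickstart arguments: access for specified users only (never all
# users), directory logins on, limited to the listed groups.
kickstart_args() {
    csv=$(echo "$*" | tr ' ' ',')
    echo "-activate -configure -allowAccessFor -specifiedUsers" \
         "-clientopts -setdirlogins -dirlogins yes" \
         "-setdirgroups -dirgroups $csv -restart -agent"
}

configure_ard() {
    missing=$(missing_groups $ARD_GROUPS)
    if [ -n "$missing" ]; then
        # A group that does not resolve usually means an unbound client
        # or a group that was never created in the directory.
        echo "unresolved groups: $missing (is this client bound?)" >&2
        return 1
    fi
    # Word splitting of the argument string is intentional here.
    # Set DRY_RUN=1 to print the command instead of running it.
    ${DRY_RUN:+echo} sudo "$KICKSTART" $(kickstart_args $ARD_GROUPS)
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    configure_ard
fi
```

Run it with `--apply` on the client; without that argument it only defines the functions.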
Posted on 09-28-2009 11:56 AM
We did this on our first year of our 1:1 and it didn't quite work right
and the performance was horrible. Which is why I created special
specific local admins for ARD usage on the machines.
Has anyone successfully used the OD method of adding in OD users/groups
to ARD admin, and what was your experience with it? We tried this in
10.4 and it left such a bad taste in my mouth when we migrated to 10.5 I
didn't care to try it.
Thanks
Tom
Posted on 09-28-2009 02:59 PM
We just use a specific standard user account for ARD access.
Tony S. Wu
tonyswu at mac.com
Posted on 07-09-2019 01:47 PM
Looks like Apple decided to hard-code the permissions that the ard_* groups have.
I managed to make it work to use AD groups to access ARD, but the problem I face is that I can't make it work to give just the Observe permission.
So far a local account on the machine is the only option I have to give Observe permission only (this is what we have), but AD groups just do not seem to work.