Posted on 05-03-2011 11:24 AM
Happy Tuesday Everyone,
Well, the summer is almost here in Wisconsin and the projects are already beginning to stack up.
I am researching the best method for integrating our Macs into our AD directory. I have done some legwork and see tools by Centrify and Thursby. I also know Apple has their own solution, but that appears to be more work.
What I am asking the list is who is already doing AD integration with their Macs and how are you doing it? For instance, have you extended the schema for AD? How about Workgroup Manager: are you doing anything with it, or are you simply using the GPOs in AD? Any gotchas would be nice to know as well.
Your thoughts can be sent to me directly if you wish. Since I am researching this for a few weeks, any and all comments are welcome.
Thank you in advance for your thoughts and words.
Regards,
Mick
--
Michael D. Conners, APP
Apple Project Leader
3550 Anderson Street
Madison, WI 53704
Phone: 608-246-6360
Fax: 608-246-6329
Work E-Mail: mconners at matcmadison.edu
www.realworldsmart.com
Posted on 05-03-2011 11:29 AM
We've been purely AD bound for 4 years or so using what comes right in the OS, Leopard or higher recommended. The only thing that is used for AD are the UNIX attributes. Not sure that GPO can be used at all for Macs. You'll need to deal with everything through OD or MCX settings from the JSS. Users' network home drives mount automatically at login, reading information from their AD account.
Craig Ernst
Systems Management and Configuration
+--------------------------+
University of Wisconsin-Eau Claire
Learning and Technology Services
Old Library 2109
105 Garfield Ave
Eau Claire, WI 54701
Phone: (715) 836-3639
Fax: (715) 836-6001
+--------------------------+
ernstcs at uwec.edu
Posted on 05-03-2011 11:55 AM
Just bind using the AD Bind and create your own "GPOs" (MCX and policies/scripts) via Casper. It's the best in my opinion. I would stay away from anything Thursby like the plague. We have Centrify here but our group does not utilize it.
http://www.casperadmins.com
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Posted on 05-03-2011 02:18 PM
We use ADmitMac here, and we've had some issues with it (as of version 5.1). The 5.2 beta we got seems to be better so far; currently waiting for the download link for our volume licensed 5.2 to percolate through the ranks.
We do have one computer that is bound to AD via the native plugin: mine. It works just fine, aside from needing more RAM. One thing I find VERY nice about ADmitMac is AD Commander, which comes with the package. Not that its UI is fantastic, but that it allows me to manipulate AD from a Mac at all. This comes in very handy. Do any of the others provide a tool for this?
Oh, and we use MCX in Casper. It doesn't always work, though...
Posted on 05-03-2011 03:52 PM
We're 100% AD-bound here, with about half binding through ADmitMac, half through Centrify, and half through Apple's plug-in. ;) Seriously, a fair portion of each, with ADmitMac v4 and v5 in place - those getting MCX from Open Directory, so the AD-OD triangle. Centrify Macs are picking up AD GPOs. We're in the process of moving off Centrify, so doing my best to replicate group policy stuff via Casper now.
I don't have a lot of experience with Centrify, so can't speak to it too much. ADmitMac is both a pain and a blessing. Thursby moves at their own speed, so bug fixes take a while. I'm still waiting for a reliable fix for credential caching so laptop users can take their machines home and work from a single account. In v4 there were problems with automating the binding process too, and odd application conflicts, though I think v5 resolved much of that.
Moving between ADmitMac/Centrify and Apple AD can be a headache as well, as UIDs are treated differently. I'm moving Macs off Centrify now, so had to script something to disjoin, uninstall Centrify, re-bind through Apple's plug-in, and fix home folder permissions afterwards. ADmitMac provides their Home Mover tool that helps a lot in moving accounts if you're going that route.
Overall, I'd have preferred to stick with Apple's solution + ExtremeZ-IP + AD-OD over installing a third-party product. We needed (or thought we needed) ADmitMac's CIFS stack when moving our fileshares off Apple RAIDs to SAN. Before that need, Apple AD + Workgroup Manager worked well for us.
Jon
Posted on 05-04-2011 04:04 AM
Mick,
Prior to Snow Leopard we used Quest Authentication Services (Vintela, as it used to be called) and this always worked well. With Snow Leopard, however, we use Apple's built-in AD plug-in, since for our setup we have seen no reason to still require a third-party option, Quest, Centrify or otherwise.
Our home accounts live on a Linux server, automounted via NFS, but AD supplies the UNIX path to the home account.
All of this works absolutely fine.
As for extended schema, we too use Casper to push out any Managed Preferences. I admit we don't use many, but those we do use work as expected.
Sean
Posted on 05-04-2011 08:11 AM
Using the built-in AD component, and having Casper join machines to the domain... This could be specific to our environment, but one thing we noticed is that Macs are not able to read some user properties (like password age, loginShell) unless they are added to the "Pre-Windows 2000" group. Has anyone seen this?
The other thing we noticed was that if people reset their Kerberos password from Windows, although they were able to log in to Macs using the updated password, they were prompted for the keychain password and had to provide their old password to update it. Is there a way to downstream/sync the Kerberos password change with the keychain password?
Thanks
Adil
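As an added example (not code from the thread or from any of the posters), here is a script in the shape of what Craig, Sean, Jon and Adil describe for the native route: bind with Apple's built-in AD plug-in via dsconfigad, optionally map the UNIX attributes, check after binding that the user attributes Adil found unreadable actually come back through the directory, and re-own a local home folder after moving a Mac off a third-party agent, where the UID the directory hands back can change. The domain ad.example.edu, the OU, the AD_JOIN_USER/AD_JOIN_PASS variables, the user and home paths are all assumptions; the Centrify leave/uninstall step Jon scripted is vendor-specific and not shown.

```shell
#!/bin/bash
# Example for the thread above, not code from any poster. Domain, OU, join
# account variables and paths are hypothetical.

# NetBIOS computer names are limited to 15 characters, so derive a safe
# computer account name from the Mac's ComputerName before joining.
netbios_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | cut -c1-15
}

# Extract the bound domain from `dsconfigad -show` text on stdin.
# Prints nothing when the Mac is not bound.
bound_domain() {
    sed -n 's/^ *Active Directory Domain *= *//p'
}

# Join with the built-in plug-in. AD_JOIN_USER/AD_JOIN_PASS are hypothetical
# variables set by the management tool. Because -password shows up briefly in
# the process list, the join account should only have the right to create
# computer objects in the target OU, nothing more.
bind_native() {
    local domain="${AD_DOMAIN:-ad.example.edu}"
    local ou="${AD_OU:-OU=Macs,DC=ad,DC=example,DC=edu}"
    local computer
    computer=$(netbios_name "$(scutil --get ComputerName)")

    if [ "$(dsconfigad -show | bound_domain)" = "$domain" ]; then
        echo "already bound to $domain"
        return 0
    fi
    # -uid/-gid/-ggid map the RFC 2307 UNIX attributes (Craig's setup); keep
    # them only if every account has uidNumber/gidNumber populated, otherwise
    # remove them and let the plug-in generate UIDs from objectGUID.
    dsconfigad -add "$domain" -computer "$computer" -ou "$ou" \
        -username "$AD_JOIN_USER" -password "$AD_JOIN_PASS" \
        -mobile enable -mobileconfirm disable \
        -localhome enable -useuncpath enable \
        -uid uidNumber -gid gidNumber -ggid gidNumber \
        -shell /bin/bash -packetsign require -packetencrypt require \
        -passinterval 14 -alldomains enable
}

# Post-bind check: read the attributes a login needs for one known account
# through the search path. Empty fields here mean the computer account cannot
# read them in AD (the symptom Adil describes), not a broken bind.
check_user_attrs() {
    local user="$1"
    dscl /Search -read "/Users/$user" \
        UniqueID PrimaryGroupID NFSHomeDirectory UserShell SMBHome
}

# After moving from Centrify/ADmitMac to the native plug-in the directory may
# return a different UID/GID for the same user, so re-own the local home to
# whatever it resolves to now. Prints the command in dry-run mode (default);
# set DRY_RUN=0 to apply it.
fix_home_owner() {
    local user="$1" home="$2" uid gid
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'chown -R %s:%s %s\n' "$uid" "$gid" "$home"
    else
        chown -R "$uid:$gid" "$home"
    fi
}

# Usage (hypothetical): sudo AD_JOIN_USER=... AD_JOIN_PASS=... ./adbind.sh --bind jdoe
#                       sudo DRY_RUN=0 ./adbind.sh --fix-home jdoe /Users/jdoe
case "${1:-}" in
    --bind)     bind_native && check_user_attrs "$2" ;;
    --fix-home) fix_home_owner "$2" "$3" ;;
esac
```

Two caveats worth keeping in mind with this approach: the dsconfigad advanced options only take effect for accounts created after the change, so existing mobile accounts keep the UID they were created with, which is why the home re-own step exists at all; and none of this touches the login keychain, so the password-change prompt Adil describes still appears for mobile users whose AD password changed elsewhere.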