Macs and AD Environment

mushypanda
New Contributor

Hi everyone, I am new here and new to the Mac world in terms of scripting and Macs in an Active Directory (Windows Server 2012) environment.

I've been trying real hard or not hard enough to find a script/ write a script so I can capture login info/ logon history (Mac name, MAC Address, IP Address, Emp.ID, UserName, OU, Logindatetime) of the Mac on a Windows AD server. Soon I will be working with System Center 2012. I already did the basics to bind the Mac to the AD but (1) I can't capture the information, (2) have a script to map drives in the network, or (3) set a group policy for users on the domain to sign on without having to create individual profiles on the Mac.

Also, is it possible to have a script that sets a policy banner on all Macs? Plus, a curious question: can we have a cancel button that logs the user off the Mac if they disagree?

If anyone has information on this or has dealt with it please share your experience and knowledge for this young padawan in the Mac World being in a Windows AD Server environment.

Thanks everyone for I am grateful to learn more!

7 REPLIES

mushypanda
New Contributor

I did some command line configuration for 'dsconfigad' using the Apple Doc "Best Practices for Integrating OS X Lion with Active Directory" and also configuring directory service information on the Mac.

Matt
Valued Contributor

I'm a bit confused, but I'll give it a shot.

All the info you are requesting is gathered by the JSS. If you use the SCCM plugin (like we do) that information is then patched over and copied to SCCM which we then put in our CMDB.

dolivieri
New Contributor

We have also been having problems delivering mapped network drives from our Windows servers over SMB to internal Mac AD clients. On the PC side, users log in and those drives come down, but we haven't been able to replicate this amongst the Macs on AD successfully within our environment either.

Hobbs155
Contributor

We can monitor this in two ways: we have a login script that creates symlinks to mounted network drives and logs username and date/time to /var/logs, and JSS also captures login information etc.

dolivieri - we are also having issues with SMB home mounting after upgrading to 9.01; possibly have a look at https://jamfnation.jamfsoftware.com/discussion.html?id=8279
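
An added example, not part of any reply in this thread and not JSS or Apple code: a login-hook style script that appends one audit record (time, computer name, MAC address, IP address, username) per login. The log path, the `en0` interface and the username arriving as the first argument are assumptions; fields are sanitized so that a crafted computer name or username cannot inject extra fields or lines into the log.

```shell
#!/bin/bash
# Added example: per-login audit record for a Mac, meant to run as root
# from a login hook. Assumptions (not from the thread): the log path,
# en0 as the primary interface, and the username passed as $1.

LOG_FILE="${LOG_FILE:-/var/log/mac_login_audit.log}"   # hypothetical path
IFACE="${IFACE:-en0}"                                   # assumed interface

# Read `ifconfig <iface>` output on stdin, print the hardware (MAC) address.
mac_from_ifconfig() {
    awk '$1 == "ether" { print tolower($2); exit }'
}

# Remove CR/LF and replace the field separator so that a value cannot
# forge an extra field or an extra log line (log injection).
sanitize() {
    printf '%s' "$1" | tr -d '\r\n' | tr '|' '_'
}

# Build one pipe-delimited record: time|computer|mac|ip|user
format_record() {
    printf '%s|%s|%s|%s|%s\n' \
        "$(sanitize "$1")" "$(sanitize "$2")" "$(sanitize "$3")" \
        "$(sanitize "$4")" "$(sanitize "$5")"
}

# Gather the live values on macOS and emit the record on stdout.
collect_record() {
    local user="$1" now name mac ip
    now="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    name="$(scutil --get ComputerName 2>/dev/null || hostname)"
    mac="$(ifconfig "$IFACE" 2>/dev/null | mac_from_ifconfig)"
    ip="$(ipconfig getifaddr "$IFACE" 2>/dev/null)"
    format_record "$now" "$name" "${mac:-unknown}" "${ip:-unknown}" \
        "${user:-unknown}"
}

# Only write when running on macOS with a username argument.
if [ "$(uname -s)" = "Darwin" ] && [ -n "$1" ]; then
    umask 077   # a newly created log file is readable by root only
    collect_record "$1" >> "$LOG_FILE"
fi
```

The resulting file is a local record only; getting it to a Windows-side collector is a separate step that this sketch does not cover.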

mushypanda
New Contributor

Maybe I'm coming from a different angle, or maybe it's not related to OS X servers, but to Windows Active Directory/System Center. Some business analysts here have written scripts for the PCs so that every time they log in, login information of the computer and user is captured. I'm an intern trying to learn more and more about how these work hand in hand with Macs, if that helps with the question or reinforces what I am saying. Being able to capture it with a script of the Mac and Mac users maybe can't be done with a Windows server because of how Apple has different encryption of packet files over the internet; I could be wrong. I apologize if I can't be any clearer. Thanks for all your input.

mm2270
Legendary Contributor III

I'm not sure if this would satisfy your requirements, but the JSS already has an option to capture startup and login/logout actions across your managed Macs. Go into Settings > Computer Management Framework Settings, and click on both the Startup Item and Login/Logout Hooks tabs. There are options there to capture Startup and Login/Logout actions. These capture timestamps and the user account at login as well as the Computer Name.
In Casper Suite versions prior to 9, this is available to view globally using the Logs tab. In version 9, it's only available per computer in the computer record's details.

As for a policy banner, there is a built-in OS X option of setting up a policy banner, but it will appear at every login, not just once a day or one time only. You basically create an rtf or rtfd file in something like TextEdit, name it PolicyBanner.rtf (or rtfd if using images) and place it into /Library/Security/. That message will come up over the login screen, again, at every login. Only thing is, it only provides an "Accept" button. No cancel button is available for that. If that part is a requirement, you'd have to look at something else, but I'm not even sure what else would really work.

alexjdale
Valued Contributor III

I've never been able to get home drive mapping to work via AD attributes either. I have to disable that and sometimes modify user accounts; it's caused login failures in the past. Apple's SMB/CIFS stack does not have a high level of compatibility with network appliances.