Posted on 12-05-2015 05:51 AM
Hi folks,
I'm wondering if there's a way to prevent an AD-bound computer from picking up Managed Preferences that seem to be defaults when we create a new user in AD.
For example, I have to keep a computer around with Mac OS X Lion that can run Workgroup Manager just so I can switch off "Dock" and "Login Items" from the user's account in AD after we create a new user.
I'd like to find a way of not having to do this anymore.
Posted on 12-05-2015 07:20 AM
I remember seeing something like this a few years ago.
We turned off the server, and there were some settings that we had to remove on ADSI.
Posted on 12-05-2015 08:39 AM
In the OS X Leopard to Mt. Lion days, we used AD more for Managed Preferences, but Apple has been removing that functionality since Mavericks.
We've removed all the Managed Preferences from AD, but three always get created automatically when we create a new user:
- Mobility
- Login
- Dock
I then have to click the "Never" radio button on the last two because I won't want them interfering with Config Profiles or plists that we're setting up as defaults at the computer. The most annoying one is the "Login" because it automounts the network home share (but not the user's actual network home folder).
I'm not sure if I should also just hit the "Never" button in the mobility since those same settings get created when we bind the computer to AD anyway. I can't remember if there were any adverse effects from doing that.
I just don't want them to get switched on in the first place, so I'm trying to find a way to do that but not affect other AD services at the client computer in the process.
Posted on 12-05-2015 08:45 AM
It's been a while, but I believe user level managed preferences you set in Workgroup Manager will override all other managed preferences, which is why disabling the preferences per person is working. Have you verified you don't have a group in Workgroup Manager with this setting enabled?
Similarly, if you open System Information on your Mac workstation and choose Managed Client, do you see the preference there? If so, you've got a locally cached preference setting you'll need to clear out.
Posted on 12-05-2015 09:15 AM
@talkingmoose The only group that every new user we create belongs to at first is "Domain Users." I just checked WM on the Lion computer I'm running it on, and that group has no managed preferences set.
After we create the users, we attach them to security groups for server access, and mail distribution groups. I just went through all of our active security and distribution groups on WM, and none of them have any managed preferences set.
I just checked System Info > Managed Client on three bound computers as you suggested, and it says "No information found."
So, I don't know why these three get switched on by default for any new user we create. It may be an AD thing as @jonnydford suggested.
Posted on 12-06-2015 06:58 PM
The settings you are talking about are on the computer, not on AD.
That's just normal. They should not interfere with config profiles or anything else.
The Mobile and Login are because you set those preferences in the AD plugin.
Not sure about the dock, I think you are getting false information from WGM.
Use dscl to view the user's record to see all the attributes. Or I also like to use Apache Directory Studio.
ldapsearch also works if you want to view the attributes for an AD object from a machine that isn't bound to AD.
Posted on 12-06-2015 07:00 PM
Just to add, these machines are only bound to AD, right? No Open Directory server?
You are not running the golden triangle, right?
Active Directory schema has not been extended for MCX settings?
Posted on 12-09-2015 11:15 AM
@calumhunter We have the third option. I thought about that over the weekend that this may be the cause.
We did this about 4 yrs ago so we wouldn't have to set up a "golden triangle." I don't know if there's a way to undo those extensions from AD on Windows Server 2008.
However, we'll be moving our AD to Windows Server 2012, and we may be able to exclude those extensions when we migrate.
Posted on 12-09-2015 05:04 PM
You could probably have your AD admin do up a PowerShell script to clear out those attributes in AD. I think that would be easier than trying to migrate an AD and exclude certain attributes, but I'm no AD admin.
The Managed Client section in System Profiler under Software can also tell you where some MCX settings are coming from ... I don't have anything I can put MCX on to show you, but here's where it is in System Profiler.
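The attribute inspection and the PowerShell clean-up suggested in the replies above could look like the following. This is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module, a placeholder search base, and that the schema extension uses the attribute names apple-mcxsettings and apple-mcxflags; confirm the names in your own schema before running it.

```powershell
# Added example: report which AD users carry MCX attributes, and clear them on request.
# Assumptions (not from the thread): attribute names, search base, report path.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]   $SearchBase    = 'OU=Staff,DC=example,DC=com',          # placeholder OU
    [string[]] $McxAttributes = @('apple-mcxsettings', 'apple-mcxflags'), # assumed names
    [string]   $ReportPath    = '.\mcx-attributes-before.csv',
    [switch]   $Clear
)

# LDAP filter matching any user with at least one of the attributes populated.
$clauses = $McxAttributes | ForEach-Object { "($_=*)" }
$filter  = "(|$($clauses -join ''))"

$users = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties $McxAttributes)

# Build a per-user, per-attribute report before anything is modified.
$report = foreach ($u in $users) {
    foreach ($attr in $McxAttributes) {
        $values = @($u.$attr | Where-Object { $null -ne $_ })
        if ($values.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                Attribute         = $attr
                ValueCount        = $values.Count
                TotalLength       = ($values | ForEach-Object { "$_".Length } |
                                     Measure-Object -Sum).Sum
            }
        }
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($users.Count) user(s) have MCX attributes set; report written to $ReportPath"

# Clearing is opt-in, honours -WhatIf, and prompts per user (ConfirmImpact = High).
if ($Clear) {
    foreach ($u in $users) {
        # Only clear the attributes this user actually has populated.
        $populated = @($McxAttributes | Where-Object { $u.$_ })
        if ($populated.Count -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Clear $($populated -join ', ')")) {
            Set-ADUser -Identity $u -Clear $populated
        }
    }
}
```

Run it without -Clear first to get the report, then with -Clear -WhatIf to preview the changes; the account needs write access only to these attributes on the target OU.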