Old Aug 4, 2012, 03:36 PM   #1
techman0819
macrumors newbie
 
Join Date: Aug 2012
Location: Northeast, USA
Taking Better Control of Labs in AD Environment

Hi All,

I've been the Mac Manager here at the school I work at for a year now, a 95% PC building and school district. In my first year I've implemented AD authentication and it's worked pretty well, and in addition, we purchased a Mac OS X Server (Snow Leopard). I'd like to go a little further this year if I can.

I would like to try and use the server a little bit more this year if I can, in order to set up policies and security, as well as folder sharing. My challenges are I do not have administrative rights to the regular domain, I only have Account Operator rights, but I do have Admin to the Mac Server and to all the workstations, and I can't do anything that would drastically affect the network. For now, the server just sits as File Storage, and as a Deploy Studio host, but I know it's capable of doing more.

What I'm looking for answers to is:

1) Is there a way I can set up Open Directory to manage security and group policies without affecting Active Directory, or better yet causing an issue down the road?

2) Could I use Group Policies on Active Directory to control everything? I've read online that it's possible, but I don't want to go down that route unless I can do it WITHOUT adding a third-party product.

3) Any books or good reads that have info on how to integrate OD and AD without messing each other up?

I'm working with 10.6 server and clients running 10.5, 10.6, and 10.7.

Thanks for any tips.

Last edited by techman0819; Aug 4, 2012 at 03:41 PM. Reason: Added Deploy Studio Host to Server Purposes.
Old Aug 5, 2012, 01:31 PM   #2
aquajet
macrumors 68020
 
Join Date: Feb 2005
Location: DFW
Quote:
Originally Posted by techman0819
1) Is there a way I can set up Open Directory to manage security and group policies without affecting Active Directory, or better yet causing an issue down the road?
Yes. It's called the Magic Triangle. Do a Google search on it. Apple has some documentation on it, and I believe there are some third-party docs on it as well. In short, it's a dual-directory authentication scheme whereby your Macs are bound to both AD and OD, with AD providing user authentication and OD providing client settings. The OD server is also bound to AD, and you can import AD user accounts into OD to provide user-level policies. Or you can do simple machine-level policies as well. Very similar in concept to Windows Group Policies. Traditionally this has been referred to as Managed Client Preferences (MCX), but starting with Lion Server and expanded upon in Mountain Lion Server, Apple is moving away from MCX to what they refer to as "Profile Manager", which supports both Macs and iOS devices. The big thing with Profile Manager is that it is designed to easily support both devices that are under your direct control and so-called "BYODs". Since Apple is pushing Profile Manager quite a bit with Mountain Lion, my suspicion is that traditional MCX will be deprecated.

Quote:
2) Could I use Group Policies on Active Directory to control everything? I've read online that it's possible, but I don't want to go down that route unless I can do it WITHOUT adding a third-party product.
It is possible to use Active Directory to provide MCX, but that requires modifying your AD's schema (and AD admin rights). Since Apple is pushing their new mobile-device focused "Profile Manager", you probably shouldn't be looking at this.

Quote:
I'm working with 10.6 server and clients running 10.5, 10.6, and 10.7.
My recommendation is to start looking at migrating to a newer version ASAP. Historically Apple doesn't provide security and bug fixes more than one major point release back. And 10.6 doesn't support Profile Manager either.

Mountain Lion should do both MCX and Profile Manager, which would be necessary if you've got machines older than 10.7. But this brings up my previous point, which is to get these machines upgraded or out of production soon if that's possible in your organization.
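Added example, not part of the thread or written by any poster: a way to confirm that a lab Mac really has the dual binding described in the reply above, by classifying the output of `dscl /Search -read / CSPSearchPath`. The node names are constructed samples; treating any `/LDAPv3/` node as the OD server and AD-before-OD as the expected order are assumptions of this sketch.

```bash
# Classify a Mac's authentication search path for a dual-directory
# ("Magic Triangle") binding. Input is the text printed by:
#   dscl /Search -read / CSPSearchPath
# Assumption: any /LDAPv3/ node in the path is the Open Directory server.

# Constructed sample: client bound to both AD and an OD server.
SAMPLE_BOTH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/od.example.edu'

# Constructed sample: client bound to AD only.
SAMPLE_AD_ONLY='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'

# Print the 1-based position of the first node that starts with the given
# prefix, or 0 if there is none. $1 = search path text, $2 = node prefix.
node_position() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^[ \t]*\// { n++; sub(/^[ \t]+/, ""); if (index($0, p) == 1 && !hit) hit = n }
    END { print hit + 0 }'
}

# Print a one-word classification; return 0 only for "triangle".
classify_binding() {
  local ad od
  ad=$(node_position "$1" "/Active Directory")
  od=$(node_position "$1" "/LDAPv3/")
  if [ "$ad" -eq 0 ] && [ "$od" -eq 0 ]; then echo "local-only"; return 1; fi
  if [ "$od" -eq 0 ]; then echo "ad-only"; return 1; fi
  if [ "$ad" -eq 0 ]; then echo "od-only"; return 1; fi
  # Both bound: AD listed first means user lookups reach AD before OD.
  if [ "$ad" -lt "$od" ]; then echo "triangle"; return 0; fi
  echo "triangle-od-first"; return 1
}

# On a Mac, classify the live search path; elsewhere, use the sample.
if command -v dscl >/dev/null 2>&1; then
  classify_binding "$(dscl /Search -read / CSPSearchPath 2>/dev/null)" || true
else
  classify_binding "$SAMPLE_BOTH" || true
fi
```

A result of `ad-only` or `od-only` on a lab machine means managed settings or AD logins, respectively, are not reaching that client.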
Old Aug 8, 2012, 02:42 PM   #3
techman0819
Thread Starter
macrumors newbie
 
Join Date: Aug 2012
Location: Northeast, USA
Alright, I'll take a look into that. Thanks.
Old Aug 8, 2012, 04:58 PM   #4
freejazz-man
macrumors regular
 
Join Date: May 2010
Hey aquajet - thanks for the great advice