Taking Better Control of Labs in AD Environment

Discussion in 'Mac OS X Server, Xserve, and Networking' started by techman0819, Aug 4, 2012.

  1. techman0819, Aug 4, 2012
    Last edited: Aug 4, 2012

    techman0819 macrumors newbie

    Aug 4, 2012
    Northeast, USA
    Hi All,

    I've been the Mac Manager here at the school I work at for a year now, a 95% PC building and school district. In my first year I've implemented AD authentication and it's worked pretty well, and in addition, we purchased a Mac OS X Server (Snow Leopard). I'd like to go a little further this year if I can.

    I would like to try and use the server a little bit more this year if I can, in order to set up policies and security, as well as folder sharing. My challenges are I do not have administrative rights to the regular domain, I only have Account Operator rights, but I do have Admin to the Mac Server and to all the workstations, and I can't do anything that would drastically affect the network. For now, the server just sits as File Storage, and as a Deploy Studio host, but I know it's capable of doing more.

    What I'm looking for answers to is:

    1) Is there a way I can set up Open Directory to manage security and group policies without affecting Active Directory, or better yet causing an issue down the road?

    2) Could I use Group Policies on Active Directory to control everything? I've read online that it's possible, but I don't want to go down that route unless I can do it WITHOUT adding a third-party product.

    3) Any books or good reads that have info on how to integrate OD and AD without messing each other up?

    I'm working with 10.6 server and clients running 10.5, 10.6, and 10.7.

    Thanks for any tips.
  2. aquajet macrumors 68020

    Feb 12, 2005
    Yes. It's called the Magic Triangle. Do a Google search on it. Apple has some documentation on it, and I believe there are some third-party docs on it as well. In short, it's a dual-directory authentication scheme whereby your Macs are bound to both AD and OD, with AD providing user authentication and OD providing client settings. The OD server is also bound to AD, and you can import AD user accounts into OD to provide user-level policies. Or you can do simple machine-level policies as well. Very similar in concept to Windows Group Policies. Traditionally this has been referred to as Managed Client Preferences (MCX), but starting with Lion Server and expanded upon in Mountain Lion Server, Apple is moving away from MCX to what they refer to as "Profile Manager", which supports both Macs and iOS devices. The big thing with Profile Manager is that it is designed to easily support both devices that are under your direct control and so-called "BYODs". Since Apple is pushing Profile Manager quite a bit with Mountain Lion, my suspicion is that traditional MCX will be deprecated.

    It is possible to use Active Directory to provide MCX, but that requires modifying your AD's schema (and AD admin rights). Since Apple is pushing their new mobile-device focused "Profile Manager", you probably shouldn't be looking at this.

    My recommendation is to start looking at migrating to a newer version ASAP. Historically Apple doesn't provide security and bug fixes more than one major point release back. And 10.6 doesn't support Profile Manager either.

    Mountain Lion should do both MCX and Profile Manager, which would be necessary if you've got machines older than 10.7. But this brings up my previous point, which is to get these machines upgraded or out of production soon if that's possible in your organization.
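    One thing worth checking before trusting OD for managed settings is that a client's directory search path actually has the dual-directory layout the Magic Triangle relies on: local accounts first, an Active Directory node for authentication, and an LDAPv3 node for the OD server. The script below is an added example written for this thread, not code from Apple or from anyone in the discussion; the sample output, the domain name EXAMPLE and the host odserver.example.edu are constructed placeholders, and on a real client you would feed it the live output of `dscl /Search -read / CSPSearchPath` instead.

```shell
#!/bin/sh
# Constructed sample of `dscl /Search -read / CSPSearchPath` output from a
# client bound to both AD and OD (domain and hostname are placeholders).
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/odserver.example.edu'

# check_magic_triangle: read CSPSearchPath text on stdin and verify that the
# client consults local accounts first, then an Active Directory node (user
# authentication) and an LDAPv3 node (the OD server that supplies MCX settings).
# Returns 0 when all three conditions hold, 1 otherwise, reporting what is missing.
check_magic_triangle() {
    # drop the "CSPSearchPath:" header line and the leading space dscl prints
    paths=$(sed '1d; s/^ *//')
    status=0
    first=$(printf '%s\n' "$paths" | sed -n '1p')
    if [ "$first" != "/Local/Default" ]; then
        echo "FAIL: local node is not first in the search path (got: $first)"
        status=1
    fi
    if ! printf '%s\n' "$paths" | grep -q '^/Active Directory/'; then
        echo "FAIL: no Active Directory node; AD authentication is not in the search path"
        status=1
    fi
    if ! printf '%s\n' "$paths" | grep -q '^/LDAPv3/'; then
        echo "FAIL: no LDAPv3 node; the OD server will not supply managed settings"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: search path has local, AD and OD nodes in the expected layout"
    fi
    return "$status"
}

# On a real client replace the sample with the live output:
#   dscl /Search -read / CSPSearchPath | check_magic_triangle
printf '%s\n' "$SAMPLE_SEARCH_PATH" | check_magic_triangle
```

    A client that only reports the AD node passes authentication but never receives OD settings, which is the usual reason a policy "silently" fails to apply.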
  3. techman0819 thread starter macrumors newbie

    Aug 4, 2012
    Northeast, USA
  4. freejazz-man macrumors regular

    May 12, 2010
