What are the benefits of binding a Mac to your AD forest?

Discussion in 'Mac OS X Server, Xserve, and Networking' started by austinsevo, Dec 23, 2008.

  1. austinsevo macrumors regular

    Joined:
    Jun 9, 2008
    Location:
    Sherman Oaks: California
    #1
    What are the benefits of binding a mac to your Active Directory Forest?

    Can you enforce policies? Set scripts? Better authentication? I'm talking about binding to a Windows DC.
     
  2. steviem macrumors 68020

    steviem

    Joined:
    May 26, 2006
    Location:
    New York, Baby!
    #2
    For me,

    Better integration to the network. Easier to login as a domain admin and have full admin rights.

    Better access to shares on file servers.

    I didn't see this topic until just now. But if you want your Mac to be better integrated in your company's network, bind it.
     
  3. austinsevo thread starter macrumors regular

    Joined:
    Jun 9, 2008
    Location:
    Sherman Oaks: California
    #3
    Okay, thank you.
     
  4. mrmarsguy macrumors newbie

    Joined:
    Jan 2, 2009
    #4
    Hey, maybe you can answer a related question for me. I just received a MacBook running 10.5.5 for my work computer; it was bound (binded?) to our network domain -- on a Windows based server, don't know what version. I know that my MacBook only has two user accounts: the one that is joined to the Active Directory domain, and another one that is not. These are both admin accounts, they are both mine and I have passwords to each. The root user account is still disabled on it, according to what I see in Directory Utility. (Also, I was there when the IT tech girl set it up -- brand new Mac! -- and this was never changed.)

    This is my question: when I am connected to our domain at work, does our system admin for our AD domain workgroup (sorry for any wrong terminology) have read access to my document etc. folders in either/both accounts? I am not planning any nefarious activity or worried about any super-confidential personal info or anything -- I just have never been comfortable storing personal documents on my work PC, however benign they are. I just don't like the idea of whoever is up in IT having super easy access to pics of my kids, softball practice times, etc.

    With my previous XP notebook at work, the system admin had full access to my documents folder when I was plugged into our network. Would this still be the case with the OSX account that is joined to the domain? What about the other (non-joined) account? It would be convenient to use my second, local account for a personal calendar, etc. if I knew it would take more than just a quick peek by the system admin to view my info remotely.

    (I do know that of course they have physical access to my MacBook when I am not there, and nothing is truly confidential. Just trying to figure out the simple access issues with a domain admin who -- as far as I can tell -- does not have root user privileges. I didn't think such a thing was possible BUT I am not a network guy and out of my realm, really!)

    Thanks.
     
  5. steviem macrumors 68020

    steviem

    Joined:
    May 26, 2006
    Location:
    New York, Baby!
    #5
    Sysadmins have access to everything. Unless your non domain account uses FileVault...

    Also, just because we are able to access everything, it doesn't necessarily mean that we go about reading confidential documents.

    The only time I need to delve into users' directories on a day to day basis is if we have reason to believe they've put loads of mp3s on the server (which they invariably do, and irritates the hell out of me!) and we have to reclaim the space. Hopefully we'll have 2TB storage when I can get the server redesign sorted, but at the moment, we only have 600GB :(
     
  6. corbywan macrumors regular

    Joined:
    Feb 4, 2008
    Location:
    Forest Grove, OR
    #6
    If a tree falls in the AD forest and no one is online to hear it, does it make a noise?
     
  7. mrmarsguy macrumors newbie

    Joined:
    Jan 2, 2009
    #7
    Thanks, that's what I thought, but I still don't understand how... since these directories are not on the server, but only on my local machine. (The server is used for shares, access to support tools and network printers). Since they are not using OSX server anywhere, and root user is disabled on my machine, and they don't have my local user account passwords, I still don't understand how they have easy access to my home directories, especially for the account that is not joined to the domain.

    I'm not so concerned about the responsible current staff digging around in my personal files -- I think they have enough to do as it is. It's more the general concept of maintaining some semblance of privacy vs. convenience. Similar to how there are some things I prefer to write in a sealed letter than on a postcard. It is unlikely that either will be read, although both can be, but it takes more effort to intercept and read the postcard. I figured this setup would be more like the "letter," whereas the home user account on the local PC laptop was more like a postcard. I'm also just trying to better my understanding of how this works. It is interesting to me.

    Too bad about the storage hogs. When I used to work on a shared RAID for graphics work, it drove me crazy to see half the storage filled up with "test renders" from two years ago, long-finished projects, etc. C'mon people, that's shared space! AND someone else has to clean it up...
     
  8. steviem macrumors 68020

    steviem

    Joined:
    May 26, 2006
    Location:
    New York, Baby!
    #8
    Well, there is a setting in Directory Utility which allows you to specify the groups who have admin access. It's in the advanced settings. We use it to add in a group called MacAdmins to make it easier for our TAs to have root access to their MBPs. You could probably remove the administrator groups from there. You can also specify that you're the only person allowed to log in (although the person who binds you to Active Directory will be able to log in).

    Perhaps turning File Sharing or Windows File Sharing off will help. But as soon as they physically log in, that's when they will be able to see stuff.

    When you bind the computer, it's the computer and its contents. Not just the user in Active Directory.
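    The "allowed admin groups" setting mentioned above is what `dsconfigad -show` reports on a bound Mac. As an added example (not code from the thread or from Apple), the script below parses that output and lists which AD groups are granted local admin rights, so you can check whether a group such as MacAdmins has been added beyond the defaults. The sample text, the `corp.example` domain and the group names are constructed; the exact `dsconfigad -show` line format and the assumption that "domain admins" and "enterprise admins" are the two default groups are assumptions to verify against your own machine.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit which Active Directory groups
# receive local admin rights on a bound Mac by parsing `dsconfigad -show` text.
# On a real Mac:  dsconfigad -show > ad.txt; then call the functions on "$(cat ad.txt)".
# The block below is CONSTRUCTED sample output; domain/group names are placeholders.

SAMPLE_DSCONFIGAD_OUTPUT='Active Directory Forest          = corp.example
Active Directory Domain          = corp.example
Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Force home to startup disk     = Enabled
  Network protocol to be used    = smb

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = CORP\domain admins,CORP\enterprise admins,CORP\MacAdmins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Namespace mode                 = domain'

# Print the AD groups granted local admin rights, one per line.
# $1 = dsconfigad -show text. "not set" (no groups) yields no output.
admin_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*= *//p' \
      | tr ',' '\n' \
      | sed -e '/^[[:space:]]*$/d' -e '/^not set$/d'
}

# Number of groups granted admin rights (0 when the setting is "not set").
admin_group_count() {
    list=$(admin_groups "$1")
    [ -z "$list" ] && { echo 0; return; }
    printf '%s\n' "$list" | wc -l | tr -d ' '
}

# "yes" if any group beyond the assumed defaults (domain admins, enterprise
# admins) has been granted local admin rights, otherwise "no".
has_extra_admin_group() {
    admin_groups "$1" \
      | grep -v -i 'domain admins$' \
      | grep -v -i 'enterprise admins$' \
      | grep -q . && echo yes || echo no
}

# Human-readable summary for the reader running this stand-alone.
report() {
    echo "Groups with local admin rights on this Mac: $(admin_group_count "$1")"
    admin_groups "$1" | sed 's/^/  - /'
    echo "Extra group beyond the defaults: $(has_extra_admin_group "$1")"
}

report "$SAMPLE_DSCONFIGAD_OUTPUT"
```

    Every member of a listed group becomes a local administrator on the machine, which is the mechanism behind "the computer and its contents" being open to domain staff; trimming the list in Directory Utility (or with `dsconfigad -groups`) narrows that, while leaving the machine manageable by the group IT actually uses.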
     
  9. mrmarsguy macrumors newbie

    Joined:
    Jan 2, 2009
    #9
    Hmm. I don't actually see any group admin access options in the advanced settings of Directory Utility, but that's okay -- since binding the computer binds the computer and its contents, not just the user in Active Directory, then I assume the group admin access settings would be the same for the whole computer, not just that one user account. I see the same workgroup and NetBIOS name in network settings, under either account. And I don't want to make the IT folks unable to administer my computer... that would make them very displeased I am sure!

    I must admit I am still confused by this but I think I need more of an understanding of Active Directory, WINS, OSX account privileges and more to really grasp it. My guess is that when we (the tech girl and myself) did the steps to bind the computer to the domain, the permission/access was probably granted/assigned at that point or something. Off to do some more reading.

    Thanks for the help.
     
  10. pandakun macrumors newbie

    Joined:
    Jan 5, 2009
    #10
    AD forest binding & privacy

    Hi there! I run a small Mac group at our office, so here's my take:

    While your computer is bound to the Active Directory, like you said - all of your folders in your "home" on your Mac aren't being advertised (or, at least, they probably aren't) on same network. An administrator would need to either access your account via Remote Access (Apple's application for observing and controlling computers remotely), via the terminal (ssh), or similar. They'd need to actively access your computer to look at your files, and as others had mentioned there really isn't any desire on the admin's account to do so unless there's suspicion of some sort of virus/hacking or they're providing some sort of troubleshooting with you at the same time.

    From an admin's point of view, your computer should only have work-related material on it. This is so in case anything goes up in smoke, all that's lost is business data and nothing of personal importance to you. Especially if it's a laptop. In the PC world, this is also to prevent the spread of viruses, as they have no idea what your home computer/network's protection is like, or the stuff you may be downloading in your personal interest (internet greeting cards, etc)

    By "should", that means "rarely enforced" - personally, I don't care if you have photos of your kids, soccer practice schedules or what have you on your computer. Pirating of music, illegal content, porn, etc. I'd care about - and we have had that problem before, and usually we don't find out about it until that person quits/is fired - but mostly we care about what's on the server shares.

    If you really want to keep your documents away from the possibly prying eyes of your admins, buy yourself a small external hard drive or USB flash memory device to keep your files on. That way you can access them when you want and take it home with you, and if you suspect your system's been looked at just unplug the device. Some offices may have policies in regards to bringing in removable storage (for security reasons), so check with your IT department first. However, that'd be the most effective way to ensure your privacy while not causing havoc with the IT department who'll wonder why all the directory access settings have changed.
     
  11. garybUK Guest

    garybUK

    Joined:
    Jun 3, 2002
    #11
    Some enable home syncing. I believe Windows 2003 Enterprise had File & Print Services for Mac / Unix, which would enable them to sync your home directory up to the server when you are connected over VPN or to the company network.

    I have tried using my MacBook Pro at work but it's just a Windows world (on the desktop) :(

    I have an HP work laptop and the company policy is that the C: drive on laptops is read-only to EVERYONE, so there's no losing laptops with sensitive data on them; your My Documents is synced but encrypted. And we don't have access to install anything :( Of course, if you know the right people you can get the admin username / password :p
     