Mac admins who deal with windows environments

Old 28 January 2009, 11:41 AM
#1
SwissTony
Thread Starter

Got a very large corporate client that is primarily windows based (though they are starting to roll out Lotus Notes in a big way). Have a few departments that are mac based and this scenario of the macs using the network for web and email access via a proxy server has been okay for now. No need to activate the AD facilities of the macs in any way until now.

They are having a big expansion on the macs side and need us to implement their security policies on the macs almost mirroring the windows desktop environment in terms of lock downs, browsing etc.

This would also involve AD and how the macs can link to the password policies they have in place etc.

Now, the question is, I have to prepare a document over the next few days that shows how best to link the macs into the AD and also how the macs can come under the yoke of their strict IT policies. So I need your help

Anyone have any links to documents or have indeed written one that I can lean over your shoulder and blatantly crib
I would be most grateful and as a way of saying thanks will offer a large virtual beer (see below) for the person who helps me out

Old 28 January 2009, 12:04 PM
  #2  
Markus

Ah, Mac integration into a Windows environment. A subject I know a little bit about as it's what quite a few of our clients do.

Have a look at this for starters, specifically the portion about getting OS X client to authenticate against an AD server. This would allow them to use their AD login to login to the Macs or PC, and it should be bound by the same policies that the PC would use.

Do the PC's have control over what applications can be run? If so, then I'd assume this is something they would want on the Macs as well? In that case you'd be looking at adding MCX settings to the user/group/machine records, and typically, using OS X Server's workgroup manager (bound to the AD domain as well) would be the most simple option to do this. However, it might mean having an OS X Server. I think there is/are a product/s out there that would allow you to do this on a PC, without the need for an OS X Server, but I could be wrong. I'd need to have a search, which I'll do for you in a little while.
Old 28 January 2009, 12:10 PM
#3
SwissTony
Thread Starter

Ah I knew you would be along shortly, the lure of that beer was too much to resist

Currently they get all their mail via the exchange server but are considering getting an OS X Server (XServe) only if it can
a) be integrated into their current IT infrastructure
b) comply with IT security user/desktop policies

Now obviously they have been informed that the server can do all this and more, it is just getting it down in words in a format that the end user and IT dept understand as they are all Mac illiterate.

Oh and then to throw things into the mix, they are moving away from Exchange soon and into Lotus Notes. Now since IBM have brought out the latest version to include and support macs it is a viable option. Just one we have to get our heads around before rollout
Old 28 January 2009, 12:48 PM
  #4  
darlodge

I've implemented a Mac OS X Server and 10 macs into our W2K3 AD infrastructure. I've got loads of links at the office but I'm on a different site at the moment.

All of our users log in with their Active Directory account and then there is a trust between the Apple Realm and the Kerberos Windows domain.

Computer and User group policies will not propagate on to the Macs so I locked our Mac Workstations using a computer policy on Apple's Open Directory.

Darren
Old 28 January 2009, 12:56 PM
#5
SwissTony
Thread Starter

Originally Posted by darlodge
I've implemented a Mac OS X Server and 10 macs into our W2K3 AD infrastructure. I've got loads of links at the office but I'm on a different site at the moment.

All of our users log in with their Active Directory account and then there is a trust between the Apple Realm and the Kerberos Windows domain.

Computer and User group policies will not propagate on to the Macs so I locked our Mac Workstations using a computer policy on Apple's Open Directory.

Darren

Top man Darren. I would be most grateful if when you get the time you could whizz over some gumf for me to work with.
BTW did you get the proxy authentication issue sorted ?
Old 28 January 2009, 01:06 PM
  #6  
Markus

Darren,
Could you give me the run down on what you did? I'm going to assume it's something like the following:

1) In Server Admin on OS X Server you went into the OD Service and set it to the option, umm, think it's "connected to a directory system"

2) Went into Directory Utility and added an entry for the AD server you wished to bind the server to.

3) Went into Workgroup Manager, changed the node from "Local" to "Active Directory" and then you picked a user/group, clicked the "Preferences" option and then, for example, went into "Applications" and configured what apps they could use.

You then, on the clients, simply bound them to AD, and got the users to login using their AD account, which, a) logged them in, and b) provided the security policy as per your definitions in workgroup manager's "Preferences" option.

The reason I ask is that whenever I've tried the above, I always get an error when I'm trying to save the changes to the user in workgroup manager. It's probably my AD Server more than anything, probably DNS as I don't think I've got that setup quite correctly.
Old 28 January 2009, 02:40 PM
  #7  
mike1210

On Leopard I bound my server to AD then set the OSX server as an Open-Directory master, apparently OSX knows at this point you are running a dual setup and makes the appropriate changes.

With tiger I used to use nested groups in that I made an open-directory group and nested it to an Active Directory security group
Old 28 January 2009, 03:02 PM
  #8  
hodgy0_2

for starters I know **** all about Macs

but from reading this thread are we talking about two slightly different solutions

1) seems to be the integration of Mac desktops into a Windows LDAP authentication domain (to use generic terms) in order to take advantage of "group policies" etc.

but still keeping 1 LDAP directory

2) the integration of a Mac LDAP directory to a Windows based one using trust etc.

or am i barking up the wrong tree (very possible)
Old 28 January 2009, 03:30 PM
  #9  
Markus

When it comes to "Group Policies" it depends what you're looking at. Password policies and things like that should be respected by simply binding the OS X client to the AD domain. If you're talking about control of what apps can be run, then that's where things get "interesting" as from what I understand, you could, via group policy in AD, specify, for example, what apps can be run. This will NOT be applied to a Mac, and that's where the possible inclusion of an OS X Server comes into play, as you'd use Workgroup Manager to configure the MCX settings, which is what allows you to control app launching and other things.

Basically the MCX settings add items to the record for the user, so if we're bound to an AD server, you're essentially adding information to the users LDAP record (as AD is essentially LDAP). When the mac logs in, it will read the MCX data from the user record and apply it.
Old 28 January 2009, 03:45 PM
  #10  
hodgy0_2

So as I see it -- it depends what functionality you want from the Mac integration

simple single sign on and respect for password policies is relatively straightforward, but client control thru AD group policies would not work

to achieve that you need an OS X server

So MCX settings (supplied by the Mac OS X server) = the ADM settings in group policy (which only apply to Win OS's)
Old 28 January 2009, 04:08 PM
  #11  
Markus

Originally Posted by hodgy0_2
So as I see it -- it depends what functionality you want from the Mac integration

simple single sign on and respect for password policies is relatively straightforward, but client control thru AD group policies would not work

to achieve that you need an OS X server

So MCX settings (supplied by the Mac OS X server) = the ADM settings in group policy (which only apply to Win OS's)

Yup, simple sign on and password policy stuff is really a case of going into Directory Utility / Directory Access on the Mac and setting up the Active Directory plugin that's in there. Reboot (well, you don't really need to, but it's usually best to do so) and then try logging in using your AD credentials and you should find you'll get logged in.

Yes, you're pretty much spot on with the MCX = AD Desktop Lockdown Policies and that you need an OS X Server to add those items to the user's AD record.

I know a fair bit about how MCX works, and it's essentially just putting xml data into the user record. The key point is that you need to know the layout structure for the XML (if you've ever seen property list files on OS X then you'll have an idea of how things are structured, I think it's similar to normal XML type files though) for MCX, and you can't guess what the keys/strings would be. That's where Workgroup Manager comes into play, as it provides a GUI for adding this.
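Markus's point that MCX is just XML plist data held in the user record, as an added example that is not from the thread or from Apple: a Python round trip through an MCXSettings-style payload that then flags which managed keys are only set once (so a user can change them afterwards). The container key names (mcx_application_data, Forced, Set-Once, mcx_preference_settings) are assumed from what dscl shows for managed records, and the com.apple.dock keys are purely illustrative, not a policy the thread describes.

```python
import plistlib

# Constructed MCXSettings-style payload: the XML that Workgroup Manager stores
# in a managed user/group/computer record. Container key names are assumed
# from dscl output of managed records; the dock keys are illustrative only.
SAMPLE_MCX = {
    "mcx_application_data": {
        "com.apple.dock": {
            # "Forced": re-applied at every login, the user cannot change it
            "Forced": [
                {"mcx_preference_settings": {"orientation": "left",
                                             "tilesize": 36}}
            ],
            # "Set-Once": applied once, after which the user may change it
            "Set-Once": [
                {"mcx_preference_settings": {"autohide": True}}
            ],
        }
    }
}


def to_xml(settings):
    """Serialise the MCX dict to the XML plist form stored in the record."""
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML)


def managed_keys(xml):
    """Parse MCXSettings XML into {domain: {key: (mode, value)}}."""
    data = plistlib.loads(xml)
    result = {}
    for domain, modes in data.get("mcx_application_data", {}).items():
        keys = {}
        for mode in ("Forced", "Set-Once"):
            for entry in modes.get(mode, []):
                for key, value in entry.get("mcx_preference_settings", {}).items():
                    keys[key] = (mode, value)
        result[domain] = keys
    return result


def not_enforced(xml):
    """Keys a lockdown review should flag: set once, so the user can undo them."""
    return sorted(f"{domain}:{key}"
                  for domain, keys in managed_keys(xml).items()
                  for key, (mode, _) in keys.items() if mode != "Forced")


if __name__ == "__main__":
    xml = to_xml(SAMPLE_MCX)
    print(xml.decode())
    print("not enforced:", not_enforced(xml))
```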
Old 03 February 2009, 12:33 PM
#12
SwissTony
Thread Starter

Originally Posted by darlodge
I've implemented a Mac OS X Server and 10 macs into our W2K3 AD infrastructure. I've got loads of links at the office but I'm on a different site at the moment.

All of our users log in with their Active Directory account and then there is a trust between the Apple Realm and the Kerberos Windows domain.

Computer and User group policies will not propagate on to the Macs so I locked our Mac Workstations using a computer policy on Apple's Open Directory.

Darren
Darren
If you get the time could you send over those links you talked about. Just need to finalise some documents for the client
Old 03 February 2009, 03:30 PM
  #13  
darlodge

Originally Posted by SwissTony
Top man Darren. I would be most grateful if when you get the time you could whizz over some gumf for me to work with.
BTW did you get the proxy authentication issue sorted ?
Sorry Swiss, I totally forgot
I'll have a search and get back to you.

Markus, I'll also answer your question.
Old 03 February 2009, 05:35 PM
#14
SwissTony
Thread Starter

Originally Posted by darlodge
Sorry Swiss, I totally forgot
I'll have a search and get back to you.

Markus, I'll also answer your question.
Cheers darren
Old 05 February 2009, 03:02 PM
#15
SwissTony
Thread Starter

Anyone ???
Old 05 February 2009, 03:36 PM
  #16  
darlodge

Sorry forgot again

This is the best guide I could find from Apple - Apple - Business - Mac Solutions - IT Solutions

General websites I used for finding answers
Special Report: Active Directory Issues with Mac OS X Leopard
OSXFAQ • View forum - Mac OS X Server

Used this website for Kerberos logging and problem
Extending and Troubleshooting Directory Services


I also have a few PDF's that I downloaded that you are welcome to. One is from Joel Rennich from afp548.com. The one from Apple (Leveraging_AD_on_MOSXS_2.0.pdf) is probably the best and had the best advice and tips.

I admit the whole process was easier than I thought. I had never used a Mac of any kind and then 6 iMacs and an XServe landed on my desk. I had the whole lot working in 2 weeks. It took me longer trying to work out how the **** the OS worked!

Darren
Old 05 February 2009, 03:44 PM
#17
SwissTony
Thread Starter

top man

I shall send you a pm with my email addy for the pdf's

appreciate all the help