Transition to Active Directory
Richard Clark
Senior User
Join Date: Apr 2000
Mar 16, 2005, 05:03 PM
 
Hello,

We're going to start having Macs validate through Active Directory. Each workstation has a super user account right now.

Is there a way that I can transfer the setting (i.e. how the dock is set up) to the new account that Active Directory will have? What we want to do is avoid having to reset up all the settings for applications and the dock when the user goes to their new account. Each Mac User is going to have to have a PC Account/Password created.

Any ideas, tips or tricks would be great.

Thanks in advance!
"Tough Little Ship" - Riker
"LITTLE?" - Worf after having the Defiant salvaged by the Enterprise (First Contact)
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Mar 16, 2005, 05:21 PM
 
Originally posted by Richard Clark:
Hello,

We're going to start having Macs validate through Active Directory. Each workstation has a super user account right now.

Is there a way that I can transfer the setting (i.e. how the dock is set up) to the new account that Active Directory will have? What we want to do is avoid having to reset up all the settings for applications and the dock when the user goes to their new account. Each Mac User is going to have to have a PC Account/Password created.

Any ideas, tips or tricks would be great.

Thanks in advance!
Make sure they're all running 10.3.8. I know 10.3.7 won't run with our AD domain here, I haven't tried yet but I have my fingers crossed for 10.3.8.

I hate to sound annoying, but why are you running the super user account on all the workstations? That's usually a bad thing. I'd get prepared for every reply after this from everybody else to note that also.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Richard Clark  (op)
Senior User
Join Date: Apr 2000
Mar 16, 2005, 06:49 PM
 
Thanks for the e-mail.

We are running 10.3.8 on all workstations.

Having the single account for right now was for simplicity. We have one room where there are three accounts on each machine and it is a big headache regarding permissions.

Also, the users don't have the Super User password to install software. Just I.T.

I've known for almost two years that we would be going to Active Directory. When they finally decided to start naming workstations and put a uniform system in place I made sure that there was one account for each workstation. It has worked well. But I'm very thankful we're going to AD.

Each user will have a "Letter" drive where they can store their data (which will be on a server). We can finally clean off the Macs to where it is just the apps.

This is a good thing and I'm looking forward to it once it's complete!
"Tough Little Ship" - Riker
"LITTLE?" - Worf after having the Defiant salvaged by the Enterprise (First Contact)
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Mar 16, 2005, 11:47 PM
 
Originally posted by Richard Clark:
Thanks for the e-mail.

We are running 10.3.8 on all workstations.

Having the single account for right now was for simplicity. We have one room where there are three accounts on each machine and it is a big headache regarding permissions.

Also, the users don't have the Super User password to install software. Just I.T.

I've known for almost two years that we would be going to Active Directory. When they finally decided to start naming workstations and put a uniform system in place I made sure that there was one account for each workstation. It has worked well. But I'm very thankful we're going to AD.

Each user will have a "Letter" drive where they can store their data (which will be on a server). We can finally clean off the Macs to where it is just the apps.

This is a good thing and I'm looking forward to it once it's complete!
The last person who was here set up all the machines to be admined by the super user, and I'm actually trying to get the person in charge of computer rebuilds to stop enabling super user. If you want to control who can install software, make the end user account non-admin, make an admin account that's admin, and don't bother with root. The super user can cause quite a bit of damage, even on accident.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Richard Clark  (op)
Senior User
Join Date: Apr 2000
Mar 17, 2005, 10:11 AM
 
I need to clarify - we have on most Macs one account that is Admin. We have set it up so it's an Administrator account. I'm still having to make changes from my old boss having his name on the account. We're about 90% of the way there.

It's been hard and slow getting agreements on standardization. But we're getting there which really helps.

The next thing is to make sure this transition to Open Directory goes well.

What I'm concerned about is that I will have to go around to every machine and reset up their docks. When they log into their new PC account through AD the dock is the default for a new account. Any tips on how to transfer the settings to the new account would be great. Thanks!
"Tough Little Ship" - Riker
"LITTLE?" - Worf after having the Defiant salvaged by the Enterprise (First Contact)
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Mar 17, 2005, 10:23 AM
 
Well, you can change the default settings in /System/Library/User Template. Use sudo to hand-edit the Dock plist, or set up a dummy user just how you want, then copy the files into the appropriate place. Make sure you change ownership & permissions to match the rest of the contents.

You can just prepare the plist on one machine, then use scp to push it out to a bunch of machines. I can help you with this if you're not Terminal-savvy.

I'm also quite sure that OS X Server & Mac Manager can handle this and a million other things easily, but I take it you don't want to make the investment.
( Last edited by Mithras; Mar 17, 2005 at 10:32 AM. )
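
The User Template approach described in the post above, as an added shell example that is not part of the original thread: it installs a prepared Dock plist into a template folder and takes ownership and mode from a file already sitting beside it, then verifies the result. The function names and the sibling-file reference are assumptions of this example; on a real Mac the template root is typically a localized subfolder such as "/System/Library/User Template/English.lproj", and the script is run as root.

```sh
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).

# mode_of FILE -> the 10-character type/permission string printed by ls -l
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_dock_template SRC TEMPLATE_ROOT
install_dock_template() {
    src=$1
    prefs="$2/Library/Preferences"
    dest="$prefs/com.apple.dock.plist"

    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    [ -d "$prefs" ] || { echo "no Preferences folder under: $2" >&2; return 1; }

    # Reject a malformed plist before it reaches every new account (macOS only).
    if command -v plutil >/dev/null 2>&1; then
        plutil -lint "$src" >/dev/null || return 1
    fi

    # Use an existing sibling file as the ownership/mode reference.
    ref=
    for f in "$prefs"/*; do
        [ -f "$f" ] && [ "$f" != "$dest" ] && { ref=$f; break; }
    done

    tmp="$dest.new.$$"
    if [ -n "$ref" ]; then
        # cp -p clones the mode (and owner/group when run as root);
        # the redirect below then replaces only the contents.
        cp -p "$ref" "$tmp" || return 1
    else
        # Empty template folder: fall back to an owner-only file.
        (umask 077; : > "$tmp") || return 1
    fi
    cat "$src" > "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }

    # Verify the contents and that the mode matches the reference file.
    cmp -s "$src" "$dest" || return 1
    [ -z "$ref" ] || [ "$(mode_of "$dest")" = "$(mode_of "$ref")" ]
}
```

To push the same plist to many machines, copy it over with scp first and run the function on each host, so the ownership check happens where the file lands.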
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Mar 17, 2005, 03:09 PM
 
Originally posted by Richard Clark:
I need to clarify - we have on most Macs one account that is Admin. We have set it up so it's an Administrator account. I'm still having to make changes from my old boss having his name on the account. We're about 90% of the way there.

It's been hard and slow getting agreements on standardization. But we're getting there which really helps.

The next thing is to make sure this transition to Open Directory goes well.

What I'm concerned about is that I will have to go around to every machine and reset up their docks. When they log into their new PC account through AD the dock is the default for a new account. Any tips on how to transfer the settings to the new account would be great. Thanks!
Oh ok. Super user is different than admin.

If you can swing it, the best way might be to put up a second server running OS X running Open Directory. Have it use the accounts from the Active Directory server, and serve those accounts via Open Directory. Then you can control the OS X clients via Open Directory, and the dock settings should be fine along with everything else. You might also be able to rig it up so that the OS X Server creates a home folder for the user in that user's Windows share.

I'll get a bit more information for you. I was certified for 10.2 server so I'm a bit out of date.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
goMac
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Mar 17, 2005, 03:11 PM
 
Originally posted by Mithras:
Well, you can change the default settings in /System/Library/User Template. Use sudo to hand-edit the Dock plist, or set up a dummy user just how you want, then copy the files into the appropriate place. Make sure you change ownership & permissions to match the rest of the contents.

You can just prepare the plist on one machine, then use scp to push it out to a bunch of machines. I can help you with this if you're not Terminal-savvy.

I'm also quite sure that OS X Server & Mac Manager can handle this and a million other things easily, but I take it you don't want to make the investment.
He wants to make sure the dock settings are stored for the user on the active directory system. I'm not sure that would work great if he didn't have another OS X server proxying.

He probably wants to integrate with his current active directory system which means he can't just simply move the whole thing to OS X server. Also Mac Manager is on the way out as it only works with Mac OS 9 clients.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Jellytussle
Dedicated MacNNer
Join Date: Jan 2001
Location: Badfort
Mar 18, 2005, 03:16 AM
 
Are you planning on having network home directories? NOT just a 'letter drive' mounted on the user's Desktop, but an automounted home directory achieved with the AD plugin by setting 'localhome disabled' using the CLI tool.

If you are, then you will need to transfer each user's current local home directory to your server over SMB (to split forks correctly), and ensure that this is set as their AD 'homeDirectory' attribute (in the profile tab in AD users & computers), with correct privileges and sharing.

If you are keeping the home directory local to the Mac, and simply mounting their share at login (the default behaviour), then you need to bind the client Mac to AD, then (as root) change the user's home directory permissions to their network account (also changing the directory name, if necessary, to match their sAMAccountName). You will need to remove the local mac account, since Panther always searches for accounts locally first.

If all of this sounds daunting, pay someone to do it.
You see, my friends, pirates are the key. - thalo
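
The local-home case from the post above, as an added shell example that is not part of the original thread: it renames an existing home directory to the network account's short name and re-owns its contents, refusing to proceed when the account does not resolve or the target already exists. The function name and the sample paths are assumptions of this example; removing the old local account is a separate step that it does not perform.

```sh
#!/bin/sh
# Added example (hypothetical helper name, not from the thread).

# adopt_home OLD_HOME ACCOUNT
# Run as root, after the Mac has been bound to the directory.
# Prints the new home path on success.
adopt_home() {
    old=$1
    acct=$2
    new="$(dirname "$old")/$acct"

    [ -d "$old" ] || { echo "no such home: $old" >&2; return 1; }

    # The account must resolve through the system's account lookup
    # before anything on disk is touched.
    uid=$(id -u "$acct" 2>/dev/null) || { echo "cannot resolve: $acct" >&2; return 1; }
    gid=$(id -g "$acct")

    # Rename so the folder matches the account's short name.
    if [ "$old" != "$new" ]; then
        [ -e "$new" ] && { echo "refusing to overwrite: $new" >&2; return 1; }
        mv "$old" "$new" || return 1
    fi

    # -h re-owns symlinks themselves instead of the files they point at,
    # so a link inside the home cannot redirect the change elsewhere.
    chown -R -h "$uid:$gid" "$new" || return 1

    # Anything still owned by a different uid means the hand-over failed.
    left=$(find "$new" ! -user "$uid" -print | head -n 1)
    [ -z "$left" ] || { echo "still foreign-owned: $left" >&2; return 1; }

    echo "$new"
}
```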
     
Jellytussle
Dedicated MacNNer
Join Date: Jan 2001
Location: Badfort
Mar 18, 2005, 03:20 AM
 
Originally posted by goMac:
He wants to make sure the dock settings are stored for the user on the active directory system. I'm not sure that would work great if he didn't have another OS X server proxying.

He probably wants to integrate with his current active directory system which means he can't just simply move the whole thing to OS X server. Also Mac Manager is on the way out as it only works with Mac OS 9 clients.
OS X server does not 'proxy' accounts from AD. You can join client Macs to both AD and OD, to allow management using MCX, but Apple do not support binding an OS X server, acting as an OD master, to an AD domain.
You see, my friends, pirates are the key. - thalo
     
Richard Clark  (op)
Senior User
Join Date: Apr 2000
Mar 18, 2005, 11:55 AM
 
I appreciate all of the e-mails and information.

We do have an OS X server that we use for imaging. But our admins do not want to work with Directory Access/OS X Server. They want everything on their side.

Connecting up the Directory Access is going well. I've bound about 90% of our workstations.

About transferring preferences (i.e. Dock etc). It looks like I'm going to have to copy the user preferences into the new account. When a user logs into the computer an account folder is created. So the preferences from the Administrator account will be copied over.

The only thing is that it won't go with the user if they have to log into a different machine. It's starting all over again. But that shouldn't happen too often.

One of the nice things with AD is that we will have a "letter drive" available to store all files. The flip side is that once that is set up and in use I'm going to have to go clean up all of the workstations. I have ARD and may put some scripts together to help.
"Tough Little Ship" - Riker
"LITTLE?" - Worf after having the Defiant salvaged by the Enterprise (First Contact)
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Mar 18, 2005, 01:08 PM
 
1. Where do each user's preferences live currently?
I'm a little confused on this. The local user currently logs in as "Admin", is that correct? Or most have a different local account?

My impression is that you're saying when they log in for the first time via AD, a *local* account is created, and that this local account is a "fresh" account. If that's the case, you could indeed automatically copy the settings from the current local user to that /User Template/ folder I mentioned, so that the "fresh" account automatically keeps those same settings.

2. Under AD, what exactly is the mounting sequence?
Per Jellytussle's question, it sounds like you're not mounting a remote volume as the home folder per se, but just as an extra server they should save documents to.

When does this mounting happen? Prior to/concurrent with login, via a -LoginHook or the binding to Active Directory? Or after login, with a Login Item or somesuch?

If it's the former, don't you think you could replace either the entire ~/Library/Preferences folder, or some selected files, with a symlink to a folder in the user's mounted server volume? (Again, you could make this change in the /User Template/ folder, so that any new local user would keep the correct mapping.) That would take care of the problem of losing your preferences when you log in to a different machine.
You could do the same with the ~/Documents folder, to ensure that people save their work to the remote drive, rather than the local disk.

Lastly, if you haven't already, I'd ask around at http://www.macosxlabs.org, which is a great resource with friendly people.
     