macintosh >> Active Directory and Workgroup Manager

by Michael Bumbalough » Fri, 22 Oct 2004 10:33:22 GMT

I have an AD domain setup with Panther clients joined to the domain
and authenticating with no problems. I installed a Panther server as
a domain member server to be used for file storage. Both Windows and
Mac clients can access this server's shares with their AD credentials.
No problem.

Here is the issue. We are a school and would like to use Workgroup
Manager to manage the student stations. Workgroup Manager shows all
the AD users and groups without an issue, but every time I attempt to
use Workgroup Manager to set preferences on a Mac user, I get several
cryptic error messages and the changes aren't saved.

I think the problem is that Workgroup Manager can't write the settings
changes to AD. Does anybody have any ideas as to what I can do to get
Workgroup Manager going without running two directory services?



by Paul Nelson » Fri, 22 Oct 2004 20:59:58 GMT


in article XXXX@XXXXX.COM , Michael Bumbalough at
XXXX@XXXXX.COM wrote on 10/21/04 9:33 PM:


You would have to change your Active Directory schema to get this to work.
The reason is that the attributes that WGM wants to save in the directory
are not in the schema. Changing the schema is non-trivial.

There is a way to do managed preferences by setting up Open Directory on
your server, then creating managed groups in there that contain active
directory users. However, you can't set managed settings on an individual
user account.

You could look into ADmitMac, which will handle managed settings without
needing to change your schema. It does not require OS X server to do this.
http://www.admitmac.com

You will find a lot of info on Apple's Mac OS X server mailing list:
http://lists.apple.com/mailman/listinfo/macos-x-server

Paul Nelson
Thursby Software Systems, Inc.
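
Added example (not part of Paul Nelson's post or any vendor's code): a check of a directory's published `attributeTypes` for the attributes Workgroup Manager needs before it can save managed preferences. The names `apple-mcxflags` and `apple-mcxsettings` are an assumption taken from Apple's Open Directory schema and are not named in this thread; the schema lines and OIDs are constructed samples.

```python
import re

# Attributes Workgroup Manager writes managed-client (MCX) data to.
# Assumption: names from Apple's Open Directory schema, not from this thread.
REQUIRED = ("apple-mcxflags", "apple-mcxsettings")

# Constructed sample: attributeTypes values as read from a directory's
# subschema entry (RFC 4512 AttributeTypeDescription syntax).
SAMPLE_AD = [
    "( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
]
# Same directory after a (hypothetical) schema extension; OIDs are placeholders.
SAMPLE_EXTENDED = SAMPLE_AD + [
    "( 1.3.6.1.4.1.99999.1.1 NAME 'apple-mcxflags' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'apple-mcxsettings' "
    "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
]

# NAME is either one quoted name or a parenthesised list of aliases.
_NAME = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def attribute_names(descriptions):
    """Return every attribute name and alias, lowercased (LDAP names are
    case-insensitive)."""
    names = set()
    for desc in descriptions:
        m = _NAME.search(desc)
        if not m:
            continue  # no NAME clause: attribute is identified by OID only
        if m.group(1):
            names.add(m.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names

def missing_attributes(descriptions, required=REQUIRED):
    """List required attributes the schema does not define."""
    present = attribute_names(descriptions)
    return sorted(a for a in required if a.lower() not in present)

if __name__ == "__main__":
    print("unmodified schema is missing:", missing_attributes(SAMPLE_AD))
    print("extended schema is missing:  ", missing_attributes(SAMPLE_EXTENDED))
```

A non-empty result corresponds to the situation described above: the directory has nowhere to store the settings, so the save fails.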





by Michael Bumbalough » Sat, 23 Oct 2004 12:12:18 GMT

On Fri, 22 Oct 2004 07:59:58 -0500, Paul Nelson < XXXX@XXXXX.COM >



Thanks for the input. I looked at your product. Unfortunately, if I
understand your licensing rates, it would cost us 30 grand to
implement it at one school. This is way too expensive for us to
consider. I will continue to look for other options.

You were able to confirm my suspicions on what was wrong with the
setup that I have so thanks for the help.


Similar Threads

1. Workgroup Manager: screwed up home directories

Don't know how I got there.

But workgroup manager, working with the LDAP server has decided to
change the home directories of any user I have edited by adding 2
entries that are wrong, cannot be edited nor deleted. (as if it was
applying some uneditable template to them).

When I try to login to my account via a serial port or telnet, I get
placed in /99 instead of /Users/jfmezei (which isn't even listed in the
Workgroup Admin !).

When I try to login on the GUI console, it seems to accept my password
(it says Logging in after having grown the login box) but after, it
starts to shake the box and refuse to log me in.

I can login on the one account that was created locally (aka: not on the
LDAP side of things).

I was confident enough that things worked with my account that I started
to add more accounts to transfer them from my VMS boxes. And then all
hell broke loose and not only are the new accounts broken, but it also
broke my own account !!!!

Logfiles don't provide any hint of a problem.

My fear right now is that I may have to use DiskUtility from the DVD to
zap the system disk and start from scratch.

Or can anyone tell me what files need to be deleted to completely remove
that open directory/LDAP/kerberos config so I could start that one from
scratch ?

I know the above is vague. But I am quite tired and frustrated. Just
went through hundreds of pages of the Apple "Leopard Server Security
Config" manual with 90% of it related to how to disable something on the
GUI, very little about actual security.


I *despise* system management software that prevents me from doing what
I need to do.  As a system manager, I should be able to delete any
record/attribute or edit them. Arghhhh !

So far, I am not impressed with the OS-X security. There is a whole
chapter on "intrusion detection", but it is just one page and points to
a nonexistent web page on the Apple web site! But I did find out in a
previous chapter that I need to install additional auditing software to
audit log files.

Apple still has some ways to go before it even approaches the
comprehensive, YET SIMPLE security of VMS.

I realise I am new at this, and I should really give it more time to
better learn it. But when you are not even allowed to fix stupid home
directory definitions for a user, that does not inspire confidence.

What if I had 10,000 users that all got screwed when I tried to create
the 10,001 and the system won't let me fix it ?

2. migrating workgroup computers to Active Directory on Win 2003

3. compatibility between W2K Active Directory and W2k3 Active Directory

Are there any known troubles with changing a Role Master from
a 2000 DC to a 2003 DC?

Thanks for your help
with best regards

Dani

4. windows for workgroups 3.11 compatibility with Windows 2003 Active directory

5. Moving from Workgroup to Active Directory Domain

Hi all

I have set up a new domain using Windows Server 2000 with
Active Directory.  I have set up the user accounts and
given the rights and security settings.  I can add the
client computers (all Windows 2000 Pro) to the new domain
and I can log onto the new domain with the new user
accounts.  But when I try to transfer the profile from the
local user to the new domain user the settings won't
take.  I must change the local user rights to
administrator for Explorer/Office/mail and all the other
programs to work.  I can't then reduce the rights as the
software will not work.  I also tried changing the
registry settings to point the old profile to the new one
but again need admin rights?  Any suggestions?

Thanks in advance

Joe

6. question on upgrading from active directory 2000 to active directory 2003

7. Active Directory, Active Directory Federation Services and Microsoft Integration Identity Server

8. From Active Directory to Stand Alone Workgroup Server