Viewing 6 posts - 1 through 6 (of 6 total)
    #360996
    kvichak
    Participant

    Hello,

    I have an AD forest/domain in which I am using OU delegation to control access to computers and member servers.

    What I want to be able to do is to add a Mac OS X (10.3) client or server to a “Computers” container within an OU (for which I have delegated administration).

    The problem —

    OS X clients allow any domain user to authenticate, even users that are not members of the “Domain Users” group.

    I want the OS X client to ONLY allow access based on policies, or at the very least group membership established by the OU administrator.

    Any ideas?

    Thanks

    #360999
    kvichak
    Participant

    Thanks for your reply.

    My follow-up question would be that the list of AD users and their group membership is fairly dynamic (7K users).

    If I use OD group populated with AD users, isn’t that a manual process? If I could use an OD group that used an AD group for its membership, would that work?

    Can you point me to any information to create the “login” hook to check AD group membership for login access control?

    Thanks!

    #361007
    kvichak
    Participant

    Thanks!

    #361009
    sketch
    Participant

    I have been told that 10.4 (Tiger) will have the kind of access control you’re looking for.

    I didn’t have time to wait for 10.4, which is why I wrote the script that’s posted in another thread; however, that can only discriminate who’s a member of a specific local group or not.

    #361304
    kvichak
    Participant

    So has anyone tried this with 10.4 yet or seen any documentation for this?

    Thanks

    #361350
    jaharmi
    Participant

    I’m interested in this, and also having the ability to allow/deny users from logging in via other means than the loginwindow. In other words, I want the Open Directory allow/deny access lists to work with all authentication methods.

    Has anyone tried this? My only attempt has not worked out well, but my test Open Directory is not terribly well set up yet.
