Create Computer Groups in AD
We have recently extended our AD schema with the extensions sent to us by our Apple SE. We used the provided batch file to import the new schema. We are able to edit the MCX settings for any existing user, group and computer account, just like it is supposed to work. The problem we have is, how do we create computer groups? We cannot create a computer group through Workgroup Manager; we receive the following error. How can we create computer groups and manage the MCX settings through Workgroup Manager?
eDSNoStdMappingAvailable error -14140
A coworker has recently been looking into this. He has a theory that the schema extensions aren’t properly flagging certain attributes of the computer group as required, and the lack of those attributes is causing headaches for WGM.
I’ll try to post again if/when we figure it out. 🙂
–DH
I actually just got there. After poring through the schema changes, and looking at the mappings in the AD plist, computergroup does not exist.
There was a few minutes of incredulity, followed by the realization that this really is the case.
Any idea how the heck this got left out Joel?
From the response I received from Apple, they do not support schema extensions and are not looking at updating it anymore. They would like everyone to move towards augmented records. We looked into this but the requirement to import all our AD users stops us from using this. We have over 35,000 user records and the management would turn into a nightmare. We are unfortunately going to have to set up a golden triangle.
Any updates to this?
We’re currently testing the schema extensions in our test lab. Like others, everything seems to work except for the computer lists.
I checked with workgroup manager in 10.4 and 10.5. 10.4 shows the Guest, Windows Computers, and All Computers lists, but will not allow me to create new lists. (Error message: Not Authorized. This action failed because you are not authorized to perform the operation. I’m logged into AD with Domain Administrator privileges…)
Workgroup Manager in 10.5 does not see any computer lists, not even the three defaults that display in 10.4.
Tried elevating my account to an Enterprise Admin and still not authorized.
Did you create the Mac OS X container at the root of the domain?
AFAIK, all computer lists are automatically added to the Mac OS X container at the root of whatever domain you are pointed at. If that container does not exist, or you don’t have the appropriate privs, you won’t be able to create the computer lists.
If you are in a multi-domain environment and authenticate to “All Domains”, WGM will attempt to create the computer list in the Mac OS X container located in your forest root domain.
At least that's been my experience. I can also add that WGM against AD has always been buggy for me. Random weird permissions errors don't always accurately reflect the outcome of an operation.
In the case of computer lists, I sometimes need to type * into the search box to find the lists I created, after I was told they weren’t created.
–DH
A cheeky side note:
Hey guys, this is a fascinating topic as I have an all Windows network with a handful of Mac users and I would like to extend the AD schema to support those Macs (they only need simple management, nothing too special) but I can't find any good resources about how to actually extend the schema to do this. How did you guys get the info from Apple? Where can I get it? Does anyone recommend any tutorials or documents, as I have no experience with working the AD schema in any fashion?
Sorry for hijacking…
Jamse 😉
I’m having a similar issue, actually. I go into WGM, click on the “target”, select “ComputerLists” from the drop-down, and select “create new record” and I get a “Not Authorized” error (This action failed because you are not authorized to perform the operation). I should note that I received this method from the online seminar Tim Perfitt did on managing OS X machines with AD schema extensions. I should also note that this method worked successfully in the past, with the same credentials I’m using now.
I am, however, able to create a new computer list via dscl, using the same credentials. This is in a test domain we've got set up (2003 functional level), and I've got a Windows administrator looking at it right now. He mentioned that DNS isn't exactly working properly on the server, and is looking into it.
So I guess my question is what does WGM use that dscl doesn’t that’d make this not work through WGM? I could see if WGM was using Kerberos, and maybe certain kerberos SRV records are missing from DNS…I don’t know. Anybody see this before?
Macleod,
You said: "computergroup does not exist."
I'm not sure what you mean by this or how to fix it. I've created a new test domain and extended the Active Directory schema, but I'm still getting the "eDSNoStdMappingAvailable error -14140" error when trying to create a computer group in Workgroup Manager 10.5.5. Any suggestions?
> I’m not sure what you mean by this or how to fix it.
Joelfink,
It means that the computer group object that Open Directory uses has no analog in Active Directory. Workgroup Manager cannot create a computer group in Active Directory, and as you’ve noticed, the 10.5 version of WGM has no ability to create computer lists.
This creates a catch-22 that requires the 10.4 version of WGM to rectify.
As MacTroll states “So… you need to use 10.4 WGM to create computer lists.
10.5 introduced computer groups and that’s all 10.5 WGM will create. This wouldn’t be a problem except that the AD plugin only understands lists and groups. So create a computer list in 10.4 and then manage it with 10.5 WGM”
It's an unsatisfactory solution, but it's the only one we have for now.
If you want a slightly more technical answer as to what is happening here, look at the error you are getting back: eDSNoStdMappingAvailable. The Open Directory plugins use mappings to relate Open Directory objects (Computer, Group, User, etc.) to remote directory service objects. In this case, the AD plugin cannot map the Open Directory Computer Group object to anything in AD because there is no mapping available. AD does not have a computer group object, nor does the standard group object work for OD's computer groups.
You can see this for yourself in the ActiveDirectory plist file. In /Library/Preferences/DirectoryService/ActiveDirectory.plist -> AD Attribute Mapping Table you will notice there is a mapping for dsRecTypeStandard:ComputerLists, but there is no dsRecTypeStandard:ComputerGroups.
MacTroll told me that you could probably build your own computer group object in AD with enough know-how, but schema extension is enough of a trial without reverse engineering objects from OD. Even if you built it, and got the mappings working, there is no promise that an OS update wouldn’t wipe out the custom mapping. (The AD plugin does not support custom mappings for non-user objects)
The schema extensions and ds mappings do still contain the Computer List object though, so that is what is available to manage groupings of computers. Yes, they use MAC addresses and can’t be nested. Yes, a computer can’t belong to more than one group. They are imperfect, and a step back from the Computer Group object.
Hopefully the DS team can work to get the grouping of Computer objects fixed in some future OS release. I’d personally like to see the plugin handle computers in standard groups, like AD supports for windows clients.
–DH
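A quick way to confirm DH's explanation on your own machine is to inspect the AD plugin's mapping table for the standard record types you expect and report which ones have no mapping. The script below is an added example, not code from this thread or from Apple; it embeds a constructed sample plist (the key and record type names follow the real file, the native type values are made up) so it runs offline. On a 10.5 client you would point it at /Library/Preferences/DirectoryService/ActiveDirectory.plist instead (if that file is binary, convert it first with `plutil -convert xml1 -o - <file>`).

```shell
#!/bin/sh
# Added example (not from the thread): list the dsRecTypeStandard record types
# that the DirectoryService AD plugin maps, and report which expected ones are
# missing. The sample plist below is constructed for this example; only the
# "AD Attribute Mapping Table" key and the dsRecTypeStandard names are real.

SAMPLE_PLIST="${TMPDIR:-/tmp}/ad-mapping-sample.plist"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AD Attribute Mapping Table</key>
    <dict>
        <key>dsRecTypeStandard:Users</key>
        <dict><key>Native Record Type</key><string>user</string></dict>
        <key>dsRecTypeStandard:Groups</key>
        <dict><key>Native Record Type</key><string>group</string></dict>
        <key>dsRecTypeStandard:Computers</key>
        <dict><key>Native Record Type</key><string>computer</string></dict>
        <key>dsRecTypeStandard:ComputerLists</key>
        <dict><key>Native Record Type</key><string>apple-computer-list</string></dict>
    </dict>
</dict>
</plist>
EOF

# mapped_rectypes PLIST
#   Prints, one per line, every standard record type that has a key in the
#   mapping table (the part after "dsRecTypeStandard:").
mapped_rectypes() {
    grep -o '<key>dsRecTypeStandard:[A-Za-z]*</key>' "$1" \
        | sed 's/<key>dsRecTypeStandard://; s#</key>##'
}

# has_mapping PLIST RECTYPE
#   Exit status 0 if RECTYPE is mapped, 1 otherwise.
has_mapping() {
    mapped_rectypes "$1" | grep -qx "$2"
}

# missing_mappings PLIST RECTYPE...
#   Prints the requested record types that have no mapping, space separated.
#   An empty result means every requested type is mapped.
missing_mappings() {
    plist="$1"; shift
    missing=""
    for rt in "$@"; do
        if ! has_mapping "$plist" "$rt"; then
            missing="${missing:+$missing }$rt"
        fi
    done
    printf '%s' "$missing"
}

# Stand-alone run: on a real client replace $SAMPLE_PLIST with
# /Library/Preferences/DirectoryService/ActiveDirectory.plist
echo "Mapped record types:"
mapped_rectypes "$SAMPLE_PLIST"
echo "Missing: $(missing_mappings "$SAMPLE_PLIST" Users Groups Computers ComputerLists ComputerGroups)"
```

With the sample file the last line reports `Missing: ComputerGroups`, which is exactly the gap behind the eDSNoStdMappingAvailable error: ComputerLists is mapped, ComputerGroups is not, so WGM has nothing to create in AD for a computer group.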
Interesting thread. So in an AD only environment, with extended schema, the only way to manage computer lists is to (1) create computer list using WGM 10.4, then (2) manage these computer lists using WGM 10.5.
Is this supported by Apple? There was mention of AD schema extension not being supported by Apple. I see Apple providing written *and* online video seminars explaining how to extend schema, so I find that hard to believe.
Looking to do AD schema extension, and to use WGM to manage user/group/computer and computer list policies. From Apple’s recent (mid-2009) “Managing Mac OS X with Workgroup Manager and Active Directory” video, this should be entirely possible.
UPDATE: After doing some digging around, found you can in fact create Computer Lists in WGM 10.5. If you enable “Show all records” in WGM, then select “ComputerLists” from the drop down menu, click “New record”. Dismiss the record, then go back to the Computer Group tab in WGM and reselect the AD domain. You will see the “untitled_” computer list, rename and you’re good to go.
Don