Limit login on Server to AD Domain Admins

[emailman]

I have bound my Xserve (10.3.9) to our W2K3 domain having checked “Allow administration by” in the AD config leaving the default groups (Domain & Enterprise Admins), but when I log in to the server using a Domain Admin account, I am not able to administer. I launch WGM (authenticating with a local admin) and my Domain Admin account (as well as the others) does not have “administer the server” checked.

My goal is to limit login to the server to local admins and the AD Domain/Enterprise Admins preventing login by other AD users. Any help is appreciated.

[arekdreyer]

[QUOTE]when I log in to the server using a Domain Admin account, I am not able to administer[/QUOTE]

This just refers to local administration, like being able to run Software Update or change system preferences that affect more than the currently logged in user.

I suppose you can’t lock the server in a room that non-admins don’t have a key to?

[emailman]

I rebooted the server and connected WGM and noticed that now the admins DO have “administer this server” checked.

However, the program will often spin its wheels and the credential cache and/or WGM will often peg the processor and resource usage soars. I don’t know if it’s due to the quantity of AD users–it’s pulling over 7,000 entries. After talking with an Apple rep, he said 10.4’s AD integration works much better than 10.3’s. So he sent me a 60-day demo of Server. I’m going to give that a shot.

(FYI: Our server room isn’t locked during the day. Any offenders simply get taken out back and shot. We have a clean record so far. :>)

[Author]

Posts