MAC / AD integration / Security

[mtaggart]

I have recently implemented a Mini Mac Server and binded OD with AD.

I have end users using MAC’s to login using their AD user account. The problem I’m facing is, those end users are not able to do any of the following:

Manage their print jobs
Run Software Updates
Open documents from SAP – it’s trying to create a temp directory on their local disk and being denied

If I give the end users Admin rights or supply them with the Administrator password those same items all work. We’re not going to do either of those things, but would rather fix the issue without giving them Admin rights.

How can I allow the end user to use their AD logins and security associated with them to allow them to do the 3 items listed above?

On a side note – is it possible to push AD Group Policy to those MAC’s/End Users?

Regards,

Mike

[kennyj]

In order to manage print jobs, you can add the everyone group to the _lpadmin group on the local directory… you can write a simple script to do this on all your machines.

Non-Admin users should probably not be running their own software updates. Please look into ways of automating this, or managing it with a management suite. We use Casper Suite here and have had great success. You could allow your users to update their machines if you want them to do it through the command line by configuring /etc/sudoers with the visudo command. You will most likely need to write a quick script that calls sudo to run softwareupdate.

As far as opening documents from SAP, where does the application want to place this temporary directory and what do the permissions of this location look like?

There are a lot of great scripts included with the Casper Suite resource kit that you can use even if you don’t have the suite. Check it out at jamfsoftware.com

[Author]

Posts