Managing Computer Lists via AD
February 19, 2011 at 12:47 am, Frank_T (Participant):
Hi everyone,
At work my area is looking at how best to integrate Macs into the existing IT infrastructure in order to keep support costs to a minimum. One of the solutions is to push out MCX settings to all Macs via Active Directory by applying the Mac schema to our domain. We currently have a test domain with the Mac schema applied to it which meets most of our requirements, but we have come across a limitation in managing computer groups with Workgroup Manager.
I’ve read and followed the instructions of “Workgroup Manager and Active Directory with Extended Schema Technical White Paper May 2009” to create ‘apple-computer-lists’ objects with ADSI edit which works as expected with computer-lists showing up in workgroup manager. (see below link for image)
[url]https://lh4.googleusercontent.com/_gKLJ5PTcPxY/TV8IS0r1-KI/AAAAAAAAAA0/Inzg2SUM4pQ/image001.jpg[/url]
The issue we have is that the object in Active Directory doesn't show up as a normal security group if we create it with ADSI Edit, so we are unable to add new computer objects in the Members tab; only Workgroup Manager is able to add computer objects to the group and update the 'apple-computers' string in the schema when adding new computer objects to the computer list.
As you can see from the screenshot below, we don't have a Members tab like we normally would in a security group in AD to add computer objects to, but we do see in the Attribute Editor that the computers added with Workgroup Manager show next to the apple-computers attribute as values.
[url]https://lh5.googleusercontent.com/_gKLJ5PTcPxY/TV8ITFIBLRI/AAAAAAAAAA4/8c2VQolUXkU/image002.jpg[/url]
In a small environment manually adding computer objects to these groups via Workgroup Manager is feasible, but this isn't practical when applied to a large number of computer objects. We currently have around 700 Macs we manage, with the long-term plan to support many more in the coming years. Currently with PC objects we have batch files (and in future Windows PowerShell scripts) that automate new computer objects being moved into the security groups they should fall under as they come online, making managing policies across departments easier at a group level. Since the objects that ADSI creates are not normal security groups in AD, is there a way we can automate or change the schema to make adding new computer objects to groups easier to manage in a large environment? The solution can be on the Mac side with Workgroup Manager or in Windows (preferred), as that is how it's currently done on our domain.
Keep in mind this only applies to security groups with computer objects. If we set up a security group in Active Directory and add user objects, Workgroup Manager reads the group correctly and applies the settings as required to the members of that security group.
We are happy to use Workgroup Manager to apply the MCX settings to each group, but we are looking for a solution to automate how new and existing computer objects can be moved into the required security groups, as manually moving them with Workgroup Manager isn't practical with the number of computer objects we have.
Currently Macs in our environment are not bound to anything, and management isn't looking at replicating the AD directory into OD since so many systems are already linked to AD and the magic triangle has its own bucket of issues. So the ideal solution is to get the Macs to play nicely with AD as a means for us to continue the justification of having Macs as an alternative platform in our environment.
Any help is appreciated.
March 3, 2011 at 11:18 am, Frank_T (Participant):
Correct, computer lists are not regular security groups. One of our admins has come up with a PowerShell script that will run on the domain controller, filter what we need in our OUs and add only those objects into the computer-list string as needed, which fixes the issue of automating the adding and removing of computer objects to the computer list since the script will run hourly.
My next issue is now getting groups within groups working and MCX applying the correct settings based on those groups, such as a user object that has higher access levels on a computer object that doesn't, so the user MCX settings apply over the computer settings at login, as in a lab for example.
Reading the white paper, there isn't an explanation of why we shouldn't use a further attribute inside the apple-group class.
Currently the white paper on how to map the Mac schema to AD lists only the following options that should be selected in AD Schema Analyser:
apple-group
  subclassOf: top
  rdnAttId: cn
  mayContain: apple-group-homeowner
  mayContain: apple-group-homeurl
  mayContain: apple-keyword
  mayContain: apple-mcxflags
  mayContain: apple-mcxsettings
  mayContain: apple-user-picture
  mayContain: ttl
But for some reason they don't include this attribute:
  mayContain: apple-group-nestedgroup
This may allow Workgroup Manager to see AD objects created with ADSI, or normal security groups, as computer groups, since the computer-lists attribute was really only required for 10.4 and below, as there were no computer groups for OD back then. Since 10.5 Workgroup Manager supports computer groups and even has a button to allow admins to upgrade computer lists into computer groups, and I believe this is the attribute.
Keep in mind I need to test this in a VM as it's a one-way street with AD and making changes to its schema, which is why it's a risk to play outside of the white paper Apple put out back in 2009 about this. So I'm currently looking at how one disables or renames classes and attributes in AD in the event they're not needed anymore, since deleting them is not an option.
And FYI for anyone interested, 10.7 Server has even more classes and attributes than 10.6, but it doesn't change anything in the 10.6 OD schema; it only adds to it.
So there are two possible reasons why Apple hasn't recommended using apple-group-nestedgroup:
1. It doesn't work, and if applied will do some weird stuff to AD LDAP.
2. They want to limit the functionality so as not to make Mac OS X Server completely redundant (magic triangle, anyone?) in the process, since having the full feature set of OS X Server's LDAP supported in Active Directory would limit the appeal of setting up another directory when one can apply the same settings to end users with AD.
And who knows, maybe with the way Apple is going with OS X Server and killing the Xserve recently, the white paper on what to import into AD for the schema may be updated to allow more options that are currently lacking and limiting its application on a large scale like what I'm trying to do.
If anyone has followed the white paper on applying the Mac schema to AD and would like to share their story, please do. I'm happy to read what you found once you applied it, how well it's working, and any issues you would like to point out that people should know about.
Oh, and as for reporting a bug, I talked to an Apple rep that we have as a contact who will forward it internally, but I don't have my hopes up that they will notice the request since Apple's focus these days is in an iOS direction :)
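The hourly domain-controller script Frank_T describes is not on the page, so what follows is an added example written for this thread rather than that admin's code. It assumes the ActiveDirectory PowerShell module is available on the DC, that the computer list was created per the white paper as an object whose multi-valued apple-computers attribute holds one value per computer, that each value is the computer's sAMAccountName (name with trailing $), and that the DN, OU paths, OS filter and log path are placeholders to replace with your own. It computes the set of computers that should be in the list, diffs it against the attribute's current values, and applies only the additions and removals, so re-running it every hour is idempotent.

```powershell
# Added example for this thread, not the poster's script.
# Assumptions (verify against your own schema extension and objects):
#   - ActiveDirectory module present (domain controller or RSAT).
#   - apple-computers is a multi-valued string attribute on the list object.
#   - Each value is the computer's sAMAccountName (name with trailing '$').
#   - $ListDN, $SearchBases, $LogPath and the OS filter are hypothetical placeholders.
Import-Module ActiveDirectory

$ListDN      = 'CN=staff prefs,CN=Computer Lists,DC=example,DC=com'   # hypothetical
$SearchBases = @('OU=Macs,OU=Workstations,DC=example,DC=com')          # hypothetical
$LogPath     = 'C:\Logs\apple-computers-sync.log'                      # hypothetical

function Get-DesiredMembers {
    param([string[]]$Bases)
    # Enabled computer objects under the given OUs whose OS string says Mac.
    # The OperatingSystem filter is an assumption; use whatever marks Macs in your domain.
    $names = foreach ($base in $Bases) {
        Get-ADComputer -SearchBase $base -SearchScope Subtree `
            -Filter 'Enabled -eq $true -and OperatingSystem -like "Mac*"' |
            ForEach-Object { $_.SamAccountName }
    }
    return @($names | Sort-Object -Unique)
}

function Sync-AppleComputerList {
    param([string]$Identity, [string[]]$Desired, [switch]$WhatIf)

    # Guard: an empty result usually means the query failed, not that every Mac is gone.
    # Without this, one bad run would strip every value from the list.
    if ($Desired.Count -eq 0) {
        throw "Refusing to sync: desired member set is empty"
    }

    $list     = Get-ADObject -Identity $Identity -Properties 'apple-computers'
    $current  = @($list.'apple-computers')
    $toAdd    = @($Desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $Desired -notcontains $_ })

    # -Add / -Remove touch only the listed values, so concurrent edits made in
    # Workgroup Manager to other values are left alone.
    if ($toAdd.Count -gt 0) {
        Set-ADObject -Identity $Identity -Add @{ 'apple-computers' = $toAdd } -WhatIf:$WhatIf
    }
    if ($toRemove.Count -gt 0) {
        Set-ADObject -Identity $Identity -Remove @{ 'apple-computers' = $toRemove } -WhatIf:$WhatIf
    }
    [pscustomobject]@{ Added = $toAdd; Removed = $toRemove }
}

$result = Sync-AppleComputerList -Identity $ListDN -Desired (Get-DesiredMembers $SearchBases)
"$(Get-Date -Format s) added=$($result.Added -join ',') removed=$($result.Removed -join ',')" |
    Add-Content -Path $LogPath
```

Run it once with -WhatIf on the Sync-AppleComputerList call to see the planned adds and removes before scheduling it, and schedule it under an account that has been delegated write access to the apple-computers attribute of that one list object rather than a domain admin. If your list stores values in a different form (for example a DN instead of sAMAccountName), change the ForEach-Object mapping in Get-DesiredMembers to match, otherwise the diff will try to add every computer and remove every existing value.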
April 14, 2011 at 3:54 pm, BobbyJUK (Participant):
We have applied the schema updates to our production AD schema and everything is working as we would expect.
The only real limitation with it is the one you mentioned – Computer Lists rather than Computer Groups.
Without this functionality the ability to nest machines isn't available, which limits flexibility and hinders scalability too.
It would be great to hear if Apple have any plans to add to the extensions they already provide in the future. A Computer Group attribute would be a welcome addition. As you say, the Xserve news definitely seems to point towards a server-side (and maybe OD?) wind-down.
Cheers,
Bobby

August 17, 2011 at 5:21 pm, Goldberg (Participant):
I'm not sure if this helps you, but I auto-add my Macs into a premade computer list during the bind. The relevant code from my bind script is:
# Add Mac to the staff prefs computerlist
echo "Adding Mac to the staff prefs computer list"
# AD computer account names carry a trailing '$'; $computerid and $userid are set earlier in the bind script
computername="$computerid$"
# -u/-p authenticate to AD as $userid and prompt for the password; -merge adds the value only if it is not already present
/usr/bin/dscl -u "$userid" -p '/Active Directory/All Domains' -merge "/ComputerLists/staff prefs" apple-computers "$computername"
echo "Updated AD computer list"