MCX Settings from an AD Domain Member?

  • #369994
    bentoms
    Participant

    Hi guys,

    1st up thanks for all the info in the past it has been really helpful, but I need your collective experience again!!

    So, I’ve started @ a new place & here config is as follows:

    DC for authentication & Exchange 2k3
    OS X X-Serve that’s a domain member & file server 10.4.6
    Bes Server 2k3
    SQL Server 2k3

    The client base is 65 Macs & 5 Pc’s…. 😉

    Also, I manage them all….:D

    So, what I wanna achieve is MCX settings (incl. PHD’s) for the Mac Clients… PHD’s for hotdesking isn’t needed, just DR.. So one MCX group (or computer group) should be fine, trouble is with the X-Serve being a domain member I’m guessing that it cannot apply MCX settings?

    So, if I wanted to apply MCX settings what option would you guys choose:

    Extend the AD Schema?
    or
    Set the X-Serve as an OD master…. (magic triangle)…

    Also, what are the pitfalls of extending the schema (once done successfully)…

    Cheers in advance!

    #370088
    Patrick Gallagher
    Participant

    I would configure the Mac server as an OD master and specify the location of the home directories in AD. Your Mac server will still be a “domain member”. See the AD-OD Whitepaper on this site for more info.

    #370096
    bentoms
    Participant

    Cheers Patgmac.. I know we could go with the “Magic Triangle” but, I want to try & manage all user attributes via one point.. also I want to see if this method bypasses some of the limitations that are imposed via the Magic Triangle..

    Seeing as I’m also now the AD Admin it seems like a good time to test the AD schema extensions… just wondered if there is anything to look out for before I test it..

    Who knows that damn thing may not even work & if that’s so then…. Magic Triangle here I come

    #370102
    Patrick Gallagher
    Participant

    [QUOTE]Quote by: bentoms: Cheers Patgmac.. I know we could go with the “Magic Triangle” but, I want to try & manage all user attributes via one point.. also I want to see if this method bypasses some of the limitations that are imposed via the Magic Triangle..[/QUOTE]

    User attributes are always at “one point”, even with a magic triangle. The users reside in one place. Using OD would allow you to apply MCX to OD groups (which would contain AD users or groups) and to computer lists. Which limitations are you referring to?

    [QUOTE]Seeing as I’m also now the AD Admin it seems like a good time to test the AD schema extensions… just wondered if there is anything to look out for before I test it..

    Who knows that damn thing may not even work & if that’s so then…. Magic Triangle here I come[/QUOTE]

    Schema mods are usually very frowned upon by AD admins because of the potential to seriously fubar the AD. If you do want to explore this route, take a look at shukwit.com which has a script for doing the schema mods but it’s pretty old and I’m not sure if it still works for current Win server and Tiger clients. Apple has an “AD_Best_Practices_2.0.pdf” that lists all of the schema mods that would be needed but I can’t seem to find it online now. It used to be at apple dot com slash itpro slash articles slash adintegration. I have the pdf if you would like me to send it to you.

    #370164
    bentoms
    Participant

    Sorry for the delay but here’s my reply.

    [quote]Schema mods are usually very frowned upon by AD admins because of the potential to seriously fubar the AD[/quote]

    I know but how many schema extensions are added when installing Exchange?

    [quote]Apple has an “AD_Best_Practices_2.0.pdf” that lists all of the schema mods that would be needed but I can’t seem to find it online now.[/quote]

    I’ve got it already.

    [quote]User attributes are always at “one point”, even with a magic triangle. The users reside in one place. Using OD would allow you to apply MCX to OD groups (which would contain AD users or groups) and to computer lists. Which limitations are you referring to?[/quote]

    The main issue with the Magic Triangle is that you cannot users direct as you can’t edit the AD LDAP, which means that you couldn’t allow one user access to a certain application etc… whilst not letting others without creating groups.

    What I want to achieve is to be able to apply MCX settings thru WGM at a user level, by editing the AD LDAP. (like ADMITmac.. well kind of..)

    So, Computer based settings (Directory Access, Login Banner, PHD syncing, network time, software update), then Group settings (mount points to dock & printers), then user (Application permissions when necessary etc.. ).

    #370179
    bentoms
    Participant

    So Mactroll,

    Can you please advise as to what the caveats are with this method? I’ve done the Magic Triangle before & so would like to know if in regards to client management this method has the same limitations or is it more along the line of ADmitMac?

    Also… (big wish here 😆 )… whilst there is loadsa info regarding the Magic Triangle there isn’t a great deal on this method.. Is there a White Paper hidden on this somewhere that’s far more technically minded than the apple one?

    #370240
    bentoms
    Participant

    Hey MacTroll,

    A dumb question: how do I find out who our Apple rep is? Are they a US only thing?

    I’m the IT Manager/Systems Admin here for a recently inherited network. I do have an ACDT but didn’t renew it :(.

    What about the mods @ http://www.shukwit.com? Are they still current?

    #370549
    bentoms
    Participant

    Right so after a frustrating few weeks on the phone to Apple trying to get the Schema script & trying in vain to use ADAM’s schema analyzer I’ve bit the bullet & set things up using the “Magic Triangle” method.

    So much for keeping it simple & in one place 🙄

    It seems like the good old folks & Apple UK, don’t know about the script as they didn’t even know where the document was…

    🙄
