Forum Replies Created

Viewing 15 posts - 16 through 30 (of 35 total)
  • in reply to: Active Directory schema extensions #371179
    bentoms
    Participant

    Hi Costas,

    I too would like the scripts but I can’t seem to get them off Apple UK.

    Maybe one of the US readers happens to have a copy?

    There is a site [url]http://www.shukwit.com/[/url] that has some scripts but they seem to be quite old & I don’t know if they are still applicable.

    Regards,

    Ben Toms.

    in reply to: Mobile homes with AD Users #370753
    bentoms
    Participant

    [QUOTE]

    Hi! Many thanks for your reply. 😀

    Before I try to explain a bit further what has been setup to this point my first question comes to mind when I look at the above quote. In the profile tab I told the AD server where the home folder is, i.e. on the OD server. This works. But should I also enter something in the ‘Profile Path’ box? If yes, what should that be?
    [/QUOTE]

    Hi Mr B,

    Sorry I didn’t get back to you sooner but had an employment crisis! 😥

    Anyways, the profile path is for Win clients profiles only & so doesn’t need to be changed for your Mac profiles.

    (If you were using “Roaming Profiles” for your win profiles (READ: Portable Home Directories for Win users) then you would fill out this field).

    Hope that helps!

    Ben.

    in reply to: Mobile homes with AD Users #370654
    bentoms
    Participant

    Hi Mr B, Mr T here! 😆

    Err anyways… I think you are getting your account types mixed up, here are the account types as I know them in Tiger (sorry haven’t used Leopard Server yet).

    Network Accounts: Authenticated to LDAP server & hosted on a Server.
    Mobile Accounts : Authenticated to LDAP server for creation & created locally so can be used off site.
    Portable Home Directories: Authenticated to LDAP server for creation, created locally & on server with syncing so when in the office both copies are current.

    (From the Apple documentation on 10.5 I see that the accounts are now either: Local Account (normal), Network Account (as above), Mobile Account (same as portable home directories above)).

    Now if you have the ‘Magic Triangle’ configuration (again thinking Tiger), & you wish to use PHD’s then you need to specify the profile location in the Users Profile in AD under the Profile Tab in the Active Directory Users & Computers in the Home Folder section.

    You then add the Mac Users from AD to the OD group for MCX settings or just the Computers depending on what is needed.

    In my experience the above is true for Tiger, but I guess some of it is still applicable to Leopard.

    bentoms
    Participant

    Is this the memberd cache?

    I’ve read something about it but as of yet have not done it.

    Is there a link to somewhere that details the cache that needs to be emptied?

    in reply to: CatSearch starting then server crawling…. #370602
    bentoms
    Participant

    Hi guys,

    This is now affecting my G4 Dual Xserve after applying ACL’s to its connected XRAID, any update from Apple for the PPC fix?

    in reply to: -5000 errors when some users attempt AFP login #370600
    bentoms
    Participant

    Sorry about the late post but I found out what the issue was affecting our guys here.

    The users that had this problem had their PHD UNC path pointing to a location that wasn’t accessible to them (even though they weren’t using PHD’s), so I cleared the UNC path as it was just for testing & all works fine.

    Just weird that’s all.

    in reply to: MCX Settings from an AD Domain Member? #370549
    bentoms
    Participant

    Right so after a frustrating few weeks on the phone to Apple trying to get the Schema script & trying in vain to use ADAM’s schema analyzer I’ve bit the bullet & set things up using the “Magic Triangle” method.

    So much for keeping it simple & in one place 🙄

    It seems like the good old folks & Apple UK, don’t know about the script as they didn’t even know where the document was…

    🙄

    in reply to: -5000 errors when some users attempt AFP login #370548
    bentoms
    Participant

    Hi guys,

    I am getting a similar issue with one user too.

    We are running the “Magic Triangle” & as such we are using AD credentials for connecting to our Xserve & connected RAID.

    All 70+ other users can mount the shares via AFP but not this one user.

    I have isolated this to something with her account as I get the same error when connecting to the server on my Mac with her credentials too (i.e. destroy Kerberos tickets, create a new ticket using her credentials, press k type in the server name press connect > Error -5000).

    However, we can mount the same shares via SMB or CIFS using the same details.

    We have deleted & recreated the AD profile but still no joy.

    The error logs via Server Admin do not show anything.

    The Access logs in Server admin just show:

    [quote]IP 192.168.1.133 – – [19/Nov/2007:13:08:41 0000] “Login cstlouis” 0 0 0
    IP 192.168.1.133 – – [19/Nov/2007:13:08:41 0000] “Logout cstlouis” 0 0 0[/quote]

    The password logs do not show anything for the past couple of weeks….

    I really am stumped…

    in reply to: MCX Settings from an AD Domain Member? #370240
    bentoms
    Participant

    Hey MacTroll,

    A dumb question: how do I find out who our Apple rep is? Are they a US only thing?

    I’m the IT Manager/Systems Admin here for a recently inherited network. I do have an ACDT but didn’t renew it :(.

    What about the mods @ [url]http://www.shukwit.com[/url]? Are they still current?

    in reply to: MCX Settings from an AD Domain Member? #370179
    bentoms
    Participant

    So Mactroll,

    Can you please advise as to what the caveats are with this method? I’ve done the Magic Triangle before & so would like to know if in regards to client management this method has the same limitations or is it more along the line of ADmitMac?

    Also… (big wish here 😆 )… whilst there is loadsa info regarding the Magic Triangle there isn’t a great deal on this method. Is there a White Paper hidden on this somewhere that’s far more technically minded than the Apple one?

    in reply to: MCX Settings from an AD Domain Member? #370164
    bentoms
    Participant

    Sorry for the delay but here’s my reply.

    [quote]Schema mods are usually very frowned upon by AD admins because of the potential to seriously fubar the AD[/quote]

    I know but how many schema extensions are added when installing Exchange?

    [quote]Apple has an “AD_Best_Practices_2.0.pdf” that lists all of the schema mods that would be needed but I can’t seem to find it online now.[/quote]

    I’ve got it already.

    [quote]User attributes are always at “one point”, even with a magic triangle. The users reside in one place. Using OD would allow you to apply MCX to OD groups (which would contain AD users or groups) and to computer lists. Which limitations are you referring to?[/quote]

    The main issue with the Magic Triangle is that you cannot users direct as you can’t edit the AD LDAP, which means that you couldn’t allow one user access to a certain application etc… whilst not letting others without creating groups.

    What I want to achieve is to be able to apply MCX settings thru WGM at a user level, by editing the AD LDAP. (like ADMITmac.. well kind of..)

    So, Computer based settings (Directory Access, Login Banner, PHD syncing, network time, software update), then Group settings (mount points to dock & printers), then user (Application permissions when necessary etc.).

    in reply to: MCX Settings from an AD Domain Member? #370096
    bentoms
    Participant

    Cheers Patgmac.. I know we could go with the “Magic Triangle” but, I want to try & manage all user attributes via one point.. also I want to see if this method bypasses some of the limitations that are imposed via the Magic Triangle..

    Seeing as I’m also now the AD Admin it seems like a good time to test the AD schema extensions… just wondered if there is anything to look out for before I test it..

    Who knows that damn thing may not even work & if that’s so then…. Magic Triangle here I come

    in reply to: Managing single user accounts… #368160
    bentoms
    Participant

    [QUOTE][u]Quote by: macshome[/u][p]Unless I’m missing something unique to your setup, setting access rights to a file share is just about having an AD login. As long as the user is in a group that has access to that share they should be able to use it just fine, no MCX needed at all.[/p][/QUOTE]

    Yep you are missing something… 😉

    I probably didn’t make it that clear…. but you answered my question with your first post but below is the config…

    User john.smith is a designer & part of the D&R/Design group.

    As such he will have access to all MACDESxx (asset tag named) Macs & all applications installed as per their requirements within the build: Quark, CS, as well as the apps set as standard for all Mac Users Office etc…

    For Disaster Recovery purposes he will also be able to login to any Macs but he will only have access to the apps that he has a license for.

    So, I will create a preset for MACDESxx users & MCX settings via group policy.

    If john.smith requires an application that no others of his team have a license for I will add the application to all MACDESxx Macs via ARD but only allow him to have access…

    Makes sense?

    [quote]As far as application blacklisting goes you could do that by group. Trying to use mcx to manage 7000 individual client blacklists is going to make your head blow off…[/quote]

    There are only going to be 250 Mac Users tops…. & I will be migrating them on a team by team basis… so the workload will be distributed over time… also as all users currently log in locally that little Home Mover app will really come in handy!!

    in reply to: Managing single user accounts… #368126
    bentoms
    Participant

    Well, to be honest, a lot!!!

    I work for a London Council with 7,000 employees & some 250+ Macs within that I manage.

    Within this we have a SAN of 320TB (at the moment it is being doubled soon) & if a user needs access to a share they need to get the correct authorisation… then we (if they are a PC user auto-map as NW Drive to the share) but if I can manage the users then I can do this thru ADmitMac…

    Also application licensing is an issue…. All Macs within computer group MACDESxx will have some apps on them… Now all users within the MACDESxx users team will have access to all the extra installed MACDESxx apps.. but when someone else needs to login (for Disaster Recovery) they may be able to see all of these apps but will not be able to launch them as they do not have rights due to a license not being purchased for those users…

    Does that make sense?

    in reply to: Automounting SMB shares via AD Groups #368023
    bentoms
    Participant

    Ok I can mount the shares but realised that nested groups do not inherit preferences… and the below confirmed this (from apple.com)

    [quote]Mac OS X Server 10.4: Nested groups do not inherit managed preferences
    Pages 25, 77, and 89 of User Management For Mac OS X Server 10.4 or Later contain incorrect statements regarding the inheritance of managed preferences for nested groups.

    Nested groups are useful for inheriting access permissions, but only preferences from the workgroup selected during login (not any workgroups via nesting) are used for group preferences.

    If you need additional management options for members of groups (or multiple groups), please consider adding additional management options at the User or Computer level.[/quote]

    Ok so…. that last line:

    [quote]If you need additional management options for members of groups (or multiple groups), please consider adding additional management options at the User or Computer level.[/quote]

    Does that mean I need some kinda Login Script? If so…. please could someone point me in the right direction.
