[cashxx]

Ok I am scratching the Augmented user……At Group level I am doing a mobile home and using the Preference Manifest Synchronization URL instead.

Working good so far, but having issues on first logout saying it can’t connect to the home. Makes no sense because its mounted and available.

[cashxx]

[QUOTE][u]Quote by: MrTips[/u][p]tell me about this mac management console that you say sophos offers. I can’t locate any information on it, and even a sophos rep I spoke with said that the management console is windows only. are you talking about something different from their sophos enterprise console?[/p][/QUOTE]

Looking on there website it looks like they did away with the mac console they had. It was very basic, but worked. That was a few years ago now though.

**UPDATE**

Well going back and found another page on there site I think I am thinking of the Mac “Sophos Update Manager”. You can basically setup a share on your server and point the clients to the share and set the settings for your clients and set the updates and stuff like that. Not sure if its the same thing or not, if it is it did the basic job of what I wanted. They have a demo….get the demo and try it out and look at the white papers. Best I could find for an all mac solution, but haven’t really looked around since then. We backed off because of the pricing was outrageous.

http://www.sophos.com/products/enterprise/endpoint/security-and-control/mac/

**UPDATE 2**
Just found this pdf mentioning about Sophos Update Manager on page 32.

Management control from either Mac or Windows platform
Sophos Anti-Virus for Mac can be managed either by using Sophos Update Manager for Mac or Sophos Enterprise Console (Windows). You do not need to run both of these administrator interfaces to ensure that Sophos Anti-Virus for Mac OS X is kept up to date.

Centralized management
Enterprise Console enables you to configure and manage anti-malware protection for Windows, Mac, Linux and UNIX computers, network-wide from a central point. Enterprise Console does require a Windows computer to be available and offers enhanced management functionality. If you are on a Mac only network, then Sophos Update Manager for Mac allows updating and configuration from a single Mac computer. It enables you to set automatic updating and choose how you receive email notifications. You can also determine how scanning will be implemented on Mac desktops and laptops, and enables full centralized configuration of the desktop settings

http://www.sophos.com/sophos/docs/eng/factshts/sophos-endpoint-security-and-data-protection-rgna.pdf

[cashxx]

All your clients are having issues from 10.4 to 10.6 with slow browsing??

If its just 10.6.x with SMB……look below……

http://www.macwindows.com/snowleopard-filesharing.html#112210b

Also with 10.6 you have issues with Streams if using SMB. Need to disable on 10.6 to have 10.5. and 10.4 clients see the same things. 10.5 streams can be enabled not sure about 10.4. I just disabled streams on 10.6 for now. See here.
http://support.apple.com/kb/HT4017

[cashxx]

I would say Sophos AV as well. I had a demo and its about the only one with a Mac Management console and stuff. The only thing is the license, they are expensive!

Symantec used to have a nice looking Mac Version with a nice looking Management Console, but it scared me a little. Script would kick off this script and then that script would kickoff another and it was a bundle of mess. Not sure if they have anything today or not.

I wanted a solution for the Macs only though, I wanted a server management console and client proteactoin and not many are out there that I could find. Sophos was about the only one.

[cashxx]

This started with Windows 2003 R2 server and this is what we came up with:

Mac OS X Permissions Problems with Window Server 2003 R2

If you re-push the permissions it should be fine. If you script folders to be made for users use icacls.exe instead of calcs.exe. There is an inheritance flag not being set for some reason.

I have been fighting Apple on this for a year or two now and no help has been given! Put in a bug report if you haven’t already please…..bugreport.apple.com.

ooops I just re-read the first post you are setting up shares on a Mac Server……..what I posted probably doesn’t pertain to that situation. If the share is on a Windows server then yes.

[cashxx]

I have this in my notes but have never really tried it. Hopefully it helps! I have always setup printers using the ip like drumgod1 said and it doesn’t ask for credentials.

PRINTSRV – is the name of our Windows 2003 Printer Server
Student8x11 – PS is the name of the print queue

lpstat -v – View printers
sudo lpadmin -p PRINTSRV_Student8x11PS -o auth-info-required=none

[cashxx]

Not sure but have you tried replacing the default picture of what is being set on the second monitor as the picture you want in /Library/Desktop Pictures

Like I replace the default Aqua Blue.jpg with your picture you want to show. And replace /Library/Desktop Pictures/Nature/Aurora.jpg with yours as well.

Not sure if that will work…..just an idea that popped into my head when i read your post.

-Dan

[cashxx]

This is going back a little ways with 10.5.x. But the issue still happens with 10.6.x and I think we found a fix! The quick fix was just to re-push the permissions on the users folder and it would fix the issue, but if you have hundreds of users its a pain and it would be nice to not have the issue at all!

When our users are created in bulk we do everything from the command line in Windows XP and now Vista. The admin has always used cacls to set the permissions, but found that using icacls that is new with Vista/Windows 2003 R2 I believe with different switches seems to fix the issue with 0KB file problems and errors when trying to copy files to a Windows 2003 R2 server in our case.

Today we found that when setting permissions using cacls it was missing the AI attribute or ACL or whatever, but when using icacls things seem to be fine and write the correct attributes:

Bad created with cacls \\server\share\userdir /e /t /g testmulti:c
User Account: Testmulti
D:(A;OICI;0x1301bf;;;S-1-5-21-510418058-1399010721-837300805-17731)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;DA)(A;OICIID;0x1301bf;;;S-1-5-21-510418058-1399010721-837300805-8532)(A;OICIID;FA;;;SY)

————————————–

Good created with icacls \\server\share\userdir /t /c /grant testmulti:(OI)(CI)M
User Account: Testmulti
D:AI(A;OICI;0x1301bf;;;S-1-5-21-510418058-1399010721-837300805-17731)(A;OICIID;FA;;;DA)(A;OICIID;0x1301bf;;;S-1-5-21-510418058-1399010721-837300805-8532)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)

We have finally found a fix we think by running the following commands to create a new user folder and set permissions for new students:
mkdir \\server\share\userdir
icacls \\server\share\userdir /t /c /grant testmulti:(OI)(CI)M

Still seems like a bug because when it started happening with Win Server 2003 R2, we setup a new test server and a fresh OS X client and doing permissions through the GUI we were able to reproduce the error. But it looks like using icacls will get us pass the issue hopefully now.

Thanks,

Dan Ball
PTI.EDU

[cashxx]

Snow Leopard has a new feature called “mcxrefresh”. Should hopefully do what you want! man mcxrefresh in Terminal.app or look it up in the Server User Management Manual at about page 260.

[cashxx]

I may be wrong but I think the easiest way would be to download the Server Tools from Apple and use Workgroup Manager and add the cached user to the local admin group like MacTroll said.

http://support.apple.com/downloads/Server_Admin_Tools_10_5_5

-Dan

[cashxx]

We just updated to Windows 2003 R2 in July and have had issues with Leopard clients trying to save to SMB shares. Have to go in and refresh the users permissions on the users folder and then things are fine. We were having issues with users logging in and smb shares mounting on the desktop as login items, they would show as folders with do not enter signs on them. That issue seems to have gone away though. Not sure if it was caused by the upgrade and it works itself out or what?

But I haven’t experimented with 2008…..if you are seeing issues please post bug reports to Apple to get them fixed at bugreport.apple.com

Thanks,

Dan

[cashxx]

Yea I can second the “Force home to be local” option….simply uncheck that and that fixes the issue. I put in a bug report and it was supposedly fixed in 10.5.3 but I am running 10.5.4 and its still not fixed.

I have a mobile account as well…I’ve already logged in once and have a mobile account….so i just unchecked the Mobile Account setting and the Force local home setting in the AD plugin and my account stayed as a Mobile account and also I can use the login items pane again. But I’m on my own un-managed machine in the office and stuff so I can do this without worry.

I did however just run across this…..if others see this post this may be of some use to someone. I haven’t tried it myself but sounds promising….Its called LoginControl 1.0 and basically is supposed to let you control your Login Items without using the Accounts Pref Pane.

http://www.versiontracker.com/dyn/moreinfo/macosx/35807

-Dan

[cashxx]

This is probably your issue………get a copy of Property List Editor, usually comes with Apple Dev Tools.

Edit the following Files:
/Library/Preferences/com.apple.dockfixup.plist
Go under like add-app and delete all the numbered items…..do the the same for the others like add-doc, etc.

/System/Library/CoreServices/Dock.app/Contents/Resources/English.lproj/Default.plist
Go under persistent-apps and persisent-others and remove the numbered items like above.

Doing so should blank out the dock……you may want to blank out the dock pref file you added to your user template too.

After doing those the Dock should be fully, the way it should be, manageable using WGM.

Dan

[cashxx]

Ahhhh…..maybe that is the problem then…..I missed that little piece of the puzzle about IPP connections can only use Kerberos at this point.

But yea when I login I get a ticket from AD and stuff so that seems to be working ok. I’m just trying to add a printer shared by Windows 2003 that shows up under the Default browse section which it won’t use IPP so that looks like the issue then. I didn’t see that. Hmmmm well that kinda sucks I wonder when that will get fully implemented!

Thanks,

Dan

[cashxx]

I thought this was working in 10.5.2…….I don’t have a 10.5.2 box in front of me right now but have you tried to add your domain in front of the username when it asks for credentials. This may be a work around for now.

One would think it would use kerberos credentials but I haven’t had luck in other builds but I thought 10.5.2 was working ok.

For example:

Username: domain.com\leoparduser

-Dan

[Author]

Posts