I am familiar with and have successfully implemented the “magic triangle” in a test environment. In my production environment, I already have 13,000 Open Directory accounts and an NT 4 domain controller for about 100 people. I would like to get rid of the NT 4 and possibly upgrade to AD. But I want the opposite of what I’ve seen so far.
I would like to have all user accounts in OD and have AD manage preferences and group policies for the computers. I’ve looked into pGina, but this seems to only deal with authentication for logon purposes. It does not seem to be capable of allowing me to add users to Windows-based groups for security controls on services. I’ve read information on linking Kerberos for cross-realm authentication, but it seems that it still requires user accounts to exist within the AD domain (though I could have misinterpreted what I read – haven’t tested it yet).
Any insight would be great.