Forum Replies Created
Patrick Gallagher
Participant
[QUOTE][u]Quote by: FritzsCorner[/u][p]Just a quick follow up. I was able to replicate the issue again and I think I narrowed down what I did to make this happen. During my first couple attempts at creating an image I had opened the ASROutput folder in details mode so I could see the file size change in order to verify that the image was being created. After the image was almost complete, finder would freeze. I went back and ran instadmg again, this time without the ASROutput folder open in finder and it worked like a charm. When I tried it one more time with the ASROutput folder open it froze up again as I had expected. I doubt anyone else has seen this issue as there really is no reason to have the ASRoutput folder open but just thought I would post this in case there is another newbie here that has been having troubles.[/p][/QUOTE]
This may not be an InstaDMG issue. IIRC, this happens when creating an image with SIU too (or at least it did a few years ago when it was NIU).
Patrick Gallagher
Participant
[QUOTE][u]Quote by: bentoms[/u][p]Cheers Patgmac.. I know we could go with the “Magic Triangle” but, I want to try & manage all user attributes via one point.. also I want to see if this method bypasses some of the limitations that are imposed via the Magic Triangle..[/QUOTE]
User attributes are always at “one point”, even with a magic triangle. The users reside in one place. Using OD would allow you to apply MCX to OD groups (which would contain AD users or groups) and to computer lists. Which limitations are you referring to?
[QUOTE]Seeing as I’m also now the AD Admin it seems like a good time to test the AD schema extensions… just wondered if there is anything to look out for before I test it..
Who knows that damn thing may not even work & if that’s so then…. Magic Triangle here I come[/p][/QUOTE]
Schema mods are usually very frowned upon by AD admins because of the potential to seriously fubar the AD. If you do want to explore this route, take a look at shukwit.com which has a script for doing the schema mods but it’s pretty old and I’m not sure if it still works for current Win server and Tiger clients. Apple has an “AD_Best_Practices_2.0.pdf” that lists all of the schema mods that would be needed but I can’t seem to find it online now. It used to be at apple dot com slash itpro slash articles slash adintegration. I have the pdf if you would like me to send it to you.
Patrick Gallagher
Participant
You probably don’t need to ask the Windows admin. Just do an “id [i]shortname[/i]” for a domain user and count the # of AD groups they are a member of.
Patrick Gallagher
Participant
I would configure the Mac server as an OD master and specify the location of the home directories in AD. Your Mac server will still be a “domain member”. See the AD-OD Whitepaper on this site for more info.
Patrick Gallagher
Participant
If I’m not mistaken, the “native” AD domain may be the problem. It’s my understanding that native is to be used when all servers and clients are 2k3/XP/Vista which basically beefs up all the security settings (digital signing and such) to a level that only 2k3/XP/Vista can use and any legacy OS’s would be left out. OS X would be considered a legacy OS since it does not support all the signing abilities of 2003 Server.
Patrick Gallagher
Participant
The problem could be if the user(s) is a member of 16 or more groups. This was fixed in 10.4.8 Server.
I can’t post links here, but 2 bullet points in the 10.4.8 update of interest:
– membership and permissions issues when Windows users are in more than 16 groups
– login and authentication in Open Directory and Active Directory environments
I have a similar setup, all users’ primary GID is domain users and I restrict logins in certain labs to the members of that lab and it works fine for me with 10.4.8 server. I don’t recall if I was restricting logins when we had 10.4.7.
Patrick Gallagher
Participant
[QUOTE][u]Quote by: option8[/u][p]that’s kinda what i’ve figured. i was hoping some intrepid sysadmin that’s handy with xcode would have come up with something automated by now, but the number of permutations is probably too many to be bothered with.
[/p][/QUOTE]
This would require a huge amount of work to maintain a database of even the most common apps and where those #’s are stored.
Patrick Gallagher
Participant
I dunno. I never tried blocking updates at the application level like that. I wonder if you add the update to the “Ignored” list in the /Library/Preferences/com.apple.softwareupdate.plist what will happen?
Do you run your own SUS? If so, what happens if you don’t make that update(s) available? I would hope those Apple apps would honor that for its source of updates.
Patrick Gallagher
Participant
Every app is going to be different. Some will clearly store it in a plist somewhere in /Library/Preferences or /Library/AppSupport/company/whatever, others will do everything they can to hide in fear of it being pirated. I don’t know of any automated methods of getting this info short of something like Landesk. Getting the list of installed software is easy with ARD, but serial #’s, you may be able to use the “defaults” command for some apps if you can figure out which plist(s) that info is stored in.
Patrick Gallagher
Participant
I’ve had it happen a couple times. Uncheck the box to “mirror” the update and save. Then recheck the box and it will re-download from Apple.
Patrick Gallagher
Participant
If you can figure out which plist is storing that preference(s), you can add it to the “Details” tab of workgroup manager > Computer Accounts > Preferences. It should still apply to all users.
Patrick Gallagher
Participant
[QUOTE][u]Quote by: ToddJob[/u][p]Do ARD Clients have access logs? If so where?
I looked around and could not find them. They were not in any of the other logs that I could find.[/p][/QUOTE]
Nope. Glaring omission for accountability IMHO.
Patrick Gallagher
Participant
[QUOTE][u]Quote by: ceciltsai[/u][p]
[code]
ADPlugin:Changing Password for User [email protected] as [email protected]
[/code]
[/p][/QUOTE]
I “think” it may be trying to change the computer account password. I’m not sure if that’s possible (or necessary?) when binding but would usera$ happen to be the computer name it is binding with plus a $? Was there a pre-existing computer account in AD already by that name?
If it is the computer password, this may help:
https://www.afp548.com/article.php?story=20061217110502523
August 5, 2007 at 7:41 pm in reply to: Logging into AD when the computers are wireless and need to login to the wireless first? #369654
Patrick Gallagher
Participant
I’m not sure about Bluesocket, but here’s instructions on joining an 802.1x network on login.
[url]http://adminselfhelp.com/?p=50[/url]
—
Patrick Gallagher
ACSA, RHCT, A+, Network+
September 4, 2006 at 1:41 am in reply to: Computers not managed when bound, only when unbound #366978
Patrick Gallagher
Participant
I’m having this problem as well. Are you bound to AD as well? It appears if you bind to OD, it makes unwanted changes to /L/P/edu.mit.kerberos. Makes OD the default realm.
The only drawback to not binding appears to be that you have to add the computer record to WGM afterwards (or before, it doesn’t matter). I now carry around a copy of WGM on my thumbdrive so I can add the computer to OD after putting it on the domain.