Forum Replies Created

Viewing 15 posts - 1 through 15 (of 128 total)
    in reply to: File associations (always open with) are constantly reverted #381396
    tlarkin
    Participant

    Google search for a binary app called “duti” which will allow you to set default apps for users for web content, PDF files and such.

    tlarkin
    Participant

    Are you set to sync the whole home directory or just certain folders?

    in reply to: Adding users to workgroup manager failing #381170
    tlarkin
    Participant

    So you are doing authenticated binds to OD then? You must do an authenticated bind for the computer name to show up in the computer lists section of WGM.

    in reply to: Change Password at next login #381168
    tlarkin
    Participant

    Sounds like the account cannot access its home directory so authentication is suspended. Check your file shares, make sure all POSIX and ACLs are in place. Also make sure time/date is all in sync between server and client for Kerberos.

    -Tom

    in reply to: to be admin user or not to be, that is a question. #380788
    tlarkin
    Participant

    [QUOTE][u]Quote by: catfeetstop[/u][p]I’m new to enterprise Mac administration and I’m trying to figure out the best way to handle admin rights on our client Macs. I’ve looked around already and I know a lot of these questions have been answered elsewhere but I’m still having a hard time understanding the topic. If you have references to those other answers I’d love to see them. I still have some questions that I was looking for your input on and would love to hear your experiences. We’d like to create the best user experience possible and we don’t think our users will be happy if every time they want to install/update software or use the Mac AppStore they have to wait for a Sysadmin’s interaction.

    Currently in our setup, our users login to their Macs as “standard” users using their AD credentials. We have our AD schema extended to allow MCX management through Workgroup Manager. Our Sysadmins administer the client computers because of the “Allow administration by…” option of the AD plugin. We have a growing number of Macs in our business and my questions are:

    1. How do you guys handle admin accounts for client computers?[/quote]

    I work in academia, so we have departments. Students are never given admin rights at all. Optional software is done via Self Service installs the students can trigger themselves (part of Casper Suite). Other departments and staff are granted admin rights, but we just roll out a local admin account for them to use. They still log into their own network account which is managed (very lightly) and when they need to use admin credentials to install their own software or whatever, they just use the local admin account they are given, which is a separate account from all other local accounts so I can zap it or mass password change it if it gets leaked or abused.

    [quote]2. Do you allow all users to be admins on the computer so they can install/update software?[/quote]

    No, this is done via self service and Casper under the hood. I have 6 SUS servers set up, one parent and six children, and the parent cascades down to the children. The client just opens up self service and clicks install and the Casper framework does all the installs in the background. There are other tools, like Munki, Radmind and Puppet which can accomplish this as well, but it may be different in application.

    [quote]3. If they’re “standard” users, do you just push the software/updates to them individually through Apple Remote Desktop (or something similar) when requested?[/quote]

    There are many ways to do this. You can do it via ARD task server, or scripts, third party – Munki, Absolute, Casper, Puppet, Radmind, etc. Some are free, some cost money.

    [quote]4. Do you physically go to their computer and type in your Sysadmin credentials to install/update software when requested?[/quote]

    I got about 8,000 Macs in my work place, so no way! We use tools to deploy updates remotely, previously mentioned in my other answers.

    [quote]5. Do you allow admin access and use some sort of application whitelisting/blacklisting system allow/disallow certain apps?[/quote]

    I use MCX to block applications running by file path. The con is that you gotta approve every path that may have an app in it, including things like /Library/Application Support and so forth. Then any app I don’t want that group to use I toss in /Applications/Utilities. The pro is you don’t have to maintain a list, different groups can get different MCX settings, and it doesn’t allow users to run apps off their USB flash drive or what not.

    [quote]6. Do you use the ~/Applications folder?[/quote]

    Nope, but I think the App Store will install personal apps there.

    [quote]7. Should each client computer have a local admin account in which we give each user the credentials to so they can install/update software? If so, can we disable login for this admin account?[/quote]

    Depends on what your users’ needs are. Do they need to run as admin? It is a security risk when users have admin rights. Yes, you can delete and disable and change passwords of accounts remotely, via ARD admin if you had to.

    [quote]8. Is there a way to have a limited admin user that can only administer certain features? (i.e. install/update software only)[/quote]

    Yes, this is possible via MCX. John DeTroy from Apple wrote a white paper on MCX that I think touched on this. The problem is, if they are admin and you give them access to the terminal they can easily undo lots of stuff. I think it is way more work than it is worth, so I wouldn’t recommend it.

    [quote]9. Does Munki help with this dilemma and if so, how? (I’m not totally sure how Munki works or what it’s for)[/quote]

    Munki is a tool to deploy software. It can help with lots of things you want to accomplish.

    [quote]10. Do you know if any of this will change when Lion comes along? If so, in what way are things changing?[/quote]

    NDA states that this cannot be discussed. However, there are a few users over at reddit that have purposely broken NDA and described 10.7. You can search that site to see what they are saying about it. I don’t advise breaking NDA but if you really want to know there are people that are willingly and blatantly breaking it.

    in reply to: Migrating from 10.5 ODS to 10.6 ODS #380195
    tlarkin
    Participant

    I assume you are migrating to an Intel based Xserve….

    Two things to do when migrating. If you are straight up replacing the server make sure all IP/DNS settings are set to your new server when you replace it, so you can just straight swap it out.

    Also, do a full backup of Open Directory. This will require you to put a password on the backup. It will archive all users, groups, and passwords. Also, on top of that, export all your users and groups and computer lists to plain text as well (without passwords) just in case your backup doesn’t sit well with the new OD server. Then, worst case scenario, you have to set a one-time master password for your users and have it set to be changed at next login.

    All in all, it should go over smoothly.

    in reply to: MCX Folder redirect to make iMove save locally #380143
    tlarkin
    Participant

    You ever think about using a login script to set the folder via symbolic link?

    [code]
    #!/bin/bash

    # Login hooks pass the short name of the user logging in as $1; this only works for login hooks

    target="/Users/Shared/"

    # Create the per-user folder under /Users/Shared (no error if it already exists)
    /bin/mkdir -p "${target}${1}"

    # Link the user's Movies folder into it, creating /Users/Shared/<user>/Movies,
    # unless the link is already there from an earlier login
    [ -L "${target}${1}/Movies" ] || /bin/ln -s "/Users/${1}/Movies" "${target}${1}"

    exit 0
    [/code]

    Then in OD, open up WGM and click on the computer list you want this to run on and click on the login preference. Then select to run your script at login. This method only seems to allow you to do this via computer groups. Alternatively, you can copy the script to the local machine and have the loginwindow.plist run the script at login. You could also use launchd and create a user agent that runs in every user’s ~/Library/LaunchAgents so every time they log in, it runs. You could probably put some testing and error checking in, and if everything checks good the script just exits, otherwise it applies the settings.
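The "testing and error checking" variant of that login hook, as an added example that is not tlarkin's script: the work is wrapped in a function that takes the user name, the home root and the shared base as parameters (assumed layout, so it can be exercised against any directory), refuses user names that could escape the shared base, refuses to clobber a real folder sitting at the link path, and exits quietly when the link is already correct so repeated logins are a no-op.

```shell
#!/bin/bash
# Added example, not the forum poster's code. Assumes the login hook passes the
# short user name as $1 and that the layout is <home_root>/<user>/Movies ->
# <shared_base>/<user>/Movies, as in the original script.

# ensure_movies_link <user> <home_root> <shared_base>
# Returns 0 when the link exists and points at the user's Movies folder
# (created now or on an earlier login), 1 when something is wrong.
ensure_movies_link() {
    local user="$1" home_root="$2" shared_base="$3"
    local movies="$home_root/$user/Movies"
    local dest_dir="$shared_base/$user"
    local link="$dest_dir/Movies"

    # A hook runs as root: reject names that would point outside shared_base
    case "$user" in
        ''|*/*|.|..) echo "invalid user name: '$user'" >&2; return 1 ;;
    esac

    # Only link a real Movies folder; no home directory means nothing to do
    [ -d "$movies" ] || { echo "no Movies folder for $user" >&2; return 1; }

    # Already correct: stay quiet so the hook is idempotent across logins
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$movies" ]; then
        return 0
    fi

    # A real file or folder at the link path is user data: never replace it
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace non-symlink at $link" >&2
        return 1
    fi

    mkdir -p "$dest_dir" || return 1
    # -f replaces a stale symlink pointing elsewhere; -n keeps ln from
    # descending into a symlinked directory and creating the link inside it
    ln -sfn "$movies" "$link"
}

# Login hook entry point: the user name arrives in $1
if [ -n "$1" ]; then
    ensure_movies_link "$1" /Users /Users/Shared
fi
```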

    in reply to: Local root account and OD root account, same UID #380142
    tlarkin
    Participant

    Why do you have a user in OD called root? OD accounts start at UID 1000 and the initial account you set up is the diradmin account, which should be the “root” account for your OD administration.

    I would delete the user in OD called ‘root,’ as it is not needed.

    in reply to: ARD & Directory Service scanner #380119
    tlarkin
    Participant

    OK sorry I thought you were talking about authentication over ARD to OD accounts….

    You are referring to when you right click on a scanner in ARD and do so by Directory Server? This does work for me, but only on computers I did authenticated binds to when binding to server.

    in reply to: MCX Keyboard layout #380118
    tlarkin
    Participant

    Have you tried setting it on a client and doing an MCX read from the command line to see what it modifies?

    in reply to: ARD & Directory Service scanner #380090
    tlarkin
    Participant

    We tried this a long time ago and it did not work, so I deployed local hidden admin accounts for ARD access.

    in reply to: MCX Keyboard layout #380084
    tlarkin
    Participant

    First you need to create the plist file: com.apple.mcxMenuExtras

    In that file you need to set what you want allowed on the menu bar. To change the keyboard layout you want the TextInput.menu enabled. So in WGM drag that mcxMenuExtras into the details menu for your group. Then create a new string called TextInput.menu, set it to boolean and true, and it will always show up for each user now whenever they log in.

    Then add in the /Library/Preferences/com.apple.HIToolbox.plist and add each item under AppleSelectedInputSources. Just mimic the settings for the US keyboard layout with each additional language.

    Another way would be to get it exactly the way you want it on a specific user account, and use the dscl command to read the MCX settings and export that to a file, or use some scripting to add the setting in.

    in reply to: Adding attributes to multiple users #380083
    tlarkin
    Participant

    Look at the dscl command; there should be a way to create attributes in there, and some scripting could automate it.

    in reply to: Specify Printer Driver via script or Managed Preferences #380082
    tlarkin
    Participant

    Install all printers exactly how you want them on one of your machines, then copy out the /etc/cups/ppd directory to all client machines and they will get all your printer settings copied over.

    in reply to: Scripting: Changing name of printer in Print & Fax prefpane #380081
    tlarkin
    Participant

    You can remove them and then re-add them, so as to rename them, but I am not seeing a rename option in the lpadmin or lpoptions commands.
