Best way of integrating Mac OS X clients with Active Directory

Tags: active-directory, mac-osx, mac-osx-server

I have more than 50 Macs on the network and I think it's time to put some controls in place so I'm scouting for ways to integrate the Mac OS X clients into Active Directory. The primary objective is to enforce GPOs from the AD to the Mac OS X clients. I'm thinking of the following solutions:

  • Use Mac OS X Server's Directory Service with AD
  • Use a third-party solution like Centrify's DirectControl or Thursby's ADmitMac

Which of the solutions do you think is the best way to go?

Best Answer

It depends on whether or not you want to install 3rd party software on your AD controllers. If you go with Thursby or Centrify, you will have to do that to get GPO. This adds the necessary attributes to your AD schema to make it more OS X aware. I'm not sure if it'd include everything you'd want, so you'd have to ask the vendor.

If you don't (a lot of people don't), you'll need an OS X Server and set up a golden triangle configuration. You'd make the OS X server an OD Master (standalone), join it to AD, then use MCX to apply "GPO" to the computer object in AD. Then you'd join the computer itself to AD & OD. What it doesn't get from AD, it'd get from OD (if you configured it correctly). Things like password policy work with AD by default, with some minor caveats (reminders of expiration). Things like accessing System Preferences would be managed in OD. If you go the golden triangle route, you should consider getting two servers for master & replica. This doesn't require modifying or installing anything in AD that's not already there.

The only downside to the golden triangle setup is Lion is around the corner, and I'm really not sure if it'll continue to support this type of thing. I'm not sure how much longer you'll be able to buy Snow Leopard Server. Also, you can no longer get Apple's Xserve brand new... you're stuck with a Mac Pro or Mac Mini.
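As an added example (not part of the answer above, and not a script from Apple, Centrify or Thursby), here is a POSIX shell script that checks a client for the state the golden triangle setup should produce. It parses the output of `dsconfigad -show` and `dscl /Search -read / CSPSearchPath`, which are embedded here as constructed sample text with placeholder forest and host names so the script runs anywhere, and confirms that the machine is bound to AD with a computer account and that its directory search path contains both an Active Directory node and an LDAPv3 (Open Directory) node. The packet signing/encryption warning is an added hardening check the answer does not mention; `run_live` shows the same checks against the real commands on a bound Mac.

```shell
#!/bin/sh
# Added example: verify a Mac's "golden triangle" binding (AD for accounts,
# OD for MCX settings) from the text printed by `dsconfigad -show` and
# `dscl /Search -read / CSPSearchPath`. The SAMPLE_* strings are constructed
# stand-ins for that output with placeholder names; run_live uses real output.

SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-lab-01$
Advanced Options - User Experience
  Create mobile account at login   = Disabled
Advanced Options - Administrative
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14'

SAMPLE_SEARCHPATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/od.corp.example.com'

# Extract one "Key = value" field from dsconfigad output; prints nothing if absent.
ad_field() {
    # $1 = dsconfigad text, $2 = field name as printed by dsconfigad
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p" | head -n 1
}

# Succeeds when the machine reports an AD binding and has a computer account.
ad_bound() {
    printf '%s\n' "$1" | grep -q '^You are bound to Active Directory' || return 1
    [ -n "$(ad_field "$1" 'Computer Account')" ]
}

# Succeeds when the search path lists both an AD node and an LDAPv3 (OD) node.
# Matches the Snow Leopard form "/Active Directory/All Domains" as well as the
# later "/Active Directory/DOMAIN/All Domains" form.
golden_triangle_ok() {
    printf '%s\n' "$1" | grep -q '^ */Active Directory/' || return 1
    printf '%s\n' "$1" | grep -q '^ */LDAPv3/'
}

# Print a report; exit status 0 only when both binding checks pass.
check_binding() {
    # $1 = dsconfigad text, $2 = search path text
    status=0
    if ad_bound "$1"; then
        echo "OK   bound to forest $(ad_field "$1" 'Active Directory Forest') as $(ad_field "$1" 'Computer Account')"
    else
        echo "FAIL not bound to Active Directory"; status=1
    fi
    if golden_triangle_ok "$2"; then
        echo "OK   search path contains both an AD node and an LDAPv3 (OD) node"
    else
        echo "FAIL search path is missing the AD node or the LDAPv3 (OD) node"; status=1
    fi
    # Added caveat: "allow" lets the LDAP session fall back to unsigned or
    # unencrypted traffic; "require" is the hardened value. Warn only.
    for opt in 'Packet signing' 'Packet encryption'; do
        v=$(ad_field "$1" "$opt")
        if [ "$v" = "require" ]; then
            echo "OK   $opt = require"
        else
            echo "WARN $opt = ${v:-unset} (consider 'require')"
        fi
    done
    return $status
}

# On a bound Mac, run the same checks against live output.
run_live() {
    check_binding "$(dsconfigad -show)" "$(dscl /Search -read / CSPSearchPath)"
}

check_binding "$SAMPLE_DSCONFIGAD" "$SAMPLE_SEARCHPATH"
```

With the sample text the script reports the AD binding and both directory nodes as OK and warns about the two "allow" settings; a client bound only to AD, with no LDAPv3 node in its search path, fails the second check, which is the symptom you would see when the OD side of the triangle has not been joined.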