Mac OS X users in an Active Directory based network

Tags: active-directory, mac-osx, mac-osx-server

In your corporate network, how do you handle Mac OS X users on your Active Directory based network? What are some specific things you do to cater to the Mac OS users?

We are specifically having issues with the following:

  • Password expirations (specifically that there is no notification given to the user while they are logged in).

  • Finder not consistent about using Kerberos. Browse to a Windows server in "All…" and open an SMB share, and you'll have to authenticate. However, when you use Finder's "Go to Folder…" action or access via smbclient -k, the system will properly use Kerberos. Is this a bug? Is there any workaround? Do you just mount the needed drives at logon? If so, how do you manage these login scripts?

  • VMs. Nearly everyone uses either Parallels Desktop or VMware Fusion. Do you join these VMs to the domain as well? Do you do anything else special with VMs?

  • File share compatibility. If we let the Mac users use an SMB share on a Windows server, the Macs have to leave .DS_Store everywhere for compatibility. Letting the Windows users use SMB on a Mac server is my best option, as the Mac users can use AFP (enabling the use of resource forks, instead of leaving .DS_Store everywhere). Additionally, this will allow Mac OS users to use Spotlight on the server mounts.

  • The directory application shows a number of system accounts, cluttering it up. Do your users even bother using this application? If so have you found a way to hide them?

Best Answer

I have a few Xserves running as file servers in an Active Directory environment. The golden triangle approach has worked great for me: http://www.bombich.com/mactips/activedir.html. I set mine up following those directions exactly, and here are my experiences:

  1. I do get a password expiration notification when I log in as an AD user. I would say pay special attention to the Kerberos part of the Golden Triangle approach. The key most people miss is sudo dsconfigad -enableSSO.
  2. I think the kerberos part above would also fix this. Works both ways for me.
  3. What I've done a few times is use Boot Camp to create a physical Windows environment, join that to AD, then let them run it via VMware Fusion from OS X if they wish.
  4. I have a Windows server, and feel your .DS_Store pain. However, this command helps: defaults write com.apple.desktopservices DSDontWriteNetworkStores true
  5. At the top window of Directory.app, you can select "People" to filter out the junk.

Active Directory provides the username and password, as well as some group memberships and user policies. AD only targets Windows users. I don't have admin rights on Active Directory. I have to get permission to join my Xserves to the domain. I have no ability to modify the AD schema at all. If I wanted to extend certain OS X specific policies to my Mac users, I can do so via my Open Directory master. The Bombich document explains how.

Hope that helps some!
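The password-expiration problem from the first bullet of the question, as an added example that is not code from the page or from the answerer's setup: the computation a Mac-side notifier needs once it has the user's pwdLastSet, the domain's maxPwdAge and the user's userAccountControl. How those three values are fetched (an LDAP query against a domain controller) is assumed and not shown; the sample values are constructed for illustration. It handles the two cases that break naive notifiers, pwdLastSet of 0 ("must change at next logon") and the "password never expires" flag or domain setting.

```python
"""Password-expiry check for an AD-bound Mac, from raw LDAP attribute values.

Added example; not code from the page or the answerer's setup. It assumes
the three attributes were already fetched for the logged-in user from the
domain (for example with an LDAP query against a DC); the sample values
at the bottom are constructed.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bit meaning "password never expires"
DONT_EXPIRE_PASSWORD = 0x10000
# maxPwdAge sentinel for "passwords never expire" at the domain level
MAXPWDAGE_NEVER = -(1 << 63)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Return (expires_at, must_change_now).

    expires_at is None when the password does not expire. must_change_now
    is True when pwdLastSet is 0 (admin set "user must change at next logon").
    maxPwdAge is stored as a negative interval in 100 ns units.
    """
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None, False
    if pwd_last_set == 0:
        return None, True
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    return filetime_to_datetime(pwd_last_set) + max_age, False


def expiry_warning(pwd_last_set: int, max_pwd_age: int, uac: int,
                   now: datetime, warn_days: int = 14):
    """Return a warning string to show the user, or None if nothing is due."""
    expires_at, must_change = password_expiry(pwd_last_set, max_pwd_age, uac)
    if must_change:
        return "Your domain password must be changed now."
    if expires_at is None:
        return None
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "Your domain password has expired."
    days_left = remaining.days
    if days_left < warn_days:
        return (f"Your domain password expires in {days_left} day(s) "
                f"({expires_at:%Y-%m-%d %H:%M UTC}).")
    return None


if __name__ == "__main__":
    # Constructed sample: pwdLastSet = 2024-01-01 00:00 UTC, maxPwdAge = 90 days,
    # ordinary account (uac 0x200 = NORMAL_ACCOUNT), checked on 2024-03-24.
    SAMPLE_PWD_LAST_SET = 133485408000000000
    SAMPLE_MAX_PWD_AGE = -90 * 86400 * 10_000_000
    SAMPLE_UAC = 0x200
    check_time = datetime(2024, 3, 24, tzinfo=timezone.utc)
    print(expiry_warning(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE,
                         SAMPLE_UAC, check_time))
```

A per-user login script or launchd agent can run this periodically and surface a non-None result with osascript's "display notification", which gives the logged-in user the warning the question says is missing. Keep the comparison in UTC as above; converting pwdLastSet to local time before adding maxPwdAge is a common source of off-by-an-hour errors around DST changes.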