Mac OS X Lion Server :: Active Directory And Local Admin Account?
Jun 27, 2012
We have a local Admin account on all Macs, enterprise wide, for local and remote administration.
All Macs are joined to Active Directory. Our users DO NOT have Admin rights.
On ALL our LION Macs (10.7.4), when joined to Active Directory, we lose functionality to the local Admin account.
We can log into the local Admin account, but the desktop is useless. Nothing opens. We cannot create any files/folders without getting an Access Denied error.
AND then best part... everything on the Desktop, files/folders, are gone! Almost like a bran spankin' new account. With no access to anything locally.
I am running a 10.7.3 Lion Server bound to Active Directory. There are only several local admin users on the machine; everyone else authenticates against AD. AFP connections work fine, using both local and AD accounts. SMB connections work fine if you use a local account but any AD account is rejected as having the wrong password when connecting via SMB. I've tried using the adusername trick (our AD server is named "ad") even though you're not supposed to need that with 10.7.2 and above... it doesn't help.
I have tried both a Windows 7 client and a 10.6 client, specifying SMB as the protocol in the Connect To Server dialog. Both fail, and they also take several minutes before reporting the bad password (the slowness in responding is yet another problem I've read as being an issue). Checking the kdc.log file on the server I see:
2012-02-09T09:54:22 digest-request netr: failed user=AD\dlennie DC status code c000006d 2012-02-09T09:54:22 digest-request: netr failed with -1073741715 proto=ntlmv2 2012-02-09T09:54:22 digest-request: od failed with 2 proto=ntlmv2
[code]....
I am using the full DNS name for the server, and on my test clients there are no firewalls or other network issues that would prevent connection to the server. We're mostly Macs here but the Windows users become a rather vocal group when something doesn't go their way. The confusing part to me is that AFP authenticates just fine and SMB doesn't.
I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
I have been reading through the Lion Server pages for Active Directory and came across the following question. Does the procedure listed in the URL below allow the users whose Macs are joined to the OS X server, to login with Active Directory credentials. Pass-through auth. for lack of a better term. [URL]...The procedure reads as if it is just joining the server to the domain and not configuring authentication.
Im having all kinds of 'not found' issues with lion server but i think alot of them may stem from not being able to stop kerberos from running on Open Directory.Therefore currently im running two Kerberos realms OD and Active directory.. When I try and stop it in terminal it errors see below...
shutting down kadmind kadmind shut down shutting down kdc
[code]....
then on server admin it shows kereberos for OD as "running".. still so i know it hasn't worked?
I have an OSX Lion 10.7.4 Server set up with Profile Manager and it is joined to AD.
I am able to see AD groups in the Profile Manager groups section. I can also see and add AD users and groups using the server app.
I have enabled the "Can Enable Remote Management" check box for Domain Users through Profile Manager. I have also added Domain Admins to the Workgroup group in the Server app. I'm not sure that I want or need either of these options, but they were suggestions to try. I am not able to log on to the Profile Manager or My Devices pages with AD logins.
I found these directions about nested groups in Workgroup Manager [URL] but I don't have a [URL] local group or any groups like are shown in the picture.
Adding 10 IMACS with OS 10.7 to my active directory domain. I would like for all users to have the same basic user settings at log in. how I can configure the MAC clients.
I am running an open directory/active directory network. Authentication is from the Windows server 2003 active directory. It has worked fine until the last month. Now clients stop authenticating & when I check the AD plugin it says network accounts are not available. I can force the server to unbind, then renew the binding & everything works great.Is there any work around or fix for this other than upgrading the windows server to 2008?
I'm getting ready to migrate our company server to a new server box. I'm doing a complete clean install, and migrating specific information over (we had some corruptions from the initial installation Lion Server). All our users are in LDAP, not the Local directory, and I can't seem to figure out (and don't have the ability to test) if using the Ser Admin app's Archive feature of Open Directory, will include all LDAP information. My understanding is that if I create an archive and restore to it, then all of my users and there information will be put back like nothing happen, but can't get any clarification on it.
I have a few labs that will be running Tiger. I have an XSERVE that is running Tiger Server. All of my users are stored on a Windows 2003 server in AD.
I know how to bind an OSX machine to AD. What is the best way to set up my mac labs/Xserve so that when the users log in they get their home folder on the Windows server but have their preferences managed by Workgroup manager?
i want to learn one think about Mac OS X Server 10.6.i have got 300 clients Windows and i want to setup Mac OS X Server work like a Active Directory same as Windows... (User's Account,Profile ....etc) is it possible with Mac OS X Server or not ?
I'm trying to setup our xserve so our clients will authenticate against AD but have their prefs managed by OSX Server. So far I've got the clients logging on ok,group folders mount nicely and I can see AD users and groups from workgroup manager. But when I try to add a home directory for an AD user I get - 'Got unexpected error Error of type -14140 on line 1127 of PMMUGMainView.mm'. I get the same if I try to create a new active directory user so it looks like workgroup manager is having problems writing to the active directory.
We use on our Server the OD. About 25 User can ue with their Account every Computer in the Office. Now wo saw the size of the harddrive has very less free space. When we click Apple-I on the users we see it is very low space uses, but this is because all the private folders are blocked. Is their a way to calculate the Open Directory size of every User Account?
I use an external DNS that includes MX and mail entries and A records that point to a static IP provided by my ISP, stored in my router, that in turn accesses services on my lion server via port forwarding. The DNS service on my lion server was turned on but I turned it off and I'm not sure I've noticed any difference - I've got issues either way. Do I need it for any mail server related reason?
A freshly created account under 10.7.4. is a Admin account by default. The checkbox "Allow user to administer this computer" is grayed out. I end up with an Admin account and there is no way to convert this account into a Standard account. Facts: 10.7.4 - clean install on a current iMac i5 Freshly created account uses name of a deleted older account (my name)Repaired permissions several times (disk utility and "resetpassword utility" via terminal and safe boot)The older account had been relocated to a external disc for security reasons. There the access rights got corrupted so that I wanted to freshly create a new account and copy all files from a backup. how to create a new account for me?
With any Unix machine, one can run at the command line:- apachectl -S This will show all virtual servers configured in Apache, and will break if there are any obvious problems in the httpd .conf files. It's very handy for testing a new configuration before restarting the server. With Mac OS X Server though, this doesn't work properly. Sure, I can run that command and see a virtual server or two, but with the introduction of the server Apache wrappers, the command line tools read a very different configuration than the `serveradmin` tool does.
e.g. Wrappers like:-<IfDefine MACOSXSERVER> .... </IfDefine> or <IfDefine WEBSERVICE_ON>
[code]....
ps. Running `sudo serveradmin stop web && sudo serveradmin start web` really compared to `apachectl graceful`; it's painfully slow and doesn't provide a way to test a custom configuration before attempting to restart.
I am currently trying access profile manager on both my macbook air and iphone 4s on local wifi. However, it would just hang when i try to access it via "http://macmini.local/profilemanager". If i try go to go url...I can access url... fine and ping "macmini" fine.
Our new Lion Server has a static IP Address pointed to over the internet by our registrar's zone file. Planning the Lion Server installation process with the intent of hosting Web, Mail and Open Directory services to a small number of users who are nearly all located off-site. I do also want Lion Server to be a caching DNS Server and DHCP authority on the local network to replace what dnsmasq does on our current Linux server.
I am looking forward to offloading some of the lower level Linux administration tasks and putting myself in the hands of the Lion Server Setup Assistant and Server App :-) but at the same time don't understand some of its assumptions and fear having to spend a lot of time experimenting and re-installing.
So, specifically, I want the Server App to know that my Lion Server has a "Host Name for the Internet" but that the DNS it sets up will not be the DNS for my zone - I will be managing that through my registrar's interfaces.
Second problem is my fnot understanding what name space devices on the local network will / should use. e.g. The Linux server will be available for backups etc on the local intranet (and optionally have a static ip address on the Internet) but MacBooks, PCs, iPads and iPhones will be served ip addresses by the Lion Server's DHCP. So will / should these dynamic devices have their machine names fully qualified by our domain name with RFC 1918 style ip addresses or something like .local? How do I tell this to Lion's Server App / Setup Assistant? How easy is it to update these initial settings later?
Hey everyone, i'm starting to learn active directory in windows server 2003 but what i want to do with parallels if possible is setup a XP VM so i can see the effect of the changes/rules i setup in active directory.
Is this possible within Parallels or is it a pipe dream as it would be a fantastic learning tool.
The hardware it would be running on is a 24inch 1st gen iMac with 2GB of Ram.
What do you guys think and if it can be done what do i need to make sure of when it comes to setting up parallels?
I work for a college as an IT Support Specialist and currently the only thing I have yet to find that I can use in mac OSX is Microsoft Active Directory. I use this to search for computer names as well as to remove and add computers to our college directory. Do you know of any way to use this in Mac OSX. As of right now I am running parallels on my machine but Active Directory is the ONLY thing that I use in Parallels and would like to find a way to use it in Mac OSX (Leopard). If you need anymore info just let me know.
I am the Mac administrator for my company and I am looking at bringing the Macs into the Active Directory realm. Since we have crept to over 100 Macs (most laptops) it has gotten a little more difficult to manage. I have researched two products, but haven't done any testing yet. The products that I have researched are Centrify Direct Control and Thursby ADmitMac. Direct control seems to be a bit more useful with machine policies. While AdmitMac seems a little light in it's scope.
Has anyone worked with either of these? How did it work out? Is there any other products that I should consider?
We have approx 20 systems, laptops and desktops - running 10.4.11 and 10.5.8 - that are syncing a local home directory with the user's specified home folder in their AD profile. As a standard, we are syncing their desktop and documents folders. This all seems to be working well, except for the fact that everything in the documents folder syncs, except for their Microsoft User Data info. We have gone so far as to blow out everything in the back up folder and start fresh, but still no Microsoft User Data folder. We have our users on Office 08.
I'm trying to bind my MacBook Pro to an active directory. I have the DNS records setup to point to the right DNS server (which is the active directory server) and then when I go into Directory Utility and type the name of the active directory it gives the following error:
Quote:
Unable to add the domain.
There was no response from KH. please check that the address you entered is correct.
I also tried KH.local which is the actual domain name but got the same problem. I tried going into terminal and pinged kh.local and it came back with a response.
I am unable to Bind any of my Mac Clients to Active Directory after upgrading to Mac OS 10.5.5 and 10.5.6.
I am now running 10.5.6 but the problem started when I upgraded to 10.5.5, 10.5.6 did not resolve the problem. The Directory Service Plug-in will not authenticate my username and password.
When I try to bind my mac to an active directory domain I get the error message (“An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest”). I have tried so many things,nothing works?
