OS X Server :: Creating Active Directory Users From Workgroup Manager
May 3, 2005
I'm trying to setup our xserve so our clients will authenticate against AD but have their prefs managed by OSX Server. So far I've got the clients logging on ok,group folders mount nicely and I can see AD users and groups from workgroup manager. But when I try to add a home directory for an AD user I get - 'Got unexpected error Error of type -14140 on line 1127 of PMMUGMainView.mm'. I get the same if I try to create a new active directory user so it looks like workgroup manager is having problems writing to the active directory.
Today when we started trying to add users to our server (we use it only for afp access at this time), we noticed that new users belonging to a group "storage" were unable to login from client machines via afp (clients both 10.7.2 and 10.6.8).
When we tried editing the users accounts to change which groups they belonged to, it would appear in workgroup (and server preferences) that the changes would take but there was still no access.
As a test case, we modified an existing user who had no issues logging in to belong to a diffenent group and have different sharepoint access. The changes looked good in workgroup and server prefs, but when the user logged in, he was only able to acces his old sharepoint and not the new one (and since his permissions to the old were removed, he shouldn't have access to that sharepoint).
Also, for some reason users cannot be deleted within workgroup manager any more. The login used was the diradmin account.
I have an OSX Lion 10.7.4 Server set up with Profile Manager and it is joined to AD.
I am able to see AD groups in the Profile Manager groups section. I can also see and add AD users and groups using the server app.
I have enabled the "Can Enable Remote Management" check box for Domain Users through Profile Manager. I have also added Domain Admins to the Workgroup group in the Server app. I'm not sure that I want or need either of these options, but they were suggestions to try. I am not able to log on to the Profile Manager or My Devices pages with AD logins.
I found these directions about nested groups in Workgroup Manager [URL] but I don't have a [URL] local group or any groups like are shown in the picture.
Adding 10 IMACS with OS 10.7 to my active directory domain. I would like for all users to have the same basic user settings at log in. how I can configure the MAC clients.
We are a school and recently just added a few students so they can log in with their own user name. When the new students try to log in they get this message "You are unable to log in to the user account "user name". Logging in failed because an error occurred. The home folder for the user account is located on a AFP or a SMB server."I logged on Workgroup Manager and it shows every student and teacher has their home folder on the AFP server. And they all look set up the same. I do not know what the problem is or how to fix it!
I am setting up OS X Server (Advanced configuration) on a Mac mini. At some time I added a group and then deleted it. I now wish to add this group again and the Workgroup Manager GUI claims that the Name and Group ID already exists although I seem to be able to re-use the Short Name. Also if I try to add group permissions to a shared folder using Server Admin this Group Name/Group ID appear in the list of groups. How can I tidy this up? Another �variation� of this occurs when I create a shared folder. This also appears as a group when adding group permissions, but not in Workgroup Manager. Why should this be?
I'm just setting up a new Mac Mini (5,3) Server but I can't find 'Workgroup Manager' installed, only the 'Server' app. Is this the difference between the Mac Mini and a 'real' server?
The server app seems to do most things but I want to create all the user accounts with a pre set password but force each user to create their own password on first login, I can't seem to find this option in the 'Server' app. I can do this in Workgroup Manager on my old 10.4 server that's being replaced.
I am running an open directory/active directory network. Authentication is from the Windows server 2003 active directory. It has worked fine until the last month. Now clients stop authenticating & when I check the AD plugin it says network accounts are not available. I can force the server to unbind, then renew the binding & everything works great.Is there any work around or fix for this other than upgrading the windows server to 2008?
I have a few labs that will be running Tiger. I have an XSERVE that is running Tiger Server. All of my users are stored on a Windows 2003 server in AD.
I know how to bind an OSX machine to AD. What is the best way to set up my mac labs/Xserve so that when the users log in they get their home folder on the Windows server but have their preferences managed by Workgroup manager?
I am running a 10.7.3 Lion Server bound to Active Directory. There are only several local admin users on the machine; everyone else authenticates against AD. AFP connections work fine, using both local and AD accounts. SMB connections work fine if you use a local account but any AD account is rejected as having the wrong password when connecting via SMB. I've tried using the adusername trick (our AD server is named "ad") even though you're not supposed to need that with 10.7.2 and above... it doesn't help.
I have tried both a Windows 7 client and a 10.6 client, specifying SMB as the protocol in the Connect To Server dialog. Both fail, and they also take several minutes before reporting the bad password (the slowness in responding is yet another problem I've read as being an issue). Checking the kdc.log file on the server I see:
2012-02-09T09:54:22 digest-request netr: failed user=AD\dlennie DC status code c000006d 2012-02-09T09:54:22 digest-request: netr failed with -1073741715 proto=ntlmv2 2012-02-09T09:54:22 digest-request: od failed with 2 proto=ntlmv2
[code]....
I am using the full DNS name for the server, and on my test clients there are no firewalls or other network issues that would prevent connection to the server. We're mostly Macs here but the Windows users become a rather vocal group when something doesn't go their way. The confusing part to me is that AFP authenticates just fine and SMB doesn't.
i want to learn one think about Mac OS X Server 10.6.i have got 300 clients Windows and i want to setup Mac OS X Server work like a Active Directory same as Windows... (User's Account,Profile ....etc) is it possible with Mac OS X Server or not ?
I am managing a bunch of Macs and we are using Active Directory groups to assign certificates for 802.11x. I am binding the device to AD using JAMF software and was wondering if I could use a script to then add the deive to an active directory group.
I have been reading through the Lion Server pages for Active Directory and came across the following question. Does the procedure listed in the URL below allow the users whose Macs are joined to the OS X server, to login with Active Directory credentials. Pass-through auth. for lack of a better term. [URL]...The procedure reads as if it is just joining the server to the domain and not configuring authentication.
Im having all kinds of 'not found' issues with lion server but i think alot of them may stem from not being able to stop kerberos from running on Open Directory.Therefore currently im running two Kerberos realms OD and Active directory.. When I try and stop it in terminal it errors see below...
shutting down kadmind kadmind shut down shutting down kdc
[code]....
then on server admin it shows kereberos for OD as "running".. still so i know it hasn't worked?
We have a local Admin account on all Macs, enterprise wide, for local and remote administration.
All Macs are joined to Active Directory. Our users DO NOT have Admin rights.
On ALL our LION Macs (10.7.4), when joined to Active Directory, we lose functionality to the local Admin account.
We can log into the local Admin account, but the desktop is useless. Nothing opens. We cannot create any files/folders without getting an Access Denied error.
AND then best part... everything on the Desktop, files/folders, are gone! Almost like a bran spankin' new account. With no access to anything locally.
I have a problem with Network Users defined on my Lion Server accessing the server through VPN or Profile Manager (via Safari) ... I keep on getting authentication errors. Is this because they are network users or am I missing something else?
This works: when I logon to my Lion Server with either local or network users everything seems to be OK including home directory synchronisation.
I tried the following for VPN:my local server account can logon to the server (ie my secret key, user account/password combination are OK ("chap peer authentication succeeded for ...")when I try the same with two of my network accounts I keep on getting authentication errors (VPN) but I'm sure I use the same userid/password combinations as above ("chap peer authentication failed for ...")
I get similar results when I access the Profile Manager (url..)my local server account can logon on to the Profile Manager and sees as all the informationwhen I try this with one of my network accounts (which has devices assigned) I keep on getting 'incorrect user name or password
I have a couple of new users I've added to our directory recently. They are unable to connect to our internal jabber (iChat) server. Users that have connected previously are experiencing no difficulty. A quick overview of the layout of the system: two XServes, one is OD primary (aspen) the other is OD replica and iChat server (vail). I've modded some config files (long ago) to allow user IDs for jabber to be user@ourcompany.office instead of user@vail.ourcompany.office. It works quite nicely.
Excerpt from the logs shows a failed login attempt followed by a successful login attempt. Successful logins are happening from Messages (beta), iChat under Snow Leopard, and Pidgin under windows. Failing logins are all from iChat under Snow Leopard. Please ask questions, I'm happy to add any other pertinent data! May 3 16:21:45 vail jabberd/c2s[99718]: [13] [::ffff:10.255.170.122, port=52584] connectMay 3 16:21:47 vail jabberd/c2s[99718]: [13] [::ffff:10.255.170.122, port=52584] disconnect jid=unbound,
Im running snow leopard (10.6) and running Workgroup Manager from the 10.6 admin pack. Im trying to set up mobile accounts but when i try to save the settings i get " Error while saving record, The directory system schema does not support storing Managed Desktop settings." The mac is binded to AD and im logging in as a AD user. Do i really need to extend the Schema on the network? or is there a work around?
Any app for MAC OS that will display my active windows? The app can run in the menubar or dock, or mount next to the doc. Basically, something like the taskbar from Windows XP and Vista. Not Windows 7 as that shows the active programs, but not specific windows. I'm basically looking for an Expose alternative. So if I have 10 different windows running for Firefox, I can quickly look at my menubar or somewhere near the dock, and just click the window I want to see. Yes, I know that is what Expose is for, but I prefer to see me active windows without using a shortcut.
So far here's what I've tried: -Going to System Preferences, and unchecking "Minimize windows into application icon" in the Dock settings. This offered a partial solution as the icons could not be distinguished for the same program. 10 firefox windows minimized would just show 10 firefox icons. -Googling the following terms: app switcher for mac mac expose apps show running apps in menubar show expose items in menubar pin active applications to menubar in mac always show expose for mac application management for mac
I've also tried running these apps: alunch: [URL] WindowFinder 1.4: [URL] Running Applications for Mac: [URL] XMenu: [URL] Himmelbar: [URL]
All of these apps more or less place one icon in the menubar, which when clicked on shows your running apps, favorite apps, and system folders. This is fine, and is very similar to the windows start button. However, they all fall short because they only place one icon in the menubar, which must be clicked on to show active apps or active windows. Can someone please point me to an app that will always be on my screen, and will show icons or labels of active windows.
Again, similar to Windows taskbar before Windows 7. I know this is a difference in Mac and Windows, and that I can use the dock to see my active applications, and use the various shortcuts to see my windows, but there's got to be an app that will just always shows my active windows. So if I have Apple Mail Open, and have 3 compose new mail windows going, I would like to see 4 icons or labels somewhere in the menubar or near the dock. I'm on a Macbook Pro - OS 10.6.4
Hey everyone, i'm starting to learn active directory in windows server 2003 but what i want to do with parallels if possible is setup a XP VM so i can see the effect of the changes/rules i setup in active directory.
Is this possible within Parallels or is it a pipe dream as it would be a fantastic learning tool.
The hardware it would be running on is a 24inch 1st gen iMac with 2GB of Ram.
What do you guys think and if it can be done what do i need to make sure of when it comes to setting up parallels?
I work for a college as an IT Support Specialist and currently the only thing I have yet to find that I can use in mac OSX is Microsoft Active Directory. I use this to search for computer names as well as to remove and add computers to our college directory. Do you know of any way to use this in Mac OSX. As of right now I am running parallels on my machine but Active Directory is the ONLY thing that I use in Parallels and would like to find a way to use it in Mac OSX (Leopard). If you need anymore info just let me know.
I am the Mac administrator for my company and I am looking at bringing the Macs into the Active Directory realm. Since we have crept to over 100 Macs (most laptops) it has gotten a little more difficult to manage. I have researched two products, but haven't done any testing yet. The products that I have researched are Centrify Direct Control and Thursby ADmitMac. Direct control seems to be a bit more useful with machine policies. While AdmitMac seems a little light in it's scope.
Has anyone worked with either of these? How did it work out? Is there any other products that I should consider?
We have approx 20 systems, laptops and desktops - running 10.4.11 and 10.5.8 - that are syncing a local home directory with the user's specified home folder in their AD profile. As a standard, we are syncing their desktop and documents folders. This all seems to be working well, except for the fact that everything in the documents folder syncs, except for their Microsoft User Data info. We have gone so far as to blow out everything in the back up folder and start fresh, but still no Microsoft User Data folder. We have our users on Office 08.
I'm trying to bind my MacBook Pro to an active directory. I have the DNS records setup to point to the right DNS server (which is the active directory server) and then when I go into Directory Utility and type the name of the active directory it gives the following error:
Quote:
Unable to add the domain.
There was no response from KH. please check that the address you entered is correct.
I also tried KH.local which is the actual domain name but got the same problem. I tried going into terminal and pinged kh.local and it came back with a response.
I am unable to Bind any of my Mac Clients to Active Directory after upgrading to Mac OS 10.5.5 and 10.5.6.
I am now running 10.5.6 but the problem started when I upgraded to 10.5.5, 10.5.6 did not resolve the problem. The Directory Service Plug-in will not authenticate my username and password.
When I try to bind my mac to an active directory domain I get the error message (“An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest”). I have tried so many things,nothing works?
I have several 1-2yr old MacBook Pro running Snow Leopard and up-to-date patches etc. They are on the same network as a Windows Active Directory Domain, managed by Small Business Server 2003. There are approx 50 PC clients and these two macs.
The macs are not 'joined' to the domain and simply exist as nodes on the subnet. They get their IP from the domain controller and their DNS points to the DNS server/Domain Controller. The users have AD credentials that they use to connect to and use domain shared drives and resources. There is no problem getting list of computers however...
I am experiencing LONG delays (10-30 seconds) when trying to browse active directory shared resources.
If the user clicks on a domain PC that has shared resources, the list of resources take forever to appear. Once it does appear, access to the resources is fast. If another program is opened and the user browses the network for resources, despite the fact that they already have a connection to the domain resource, there is another LONG delay before the resources are displayed again.
The problem is not wrong credentials as they are not being challenged to re-authenticate... it just seems to hang until something times out and then it tries whatever method ultimately gets the mac to talk to the NTFS domain shares.
Every time the computer is restarted, the machine permanently loses its connection to the domain. After the initial binding, the Directory Utility light was green and it told me the computer had connected to the server as expected. However, after restarting, the light turns red and Directory Utility tells me that the server is not responding and no domain users can login. Nothing fixes it except for a rather disruptive and time-consuming unbinding and rebinding to the domain.
Obviously "don't restart the computer" will only work for so long, and already the user has restarted their computer once "out of habit" (which hopefully we will be able to break, lol), but still, I'm looking for a good way to fix this problem permanently.
