Apple Support Communities > Servers and Enterprise Software > Mac OS X Server v10.6 Snow Leopard > Discussions
This discussion is archived
14558 Views 25 Replies Latest reply: Dec 30, 2010 8:26 PM by djimenez
Aug 24, 2010 9:12 AM (in response to dalimsoftware)
I don't think it's possible to create users or groups in AD via Workgroup Manager. The basic problem is that AD users and groups are Windows users and groups first, and have various Windows-required attributes that WGM doesn't know anything about. Extending the schema allows the users and groups to optionally also have Mac management attributes, but doesn't remove their native Windows requirements. So, you need to create users and groups with Windows Server tools, then use WGM to add Mac-compatible managed attributes to them.
MacBook Pro, Mac OS X (10.6.4)
Aug 24, 2010 9:40 AM (in response to Gordon Davisson)
Hi Gordon,
that's also what I first thought - but when I watched the presentation from Timothy Perfitt at http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301 I noticed his + (add users/groups) got active after providing the admin credentials (see presentation movie @16:50 timecode).
Would be very nice if it is possible - otherwise we probably have to live with that
Aug 27, 2010 3:20 PM (in response to dalimsoftware)
Hi, I was wondering if there is somewhere I can find the Apple schema other than on a 10.6 server? I currently don't have access to a 10.6 server. I would like to extend my schema and manage my small group of Macs (5) with the rest of my Active Directory structure (400+ PCs). Also, currently my domain controllers are Windows Server 2003 R1; if I bring a Windows Server 2008 R2 domain controller online, will that resolve the needed domain controller level?
Aug 30, 2010 2:40 PM (in response to cabrower)
@cabrower: I don't know anyplace other than an OS X Server to get the Apple schema in a form that AD Schema Analyzer can work with, but 10.5 should be sufficient if you can find someone with a leftover license (there's not much difference between 10.5 and 10.6)...
As for the Windows Server version, as I understand it the important thing is the AD schema changes Microsoft made between 2003 R1 and R2. I'm not sure, but I suspect you'd need to update all of your domain controllers to R2 and then raise the domain functional level -- definitely the sort of thing you'd want to confirm in a test environment before inflicting it on your production servers.
MacBook Pro, Mac OS X (10.6.4)
Aug 30, 2010 3:51 PM (in response to Jason Millen)
Hi Gordon, thanks for the response. I was able to do enough searching of the internet and someone was kind enough/smart enough to post the already modified version of the schema. I am not sure why Apple wouldn't do the same. Here is what I found. It is ready for a copy and paste:
Message was edited by: cabrower
Sep 3, 2010 7:13 PM (in response to cabrower)
The LDIF in that serverfault entry has some kinda strange things in it. It has the apple-user-homeurl attribute listed, which (according to Apple's PDF) it shouldn't have. It also has the ipHostNumber and macAddress attributes, which should already be there (they were added in the R2 update to Windows Server 2003). And it has several possSuperiors's listed by OID rather than name (which I think I've seen cause problems). And it has apple-configuration set up as an auxiliaryClass of the AD Configuration class, which does not match the Apple PDF (and if I understand it, conflicts with the way apple-configuration is used).
So I wouldn't especially trust that serverfault entry...
MacBook Pro, Mac OS X (10.6.4)
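The four problems listed in the post above can be checked mechanically before a downloaded schema LDIF is imported. This is an added example, not code from the thread or from Apple; the sample LDIF, the `DC=X` suffix and the OID `1.2.3.4.5` are constructed placeholders, and the rules encode only what the post states.

```python
import re
# Constructed sample in the style of an AD schema LDIF (DC=X and 1.2.3.4.5 are placeholders).
SAMPLE = """\
dn: CN=apple-user-homeurl,CN=Schema,CN=Configuration,DC=X
changetype: add

dn: CN=macAddress,CN=Schema,CN=Configuration,DC=X
changetype: add

dn: CN=apple-computer-list,CN=Schema,
 CN=Configuration,DC=X
changetype: add
possSuperiors: 1.2.3.4.5
possSuperiors: organizationalUnit

dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-configuration
-
"""

ALREADY_IN_R2 = {"iphostnumber", "macaddress"}   # per the post: added by the 2003 R2 update
OID = re.compile(r"\d+(\.\d+)+")                 # a value that is a dotted OID, not a name

def parse_ldif(text):
    """Split LDIF into records, each a list of (attribute, value) pairs."""
    text = re.sub(r"\r?\n ", "", text.strip())   # unfold continuation lines
    return [[(k.strip().lower(), v.lstrip(":").strip())
             for k, sep, v in (ln.partition(":") for ln in block.splitlines())
             if sep and not k.startswith("#")]   # skip comments and "-" separators
            for block in re.split(r"\n\s*\n", text)]

def review(text):
    """Return (object name, issue) pairs for the four problems named in the post."""
    findings = []
    for rec in parse_ldif(text):
        dn = next((v for k, v in rec if k == "dn"), "")
        name = dn.split(",")[0].partition("=")[2].strip().lower()
        adding = ("changetype", "add") in rec
        if adding and name == "apple-user-homeurl":
            findings.append((name, "not-in-apple-pdf"))
        if adding and name in ALREADY_IN_R2:
            findings.append((name, "already-in-r2"))
        if any(k == "posssuperiors" and OID.fullmatch(v) for k, v in rec):
            findings.append((name, "posssuperiors-by-oid"))
        if name == "configuration" and ("auxiliaryclass", "apple-configuration") in rec:
            findings.append((name, "aux-on-configuration"))
    return findings
```

An empty result only means none of these four patterns is present; the LDIF should still be compared against Apple's PDF and imported in a test forest first.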
Oct 27, 2010 3:46 AM (in response to Gordon Davisson)
Attribute apple-user-homeurl is bothering me. I cannot make clear if this is why I'm not able to mount an AFP home folder.
The White Paper "Modifying the Active Directory Schema to Support Mac Systems" (http://images.apple.com/business/solutions/it/docs/Modifyingthe_Active_DirectorySchema.pdf) does not mention this attribute. Knowledge base article TA21377 (http://support.apple.com/kb/TA21377) does mention apple-user-homeurl although this article could be outdated.
The attribute should contain the URL to the user's home folder. It seems that it's not required when only NFSHomeDirectory is set and you make use of NFS.
Nov 1, 2010 7:57 AM (in response to Martin van Diemen)
Is it possible to create computer groups within WGM? I'm able to apply managed preferences to individual users and computers but cannot create computer groups within WGM. Reading through the logs I've found this:
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Using existing connection for flaglerschools.com - flagler.flaglerschools.com. user bingc@FLAGLERSCHOOLS.COM cache MEMORY:YVKESUz
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Attempting to Create Record Type dsRecTypeStandard:ComputerLists Name Untitled_1
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=flaglerschools,DC=com with FAILED - LDAP Error 19
2008 R2 with 10.6.4
Mac OS X (10.6.4)
Nov 8, 2010 10:04 AM (in response to mike.pinto)
Hi Mike, I have been trying to do the same thing. I can apply preferences to either a specific user/computer but not a user group or computer group which is rather ridiculous...
Mac OS X (10.6.4), Windows 2008 R2/Active Directory
Nov 8, 2010 10:07 AM (in response to Gordon Davisson)
Gordon, what is the recommended way to obtain the schema if I don't have an OS X Server available? I already applied the schema I found at the serverfault website :-/
I'm hoping there isn't much damage done by that... I know you can't remove schema once it's in place...