LeicHIS

Q: Lion Server, Profile Manager and Active Directory Users/Groups

I have managed to get Profile Manager working and have enrolled a number of iOS devices using AD user accounts. The devices appear with the correct name of the user that enrolled them.

On Friday the Users tab of the Profile Manager webpage suddenly displayed the list of AD users that had enrolled the devices. I got very excited and then the users disappeared when I refreshed the webpage. Now they are gone forever . . .

The Groups pane only lists members for the OD Groups. All of the AD Groups appear as No Members.

The Lion Server is successfully bound to the AD Domain and I have extended the Forest with the Apple Schema change.

I can interact with AD Users using Workgroup Manager and the Directory Utility; however, all of the AD Groups have no members.

I really need to be able to apply profiles to AD User Groups, but until the Lion Server sees the members it's never going to work . . .

Any ideas?

Phil

Mac mini, Mac OS X (10.7.3)

Posted on Apr 23, 2012 7:29 AM


  • by LeicHIS,

    Apr 23, 2012 7:32 AM in response to LeicHIS
    Level 1 (0 points)

    The Lion Server must be reading group membership as AD Users are being given permissions appropriate to their group memberships, e.g. access to /mydevices or /profilemanager.

    Help ?????????????

  • by LeicHIS,

    Apr 24, 2012 12:53 AM in response to LeicHIS
    Level 1 (0 points)

    Bit of an update . . .

    I have noticed that users appear in the Users list within Profile Manager after they enrol a device. I can then apply a profile to the user account and the settings appear on the device. All good . . .

    However, if I log out of Profile Manager and log back in again, the new users have disappeared. The profile assigned to the user remains on the device and the task to push the User profile is still in the Completed Tasks list.

    I still have no members of AD groups within Workgroup Manager.

    Phil

  • by LeicHIS,

    Apr 24, 2012 1:48 AM in response to LeicHIS
    Level 1 (0 points)

    The users also disappear when you refresh the web page . . .

  • by LeicHIS,

    Apr 25, 2012 1:02 AM in response to LeicHIS
    Level 1 (0 points)

    After some testing it appears that you can assign a Profile to one of the AD Groups within Profile Manager and the settings do apply to the device when the appropriate user enrolls the device. The webpage still says No Members . . .

    I am still having the disappearing users issue though.

  • by IamOnline,

    May 25, 2012 9:59 AM in response to LeicHIS
    Level 1 (0 points)

    I have run into these same issues. I have a friend who has a Profile Manager server working much differently.

    For his server, when he goes to Users or Groups it doesn't show a list; it just shows "Search for Users" or "Search for Groups" and allows him, for both users and groups, to search Active Directory even if the users have never enrolled a device with the server.

    I haven't been able to figure out how his server is working that way and he hasn't been able to remember it at the moment. He thinks a lot of it is due to the size and number of groups in their AD structure, but I'm not sure.

    A lot of the other things with this server also seem to relate to the order in which you did various steps during setup. I'm not sure I've ever worked with a Server OS that is as quirky as Lion Server has been while trying to set up Profile Manager...

  • by Pedro Santos Logica,

    May 30, 2012 2:48 AM in response to LeicHIS
    Level 1 (0 points)

    Same problem here.

  • by Salvador G,

    May 31, 2012 12:52 PM in response to LeicHIS
    Level 1 (0 points)

    I'm experiencing the same problem. Anyone able to resolve this? Any clue if this bug is still in 10.7.4?

  • by IamOnline,

    Jun 1, 2012 11:04 AM in response to Salvador G
    Level 1 (0 points)

    The same bug is still in 10.7.4.

    It is unfortunate that Profile Manager/OS X can't see the members of an AD group. Configuring a management profile on an AD group works great for the initial enrollment, but in my testing, making a change to the settings for an AD group doesn't cause those settings to be pushed out to the members of that group. I believe this is because the group is seen as having no members, so it only works during the enrollment. This pretty much makes settings configured on Domain groups useless unless you never plan to change them...

    Due to these domain group issues and due to the disappearing users, I have given up on a lot of how I was hoping to manage the server. I now manage settings through groups created in the Server app on OS X, and to circumvent the disappearing users issue I have to manually import users from AD into the users section of the Server app.

    This seems to work well enough and is the best way I have figured out.

    Ian

  • by timothy sutton,

    Jun 28, 2012 7:19 AM in response to LeicHIS
    Level 1 (0 points)

    Has anyone experiencing this issue filed a Radar?

    This is how issues get fixed. The more bugs filed, the more weight the issue is given in Apple concentrating their engineering efforts.

  • by ecase,

    Aug 5, 2012 9:35 AM in response to timothy sutton
    Level 1 (0 points)

    Apple is aware of this defect – I spoke with a member of the server support team last week. She suggested that it would be fixed in the next point release of 10.7 & 10.8.

    ~Evan

  • by FSU IT Help Desk,

    Aug 8, 2012 1:40 PM in response to LeicHIS
    Level 1 (0 points)

    Having the same issue. Using a 10.8 server.

    Just got Profile Manager to join devices. However, I don't see any users in Profile Manager besides the local admin and the OD Admin.

    In the Server app I can see the AD users. They are listed differently than in the 10.7.3-4 Server app and there doesn't appear to be an option to import users.

    It would be ideal to be able to add AD users to Profile Manager so they can enroll their devices. Or records can be kept based on whose device it is.

  • by Jay Silvas,

    Sep 11, 2012 11:53 PM in response to LeicHIS
    Level 1 (10 points)

    Apple's AD integration has been terrible, especially with the release of Lion. I submitted a bug that affects network map parent folders well over a year ago and they have not fixed it four releases later. The best solution that I have found for me is this.

    1. Unbind your server from AD
    2. Download Centrify Express
    3. Use Centrify ADJoin to bind your server back to your AD
    4. Open Server.app and click Manage>Connect to a directory server (or something similar)
    5. Import your user groups like you would normally.

    This time your server should behave correctly. I gave up on Apple's AD integration a long time ago. Centrify has more vested interest in maintaining their product.

  • by GSEVille,

    Dec 19, 2013 5:42 PM in response to Jay Silvas
    Level 1 (0 points)

    Now with Server.app 3.x, Profile Manager supports Active Directory groups.

    Although, has anyone been having a problem that user profiles won't push to Active Directory users?

  • by computeronix,

    Jul 26, 2014 2:23 PM in response to GSEVille
    Level 1 (0 points)

    Yes, I am on 3.1.2 Server and Mavericks 10.9.4 and it shows no users within an AD group. Also, the profile does not push to users, but for devices it works fine.

    Any ideas?