I want to enforce MCX computer policies, but all my users are admins...

Hi Jim

I have an interesting situation that maybe you have dealt with in the past. Maybe I can pick your brain. I am very familiar with Mac OS X, but new to MCX and OD.

I am deploying ~200-400 Macs in Q1 08. All of them will be Intel iMacs running 10.5.x (Leopard). I am going to be running both AD (for authentication/authorization) and OD (for MCX). My OD servers will be running Leopard Server (Xserves).

I want to manage all of the Mac computers via MCX. One gotcha: My CIO has insisted that all the Mac users will be administrators. Rather than trying to manually set each user up as a local admin, I have created an AD group called "Mac Power Users" and each user that gets a Macintosh system will be in this group. My master Netinstall Mac image is set to acknowledge the AD "Mac Power Users" group as a valid admin group via the Directory Utility, and thus any Mac bound to AD will effectively see the Mac AD users as administrators. Don't ask why I have to do this - it's a political issue and even our current 400 Windows XP desktops are set up like this too. Grrr.

Anyway - I want to manage basic settings via OD/MCX like automounts, Web proxies, loginwindow settings & maybe printers too. Mostly computer-based policies, not many user or group level policies will be needed (I hope).


Question: If all my users are considered local admins based on the AD "Mac Power Users" group, will they override my OD/MCX policies? If so, is there any way to allow them to be admins but still enforce computer policies via MCX?

It's the chicken and the egg!

TIA

Xserve, Mac OS X (10.5), OD & AD

Posted on Nov 7, 2007 8:23 AM

2 replies

Nov 7, 2007 11:40 AM in response to Daniel Stranathan

Hi

If I understand you correctly then you should be able to do this using computer lists. Don’t be tempted to use or delete the default ones already there; create a new one instead and add all of your clients to that list. You can use the diaresis (3 dots) button to discover all of your clients (they have to be turned on and have unique names, e.g. iMac01, iMac02 etc). It's actually better if you manually add the clients to the list by collating all the MAC addresses. Although if you use the Server’s DHCP Service then you can generally get away without doing this. You should also disable automatic logins.

Apply managed preferences from there.

Managed preferences applied to computer lists are applied to the hardware and as such it will not matter whether network or local users are admins or not. You’ll also notice that there are a few extra settings that can be managed at computer level that are not available in either Users or Groups. Login Window and Energy Saver settings for example. The order in which MCX are applied is Users, Computer Lists and Groups. Managed preferences are also accumulative.

Tony
