25 Replies, latest reply: Dec 30, 2010 8:26 PM by djimenez
I don't think it's possible to create users or groups in AD via Workgroup manager. The basic problem is that AD users and groups are Windows users and groups first, and have various Windows-required attributes that WGM doesn't know anything about. Extending the schema allows the users and groups to optionally also have Mac management attributes, but doesn't remove their native Windows requirements. So, you need to create users and groups with Windows Server tools, then use WGM to add Mac-compatible managed attributes to them.
That's also what I first thought, but when I watched the presentation by Timothy Perfitt at http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301 I noticed that his + (add users/groups) button became active after he provided the admin credentials (see the presentation movie at the 16:50 timecode).
It would be very nice if this were possible; otherwise we will probably have to live with that.
Hi, I was wondering if there is somewhere I can find the Apple schema other than on a 10.6 server. I currently don't have access to a 10.6 server. I would like to extend my schema and manage my small group of Macs (5) with the rest of my Active Directory structure (400+ PCs). Also, my domain controllers are currently Windows Server 2003 R1; if I bring a Windows Server 2008 R2 domain controller online, will that resolve the needed domain controller level?
@cabrower: I don't know of anyplace other than an OS X Server to get the Apple schema in a form that AD Schema Analyzer can work with, but 10.5 should be sufficient if you can find someone with a leftover license (there's not much difference between 10.5 and 10.6)...
As for the Windows Server version, as I understand it the important thing is the AD schema changes Microsoft made between 2003 R1 and R2. I'm not sure, but I suspect you'd need to update all of your domain controllers to R2 and then raise the domain functional level -- definitely the sort of thing you'd want to confirm in a test environment before inflicting it on your production servers.
Hi Gordon, thanks for the response. I was able to do enough searching of the internet, and someone was kind enough/smart enough to post the already modified version of the schema. I am not sure why Apple wouldn't do the same. Here is what I found. It is ready for a copy and paste:
The LDIF in that serverfault entry has some kind of strange things in it. It has the apple-user-homeurl attribute listed, which (according to Apple's PDF) it shouldn't have. It also has the ipHostNumber and macAddress attributes, which should already be there (they were added in the R2 update to Windows Server 2003). And it has several possSuperiors listed by OID rather than by name (which I think I've seen cause problems). And it has apple-configuration set up as an auxiliaryClass of the AD Configuration class, which does not match the Apple PDF (and, if I understand it, conflicts with the way apple-configuration is used).
So I wouldn't especially trust that serverfault entry...
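The four problems listed in the post above are all mechanical checks you can run over a third-party schema LDIF before feeding it to ldifde or AD Schema Analyzer. The following is an added example (not code from the thread, the serverfault entry, or Apple): a small LDIF linter that parses add/modify records and flags attributes outside an expected list, attributes AD already ships (ipHostNumber and macAddress since 2003 R2, as stated above), possSuperiors given as an OID instead of a class name, and apple-configuration attached as an auxiliaryClass of a non-Apple class. The SAMPLE_LDIF, its OIDs, and the EXPECTED_ATTRS set are constructed placeholders; populate EXPECTED_ATTRS from the attribute table in Apple's white paper before using this on a real file.

```python
"""Lint a schema-extension LDIF before importing it into Active Directory.

Added example for this thread; the checks correspond to the four concerns
raised about the serverfault LDIF. The sample data below is constructed.
"""
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Attributes that already exist in AD from Windows Server 2003 R2 onward
# (from the thread); re-adding them with a different OID is an error.
AD_R2_ATTRS = {"ipHostNumber", "macAddress"}

# Placeholder allow-list: fill from the white paper's attribute table.
EXPECTED_ATTRS = {"apple-user-homeDirectory"}

# Constructed sample (NOT the serverfault LDIF). OIDs are placeholders;
# the 1.2.840... value is only there to exercise the "OID as possSuperiors" check.
SAMPLE_LDIF = """\
dn: CN=apple-user-homeurl,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: apple-user-homeurl
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12

dn: CN=macAddress,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: macAddress
attributeID: 1.3.6.1.4.1.99999.1.2

dn: CN=apple-computer,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
lDAPDisplayName: apple-computer
governsID: 1.3.6.1.4.1.99999.2.1
possSuperiors: 1.2.840.113556.1.3.23
possSuperiors: organizationalUnit

dn: CN=Configuration,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-configuration
-
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, [(attr, value), ...]) records.

    Unfolds continuation lines (leading space), skips comments and the
    '-' separator used inside changetype: modify. Base64 (::) values are
    kept undecoded, which is fine for schema names and OIDs.
    """
    records = []
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, avs = None, []
        for line in block.splitlines():
            if not line or line.startswith("#") or line == "-" or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            value = value.lstrip(": ").strip()
            if attr.lower() == "dn":
                dn = value
            else:
                avs.append((attr, value))
        if dn is not None:
            records.append((dn, avs))
    return records


def _values(avs, name):
    return [v for a, v in avs if a.lower() == name.lower()]


def lint_schema_ldif(text, expected_attrs, existing_attrs):
    """Return a list of (dn, message) findings for the LDIF text."""
    expected = {a.lower() for a in expected_attrs}
    existing = {a.lower() for a in existing_attrs}
    findings = []
    for dn, avs in parse_ldif(text):
        classes = {v.lower() for v in _values(avs, "objectClass")}
        # Fall back to the RDN value when a modify record has no lDAPDisplayName.
        names = _values(avs, "lDAPDisplayName") or [dn.split(",")[0].partition("=")[2]]
        name = names[0]
        if "attributeschema" in classes:
            if name.lower() in existing:
                findings.append((dn, f"{name} already exists in AD (2003 R2+); drop this add"))
            elif name.lower() not in expected:
                findings.append((dn, f"{name} is not in the expected Apple attribute list"))
        if "classschema" in classes:
            for sup in _values(avs, "possSuperiors"):
                if OID_RE.match(sup):
                    findings.append((dn, f"possSuperiors given as OID {sup}; use the class name"))
        aux = {v.lower() for v in _values(avs, "auxiliaryClass")}
        if "apple-configuration" in aux and not name.lower().startswith("apple-"):
            findings.append((dn, f"apple-configuration attached as auxiliaryClass of non-Apple class {name}"))
    return findings


if __name__ == "__main__":
    for dn, msg in lint_schema_ldif(SAMPLE_LDIF, EXPECTED_ATTRS, AD_R2_ATTRS):
        print(f"{dn}\n    {msg}")
```

Run it against the downloaded LDIF instead of SAMPLE_LDIF; an empty result does not prove the file is correct, but any finding is something to resolve against the white paper before touching the schema master.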
The attribute apple-user-homeurl is bothering me. I cannot work out whether this is why I'm not able to mount an AFP home folder.
The white paper Modifying the Active Directory Schema to Support Mac Systems (http://images.apple.com/business/solutions/it/docs/Modifyingthe_Active_DirectorySchema.pdf) does not mention this attribute. Knowledge base article TA21377 (http://support.apple.com/kb/TA21377) does mention apple-user-homeurl, although this article could be outdated.
The attribute should contain the URL to the user's home folder. It seems that it's not required when only NFSHomeDirectory is set and you make use of NFS.
Is it possible to create computer groups within WGM? I'm able to apply managed preferences to individual users and computers but cannot create computer groups within WGM. Reading through the logs I've found this:
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Using existing connection for flaglerschools.com - flagler.flaglerschools.com. user bingc@FLAGLERSCHOOLS.COM cache MEMORY:YVKESUz
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Attempting to Create Record Type dsRecTypeStandard:ComputerLists Name Untitled_1
2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=flaglerschools,DC=com with FAILED - LDAP Error 19
2008 R2 with 10.6.4