25 Replies. Latest reply: Dec 30, 2010 8:26 PM by djimenez
  • Gordon Davisson Level 3
    I don't think it's possible to create users or groups in AD via Workgroup manager. The basic problem is that AD users and groups are Windows users and groups first, and have various Windows-required attributes that WGM doesn't know anything about. Extending the schema allows the users and groups to optionally also have Mac management attributes, but doesn't remove their native Windows requirements. So, you need to create users and groups with Windows Server tools, then use WGM to add Mac-compatible managed attributes to them.
  • dalimsoftware Level 1
    Hi Gordon,
    that's also what I first thought - but when I watched the presentation from Timothy Perfitt at I noticed his + (add users/groups) got active after providing the admin credentials (see presentation movie @16:50 timecode).

    Would be very nice if it is possible - otherwise we probably have to live with that
  • cabrower Level 1
    Hi, I was wondering if there is somewhere I can find the Apple schema other than on a 10.6 server? I currently don't have access to a 10.6 server. I would like to extend my schema and manage my small group of Macs (5) with the rest of my Active Directory structure (400+ PCs). Also, currently my Domain Controllers are Windows Server 2003 R1; if I bring a Windows Server 2008 R2 domain controller online, will that resolve the needed Domain controller level?

  • Gordon Davisson Level 3
    @cabrower: I don't know anyplace other than an OS X Server to get the Apple schema in a form that AD Schema Analyzer can work with them, but 10.5 should be sufficient if you can find someone with a leftover license (there's not much difference between 10.5 and 10.6)...

    As for the Windows Server version, as I understand it the important thing is the AD schema changes Microsoft made between 2003 R1 and R2. I'm not sure, but I suspect you'd need to update all of your domain controllers to R2 and then raise the domain functional level -- definitely the sort of thing you'd want to confirm in a test environment before inflicting it on your production servers.
  • cabrower Level 1
    Hi Gordon, thanks for the response. I was able to do enough searching of the internet and someone was kind enough/smart enough to post the already modified version of the schema. I am not sure why Apple wouldn't do the same. Here is what I found. It is ready for a copy and paste: nager

    Message was edited by: cabrower
  • Gordon Davisson Level 3
    The LDIF in that serverfault entry has some kinda strange things in it. It has the apple-user-homeurl attribute listed, which (according to Apple's PDF) it shouldn't have. It also has the ipHostNumber and macAddress attributes, which should already be there (they were added in the R2 update to Windows Server 2003). And it has several possSuperiors's listed by OID rather than name (which I think I've seen cause problems). And it has apple-configuration set up as an auxiliaryClass of the AD Configuration class, which does not match the Apple PDF (and if I understand it, conflicts with the way apple-configuration is used).

    So I wouldn't especially trust that serverfault entry...
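
    Added example, not part of the original post and not Apple's or Microsoft's tooling: a pre-import check that flags the four things the post above objects to in a schema-extension LDIF. The sample LDIF, `example-class`, the OID `1.2.3.4.5` and `DC=X` are constructed placeholders, and the finding labels are names chosen here.

```python
import re

# Checks mirror the objections raised in the post above.
UNEXPECTED = {"apple-user-homeurl"}             # absent from Apple's PDF, per the post
ALREADY_IN_R2 = {"iphostnumber", "macaddress"}  # added by the 2003 R2 schema update
OID_RE = re.compile(r"^\d+(\.\d+)+$")

def parse_ldif(text):
    """Return records as lists of (attr, value); base64 values are not decoded."""
    text = re.sub(r"\r?\n ", "", text)  # undo RFC 2849 line folding
    return [[(k.strip().lower(), v.strip())
             for k, sep, v in (l.partition(":") for l in block.splitlines())
             if sep and not k.startswith("#")]
            for block in re.split(r"\n\s*\n", text.strip())]

def audit(text):
    """Return (finding, subject) tuples for an LDIF given as a string."""
    findings = []
    for rec in parse_ldif(text):
        get = lambda key: [v for a, v in rec if a == key]
        dn = (get("dn") or ["?"])[0]
        name = (get("ldapdisplayname") or [""])[0].lower()
        if "attributeschema" in (v.lower() for v in get("objectclass")):
            if name in UNEXPECTED:
                findings.append(("unexpected-attribute", name))
            if name in ALREADY_IN_R2:
                findings.append(("already-in-r2-schema", name))
        # possSuperiors given as a numeric OID instead of a class name
        if any(OID_RE.match(v) for v in get("posssuperiors")):
            findings.append(("posssuperiors-by-oid", dn))
        # apple-configuration attached to the AD Configuration class itself
        if (dn.lower().startswith("cn=configuration,cn=schema,")
                and "apple-configuration" in [v.lower() for v in get("auxiliaryclass")]):
            findings.append(("aux-class-on-configuration", dn))
    return findings

# Constructed sample, not the LDIF from the thread; DC=X is a placeholder.
SAMPLE = """\
dn: CN=apple-user-homeurl,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: apple-user-homeurl

dn: CN=example-class,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
possSuperiors: 1.2.3.4.5

dn: CN=Configuration,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: apple-configuration
"""
```

    Running `audit()` over a downloaded LDIF in a test environment gives a list to compare against Apple's PDF before anything is imported into the schema.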
  • Martin van Diemen Level 1
    Attribute apple-user-homeurl is bothering me. I cannot make clear if this is why I'm not able to mount an AFP home folder.

    The White Paper "Modifying the Active Directory Schema to Support Mac Systems" does not mention this attribute. Knowledge base article TA21377 does mention apple-user-homeurl, although this article could be outdated.

    The attribute should contain the URL to the user's home folder. It seems that it's not required when only NFSHomeDirectory is set and you make use of NFS.

    Any ideas?
  • mike.pinto Level 1
    Is it possible to create computer groups within WGM? I'm able to apply managed preferences to individual users and computers but cannot create computer groups within WGM. Reading through the logs I've found this:

    2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Using existing connection for - user bingc@FLAGLERSCHOOLS.COM cache MEMORY:YVKESUz
    2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Attempting to Create Record Type dsRecTypeStandard:ComputerLists Name Untitled_1
    2010-10-15 14:09:41 EDT - T[0xB0081000] - Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=flaglerschools,DC=com with FAILED - LDAP Error 19

    2008 R2 with 10.6.4
  • cabrower Level 1
    Hi Mike, I have been trying to do the same thing. I can apply preferences to either a specific user/computer but not a user group or computer group which is rather ridiculous...
  • cabrower Level 1
    Gordon, what is the recommended way to obtain the schema if I don't have an OS X Server available? I already applied the schema I found at the serverfault website :-/

    I'm hoping there isn't much damage done by that... I know you can't remove schema once it's in place...
  • djimenez Level 1
    The LDIF worked okay for me!