Apple OS server Admin Access with AD Creds

Hi all, I've been racking my brain with this one, so if anyone can help I would appreciate it.

I have recently set up an OS Server that I want my service desk and desktop teams to become administrators of. I have bound it to our current Windows AD and can see all of our AD users.

Every time I tick the box to grant login ability it prompts me to change their password. I don't want to do this; I simply want to enable admin access. Is there a way around this?

Posted on Jan 28, 2021 8:12 AM

3 replies

Jan 28, 2021 12:01 PM in response to APJ1990C

You can do this either using Terminal or the GUI. In Terminal you'd use dsconfigad (see man dsconfigad for usage and examples). Something like:

dsconfigad -groups "DOMAIN\domain admins,FOREST\enterprise admins,DOMAIN\desktop techs"

Should do it? Obviously change the above to suit your domain. Using the GUI you'd drill down into Directory Utility's Advanced options:

Click the lock icon, provide the local admin details then click pencil icon and you should see this:

The topmost fields should contain the AD's domain details as well as the Mac client computer's name. Tick the obvious box. You could leave it as it is unless you've arranged your OUs differently in which case browse/add the ones you want.
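The dsconfigad -groups setting above decides which AD groups get local administrator rights on the bound Mac, so it is worth auditing after the fact. The script below is an added example, not code from the thread or from Apple: it parses the output of dsconfigad -show, pulls out the "Allowed admin groups" line (that label is assumed from memory of the command's output), and reports any group that is not on an expected allowlist. The dsconfigad -show text embedded in SAMPLE_SHOW is constructed sample data; the domain names, group names and the audit_live helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit which AD groups a bound Mac
# treats as local administrators by parsing `dsconfigad -show` output.
# SAMPLE_SHOW is constructed sample output; on a real bound Mac use the
# live output instead (see audit_live below).

SAMPLE_SHOW='Active Directory Forest          = example.internal
Active Directory Domain          = corp.example.internal
Computer Account                 = mac-helpdesk-01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = CORP\domain admins,EXAMPLE\enterprise admins,CORP\desktop techs
  Authentication from any domain = Enabled'

# admin_groups OUTPUT
# Prints the groups listed on the "Allowed admin groups" line, one per line,
# with surrounding whitespace trimmed. Prints nothing if the line is absent.
admin_groups() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# unexpected_admin_groups OUTPUT EXPECTED
# EXPECTED is a comma-separated allowlist. Prints each configured admin group
# that is NOT on the allowlist; empty output means no privilege drift.
unexpected_admin_groups() {
    expected=$(printf '%s\n' "$2" | tr ',' '\n')
    admin_groups "$1" | while IFS= read -r g; do
        # -F: fixed string, so the backslash in DOMAIN\group is literal
        printf '%s\n' "$expected" | grep -Fqx -e "$g" || printf '%s\n' "$g"
    done
}

# audit_live EXPECTED
# Runs the same check against the real binding on a macOS host (assumed helper).
audit_live() {
    command -v dsconfigad >/dev/null 2>&1 || {
        echo "dsconfigad not found; run this on the bound Mac" >&2
        return 2
    }
    unexpected_admin_groups "$(dsconfigad -show)" "$1"
}

# Demonstration on the constructed sample: "desktop techs" is not on the
# allowlist, so it is reported as unexpected.
echo "Configured admin groups:"
admin_groups "$SAMPLE_SHOW"
echo "Not on allowlist:"
unexpected_admin_groups "$SAMPLE_SHOW" 'CORP\domain admins,EXAMPLE\enterprise admins'
```

Run it as a periodic check from your management tooling and treat any non-empty "Not on allowlist" output as an alert: an extra group on that line is an extra set of AD accounts that can administer the Mac.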

Jan 30, 2021 3:34 PM in response to APJ1990C

Sorry for the misunderstanding.

Back in the day when Apple had a product called OS X Server and it was what most of us would have said was a ‘proper’ server, it only ever had read-only access to AD.

Over the last 5-6 years Apple have dumbed it down to what you see now. Strangely they’re still calling it a ‘server’ but we all know it isn’t really. At best it’s a management tool or MDM. Sadly and unfortunately not a very good one at that. With that in mind and unless anyone else knows any different, I doubt if its historic read-only ability has changed. If you’re being prompted to change an AD user's password on login then I can’t see how that change can be made/written to a non-LDAP based schema such as AD.

Of course it will always work with a locally created user because that’s how Apple designed it.

What’s wrong with using Safari on a client Mac or IE on a PC to access PM’s web portal with diradmin’s credentials instead? Simpler and with less hassle. Especially true if you’re trying to approach this in a ‘Windows’ way. No need to log into anything, server or otherwise. Again this too, AFAIK, is by design.

Jan 29, 2021 7:24 AM in response to Antonio Rocco

Thanks for the advice. This has been completed already, and my users can access Macs individually; what I am referring to is access to Profile Manager.

As you can see, I have selected myself as an example and attempted to give myself the ability to log onto the OS Profile Manager. When this box is selected I am prompted to change admin creds, which I do not want to do.

This is the part I am having issues with.

If the account is local it will allow me to tick this box with no issue. It's only affecting AD accounts.
