
Windows Group Policy and Mac OS X

We are interested in setting up Macs in our Windows-based environment. If we were to bind the Macs into our Domain, would any Windows Group Policies affect the Macs, whether it be the OS or applications installed on the Mac? The Mac clients will have local accounts set up but will authenticate, once logged in, when mapping network shares and printers. I know these are 2 separate platforms but wanted to make sure there were no repercussions.

Mac mini, Mac OS X (10.6.6)

Posted on Feb 25, 2011 8:01 AM


Feb 25, 2011 2:07 PM in response to gbvaler

Hi

Apart from Password Policies there are no other Policies that can be applied out of the box. If you want to manage or provide a controlled user experience you have to look elsewhere.

One way is to extend the AD Schema itself and Baltwo provides links on how to achieve this. This clearly will have repercussions as you will be editing/amending/extending Microsoft's proprietary LDAP Database itself. This is not for everyone and I've only come across one AD Administrator who was prepared to have a go. One thing you have to be aware of if you decide to go this way is the real possibility of an SP Update wiping out everything you've done.

That leaves three or four alternatives. One involves installing 3rd-Party Software on the Windows Server itself. This software usually provides an intermediate layer or proprietary 'stub' LDAP Database that 'maps' common and comparable attributes and values that suit both platforms. Another one involves installing 3rd-Party Software on the Mac itself that achieves the same thing. Yet another way would be to manually map everything yourself. The LDAP Connector built into every Mac client does facilitate this, but it would be an enormous job and would require someone with a deep understanding of both Schemas. You'd still need to download Workgroup Manager to apply Mac-style GPOs if you decided to go this way. Finally you could simply forget managing the Macs and be content with just providing the ability to allow any AD User to log into any bound Mac workstation. The built-in AD Connector allows this to happen straight out of the box. Apple have done some of the relevant mappings for you.

Once logged in, Users will only have read/write access to their own profile. They will only have read-only access to everything else. Even if they wanted to access the Mac equivalent of Control Panels (System Preferences) they would still need access to the local admin account's details to do anything. I know of some sites that have taken this approach. They see it as a means of giving relaxed access to a platform that is not Microsoft-driven.

You should also be aware there is no native support for DFS in the platform at all.

3rd-Party applications for Windows you may want to consider:

http://www.centrify.com/directcontrol/macosx.asp
http://www.likewise.com/

For DFS Support and the ability to provide current AFP support:

http://www.grouplogic.com/products/extremeZ-IP/

None of these are cheap. There are others which you could Google for yourself but these tend to be the ones most go for.

3rd-party for the Mac:

http://www.thursby.com/products/admitmac.html

This does provide DFS Support. There is also the Apple preferred option - OSX Server. OSX Server is initially bound to the AD Domain and then promoted to the Mac equivalent of a DC, but with no option to provide SSO. This is by design as SSO is with Active Directory. Once Mac client workstations are bound to both domains, OSX Server's management application can be used to provide Mac-style GPOs. This is generally referred to as the 'Magic Triangle'. My own preference is AD-OD Integration. OSX Server in this special role simply augments Active Directory as it's only there to provide a means of managing the Mac workstations.

Alternatively you could run two parallel directories. I've done it myself a number of times and it works well provided you're aware of what needs to be done.

Finally you could dispense with all of the above and simply download Workgroup Manager - it's free to download - install it on all the Mac workstations and manage the workstation itself using a locally applied policy. That policy will apply to everyone (local or otherwise) logging onto that workstation.

Two obvious things you should be aware of when contemplating integrating the platform into any Active Directory environment: as ever, DNS has to be perfect, and if your domain is based around .local you will have problems of some sort sooner or later. As usual your mileage may vary.

HTH?

Tony
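As an added example, not part of the thread or of Tony's reply: a PowerShell inventory run from the Windows side that shows what a bound Mac does and does not receive from Active Directory. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin machine, assumes that Apple's AD connector stamps the computer object's operatingSystem attributes, and uses the class and attribute names from Apple's published AD schema extension (apple-user, apple-computer, apple-mcxsettings, and so on) as the marker for "the schema has been extended"; all of those are assumptions to verify against your own forest, not facts from the original post.

```powershell
# Added example (not from the original post): AD-side inventory of what a
# domain-bound Mac actually gets from Active Directory.
# Assumptions: ActiveDirectory + GroupPolicy modules (RSAT / Server 2008 R2+),
# Apple's AD connector populating operatingSystem on its computer object,
# and Apple's schema-extension names for the MCX classes/attribute.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Macs bound with Apple's built-in AD connector. The connector writes
#    operatingSystem / operatingSystemVersion on the computer object, so the
#    Macs stand out from Windows clients (assumption about plugin behaviour).
$macs = Get-ADComputer -Filter 'operatingSystem -like "Mac OS X*"' `
            -Properties operatingSystem, operatingSystemVersion, DistinguishedName
$macs | Select-Object Name, operatingSystem, operatingSystemVersion, DistinguishedName |
    Format-Table -AutoSize

# 2. Has the schema been extended for Mac management (the "extend the AD
#    Schema" option)? A stock AD schema has none of these objects; if they
#    are present, MCX settings can be stored directly in AD.
$appleClasses = 'apple-user', 'apple-computer', 'apple-computer-list', 'apple-group'
foreach ($name in $appleClasses) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$name'" `
               -ErrorAction SilentlyContinue
    if ($obj) { "schema: class $name present" } else { "schema: class $name absent (stock schema)" }
}
$mcxAttr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'apple-mcxsettings'" `
               -ErrorAction SilentlyContinue
if ($mcxAttr) { 'schema: attribute apple-mcxsettings present' }
else          { 'schema: attribute apple-mcxsettings absent (stock schema)' }

# 3. The one policy the Mac does honour out of the box: the domain password
#    policy, enforced by the AD plugin at login and password change.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, ComplexityEnabled

# 4. GPOs linked to the containers holding the Macs. Listed only to show what
#    is NOT applied: the Mac has no Group Policy client, so none of these
#    settings ever reach it, however many are linked or enforced.
$macs | ForEach-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    Sort-Object -Unique |
    ForEach-Object {
        $container = $_
        (Get-GPInheritance -Target $container).GpoLinks |
            Select-Object @{ n = 'Container'; e = { $container } }, DisplayName, Enabled, Enforced
    }
```

Run it as a domain admin with RSAT installed. Section 2 returning "absent" for every name is the "out of the box" case described in the reply, where only the password policy in section 3 has any effect on the Mac; the GPO links in section 4 are the same whether or not Macs sit in those OUs, because nothing on the Mac evaluates them. The Mac-side counterpart is to run `dsconfigad -show` to confirm the binding and `mcxquery -user <name>` to see which managed preferences (if any) an AD user actually receives.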

