Directory Services Methods

I am at a little stopping point and could use some assistance...

I am configuring remote management for our various systems. I ultimately need to only allow certain users to "ard_interact" on certain machines and other users to "ard_manage" / "ard_admins" on other machines. I.e., I don't want all my editors to be able to interact with my servers.


Ideal would be to set specific "ard_admins / manage / interact" on a certain COMPUTER GROUP.


I have been reading the methods described here:

http://docs.info.apple.com/article.html?path=RemoteDesktop/3.0/en/ARDC55.html


Method 2 has me creating the user groups on OD called "ard_admin..." and so forth. I can then add users to these groups. I can have my editors as "interact", but they would still be able to interact on servers. I have this working fine with just admins...being admins.


BUT, Method 1 would be ideal as it seems to be a way to apply these settings on a computer group basis.


Method 1 shows us to apply the XML data as a new line in the MCXSettings for a computer group. I have been trying this with no success. My steps:

1. Changed the client to allow "Directory Authentication"

--- this worked as I can get method 2 to work.

2. I have NO ard_XXX groups in OD, as to not create confusion.

3. I create an XML, and test the plist with Xcode, that states the different user groups for ard_admins and ard_interact.

4. I open the directory editor (Lion) or inspector in Snow Leopard, locate the computer group in the LDAP, find the existing MCXSettings.

5. I "+" add a value and then paste the XML code in.

6. After reboots, the macs in the group will not let me manage (testing using screen share is easiest).


So...I'm trying to figure out where I went wrong in the past few days or where I misunderstood.

One thing that is very unclear in the documentation is where and which MCXSettings are we supposed to append? Computer Groups, Computer Lists? Forgive my ignorance here as I try these out.


Method 2 will work, but I really need to open it up to my non-admins and get method 1 to work, giving me different ARD settings for different computer groups.


-mt

Posted on Feb 2, 2012 8:27 PM


Feb 4, 2012 1:49 PM in response to mtimmons

AD or OD access to ARD has some limitations. For instance, what happens if your client computer is not recognizing the OD? Perhaps it was just turned on or the binding has failed. What if the date & time is off? What if another client was bound to the OD that had the same KDC?


For kickstart to work it needs to be run on the client computer. If you have a computer that already has ARD access you can send a UNIX command as user root. If you're sending the command as root, you don't need to include sudo at the start of the command.


Or if you have Remote Access enabled on the client you can use the terminal to ssh into the client. (ssh user@computerIP) and then issue the command.

Apple Remote Desktop: Configuring remotely via command line (kickstart):

Additional Information

Tip: For more information about using the kickstart command, add the -help flag. For example:

$ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help



kickstart -help on (10.7.2):


- Use Directory Server accounts for authentication. Users must be a member of one of the ARD directory groups to authenticate.

kickstart -configure -clientopts -setdirlogins -dirlogins yes


-clientopts

-setmenuextra -menuextra yes

-setdirlogins -dirlogins yes

-setdirgroups -dirgroups ardadmin,ardinfo

-setreqperm -reqperm no

-setvnclegacy -vnclegacy yes

-setvncpw -vncpw FB842344CE89E9E9AA99889233864DDA

-setwbem -wbem no


i.e.


sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on


sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups ardadmin,ardcontrol


(ardadmin,ardcontrol are the groups being given ARD access)


sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent

Feb 4, 2012 2:05 PM in response to TeenTitan

Thanks for the help...

I actually tried that...I don't know how you are getting those groups in the -help in 10.7.2 or even 10.6.8.


look:

GVM-ADSK-GTWY:~ root# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help

<oteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups prod_admins

Unknown option: setdirgroups

Unknown option: dirgroups


.....


It seems kickstart does not use those commands anymore.


Any more ideas?
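
The option mismatch in the last reply, handled as a preflight check (an added example, not part of the thread and not Apple's code): it compares the options a command will use against the local `kickstart -help` text and scans kickstart's output for `Unknown option:` lines. The function names and the sample help text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes -help lists every option the
# installed kickstart accepts and that refused options are reported as
# "Unknown option: NAME" lines, as in the output pasted above.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# missing_from_help HELP_TEXT OPT...
# Prints each OPT (for example -setdirgroups) that HELP_TEXT does not mention.
missing_from_help() {
    help_text=$1
    shift
    for opt in "$@"; do
        # -F literal, -w whole word, -e so the leading dash is not read as a grep flag
        printf '%s\n' "$help_text" | grep -qwF -e "$opt" || printf '%s\n' "$opt"
    done
}

# rejected_options OUTPUT
# Prints the option names kickstart refused, one per line.
rejected_options() {
    printf '%s\n' "$1" | sed -n 's/^Unknown option: *//p'
}

# apply_clientopts OPT [VALUE]...   (hypothetical wrapper; run as root on the client)
# Stops before changing anything if an option is absent from -help, and
# fails if kickstart still reports an option as unknown.
apply_clientopts() {
    [ -x "$KICKSTART" ] || { echo "kickstart not found" >&2; return 2; }
    flags=$(printf '%s\n' "$@" | grep -e '^-' || true)
    # $flags is left unquoted on purpose: one option per word
    missing=$(missing_from_help "$("$KICKSTART" -help 2>&1)" $flags)
    [ -z "$missing" ] || { echo "not in -help: $missing" >&2; return 1; }
    out=$("$KICKSTART" -configure -clientopts "$@" 2>&1)
    bad=$(rejected_options "$out")
    [ -z "$bad" ] || { echo "rejected: $bad" >&2; return 1; }
}

# Constructed sample help text (not real kickstart output) for an offline run.
SAMPLE_HELP='-clientopts
 -setmenuextra -menuextra yes
 -setdirlogins -dirlogins yes'
missing_from_help "$SAMPLE_HELP" -setdirlogins -dirlogins -setdirgroups -dirgroups
```

On a client, `apply_clientopts -setdirlogins -dirlogins yes` applies the setting only when the local build advertises both options.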
