
Lion Server, Profile Manager and Active Directory Users/Groups

I have managed to get Profile Manager working and have enrolled a number of iOS devices using AD user accounts. The devices appear with the correct name of the user that enrolled them.


On Friday the Users tab of the Profile Manager webpage suddenly displayed the list of AD users that had enrolled the devices. I got very excited and then the users disappeared when I refreshed the webpage. Now they are gone forever . . . . . 😢 😟


The Groups pane only lists members for the OD Groups. All of the AD Groups appear as No Members.



The Lion Server is successfully bound to the AD Domain and I have extended the Forest with the Apple Schema change.


I can interact with AD Users using Workgroup Manager and the Directory Utility, however all of the AD Groups have no members.


I really need to be able to apply profiles to AD User Groups, but until the Lion Server sees the members it's never going to work . . . .


Any ideas ?


Phil

Mac mini, Mac OS X (10.7.3)

Posted on Apr 23, 2012 7:15 AM

14 replies

Apr 24, 2012 12:53 AM in response to LeicHIS

Bit of an update . . . .


I have noticed that users appear in the Users list within Profile Manager after they enrol a device. I can then apply a profile to the user account and the settings appear on the device. All good . . .


However, if I log out of Profile Manager and log back in again, the new users have disappeared. The profile assigned to the user remains on the device and the task to push the User profile is still in the Completed Tasks list.


I still have no members of AD groups within Workgroup Manager.


Phil

May 25, 2012 9:59 AM in response to LeicHIS

I have run into these same issues. I have a friend who has a Profile Manager server working much differently.


For his server, when he goes to Users or Groups it doesn't show a list; it just shows "Search for Users" or "Search for Groups" and allows him to search Active Directory for both users and groups, even if the users have never enrolled a device with the server.


I haven't been able to figure out how his server is working that way and he hasn't been able to remember it at the moment. He thinks a lot of it is due to the size and number of groups in their AD structure, but I'm not sure.


A lot of the other things with this server also seem to relate to the order in which you did various steps during setup. I'm not sure I've ever worked with a Server OS that is as quirky as Lion Server has been while trying to set up Profile Manager...

Jun 1, 2012 11:04 AM in response to Salvador G

The same bug is still in 10.7.4


It is unfortunate that Profile Manager/OS X can't see the members of an AD group. Configuring a management profile on an AD group works great for the initial enrollment, but in my testing, making a change to the settings for an AD group doesn't cause those settings to be pushed out to the members of that group. I believe this is because the group is seen as having no members, so it only works during the enrollment. This pretty much makes settings configured on Domain groups useless unless you never plan to change them...


Due to these domain groups issues and due to the disappearing users I have given up on a lot of how I was hoping to manage the server. I now manage settings through groups created in the server app on OS X, and to circumvent the disappearing users issue I have to manually import users from AD into the users section of the Server App.


This seems to work well enough and is the best way I have figured out.


Ian

Aug 8, 2012 1:40 PM in response to LeicHIS

Having the same issue. Using a 10.8 server.


Just got Profile Manager to join devices. However, I don't see any users in Profile Manager besides the local admin and the OD Admin.

In the server app I can see the AD users. They are listed differently than in the 10.7.3-4 server app and there doesn't appear to be an option to import users.


It would be ideal to be able to add AD users to Profile Manager so they can enroll their devices. Or records can be kept based on whose devices they are.

Sep 11, 2012 11:53 PM in response to LeicHIS

Apple's AD integration has been terrible, especially with the release of Lion. I submitted a bug that affects network map parent folders well over a year ago and they have not fixed it four releases later. The best solution that I have found for me is this.


1. Unbind your server from AD

2. Download Centrify Express

3. Use Centrify ADJoin to bind your server back to your AD

4. Open Server.app and click Manage>Connect to a directory server (or something similar)

5. Import your user groups like you would normally.


This time your server should behave correctly. I gave up on Apple's AD integration a long time ago. Centrify has more vested interest in maintaining their product.
