
What is the risk for my Active Directory when you make a magic triangle?

Hi, hello


I want to know that because I need to install a Lion server in my company, on the production server.


Now I have made a magic triangle in my lab; I haven't noticed a problem with my AD.


1) What's the risk for my AD when I make a magic triangle?


2) Does the Directory Administrator (diradmin) of Open Directory need rights in the Active Directory to manage Mac OS X clients? If yes, what rights?


3) Can you confirm this for me: when I want to manage Mac users, I need to create a local group in the Open Directory, "MacUsers", and in this group I add users from the AD. Is that right? I want to be sure of what I do...


4) For the Mac computer account registered in my AD, what can I do?


5) For MCX, do I apply the preferences to the Users or to the Computer?


Thank you for your help

Xserve, Mac OS X (10.7.4), lion server

Posted on Jul 19, 2012 1:33 PM

4 replies

Jul 19, 2012 1:48 PM in response to Malik-O

Hi


Q1 - There is no risk. Any Mac (Client or Server) bound to AD has read only access.


Q2 - If all you want is AD-OD Integration diradmin needs no rights at all. However depending on what you want to do exactly or how you want to organise the integration you may want to create the account in AD and use it to 'bind' mac workstations to the domain.


Q3 - I would always create a group in the LDAP node and nest AD Users or Groups within that group. This is the "method" that most of us experienced in doing this over the years use.


Q4 - There is nothing you can do or need do. You could of course delete it from the Computers OU if you want to but what would be the point of that?


Q5 - You can't apply MCX to AD Users directly. Remember you have read only access. You could explore Augmented Records if you wish but in a 'classic' AD-OD Integration there would not be much point IMO? If it was me I would apply MCX to the OD Group you nested your AD Users and/or Groups within.


You could of course simply apply MCX to the mac workstations and they would work equally as well.


You should be aware that Apple are deprecating MCX in favour of Profile Management. In an all 10.7 environment you should be using Profile Manager and not WorkGroup Manager. In a mixed OS environment you should be using WorkGroup Manager.


HTH?


Tony

Jul 19, 2012 2:27 PM in response to Antonio Rocco

Hi


Thank you for your reply


Q1 : OK

Q2 : OK

Q3: Can you explain it to me step by step? When you say "create LDAP node", what exactly is that? A group in the Open Directory? Is that what I have done??


I have created a group named "MacUsers" with the Server application, and in this group I have imported "Users" from AD. Is that the same plan as yours?


Q4 : OK


Q5: When I apply my MCX, I apply it to the group named "MacUsers" with the list of users imported from AD inside. Is that good? Please give me tips.


And to finish, I don't understand when you say Apple is deprecating MCX in favour of Profile Management??

What's that ?


Profile Manager: is that managing computers with the Profile Manager application installed by default in Lion Server??? With the MDM certificate?


Workgroup Manager: is that managing computers with the admin tools (you need to download these)? I use that to manage the preferences of computers; is that no good???


I have never used Profile Manager yet. Is it good? Can I push MCX to the Mac clients?


Thanks

Jul 20, 2012 3:36 AM in response to Malik-O

Hi


Q3 - You create a shared directory (the LDAP node) when you promote the Server to an Open Directory Master Role. Judging by what you're saying you've already done this. The Users and/or Groups you're creating after promotion will be in the shared directory (the LDAP node). You can tell which node Users and/or Groups are in by simply looking at them in the Server App. If they have a small blue globe icon on their right shoulder they will be in the LDAP node. If they don't they will be local users and not in the shared directory (the LDAP node).


To view them in WorkGroup Manager, launch the application and authenticate using the Directory Administrator account. Above the main interface window you should see a small blue globe. The shared directory will be listed by the side of this icon as: Viewing Directory: /LDAPv3/127.0.0.1 etc.


Q5 - MCX (Managed Client X) is Apple's equivalent to GPOs (Global Policy Objects). If you're familiar with Active Directory you'll know what this means.


Deprecation means "not using anymore". In other words you should not be using WorkGroup Manager to apply mac-style GPOs. You should be using Profile Manager instead. Profile Manager is the 'new' way to apply mac-style GPOs.


Profile Manager is part of Lion Server. It's also known as the MDM Server (Mobile Device Management Server).


It's up to you to decide what is good for your environment and needs. In some situations I'll use both and possibly augment them with Apple Configurator and Apple Remote Desktop. Then again in other situations I'll use other numerous 3rd-Party tools available.


HTH?


Tony
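An added check for the setup described in Q3 above (this is example code, not something posted in the thread or shipped by Apple): it parses the "Attribute: value" output that `dscl -read` prints to confirm that the "MacUsers" group lives in the shared LDAP node (`/LDAPv3/127.0.0.1`) and to count how many of its members resolve from the Active Directory node rather than the local node. The record text embedded below is constructed sample data in dscl's format, the domain name `EXAMPLE` is a placeholder, and the user names are invented; the live commands a Mac bound to both nodes would run are listed in the comments but are not executed here.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies the AD-OD "magic triangle"
# group layout: an OD group in the LDAP node whose members come from AD.
# Live equivalents on a bound Mac (NOT run by this script):
#   dscl /LDAPv3/127.0.0.1 -read /Groups/MacUsers
#   dscl /Search -read /Users/jdoe AppleMetaNodeLocation

# Extract AppleMetaNodeLocation (the directory node a record was read from).
meta_node() {
  printf '%s\n' "$1" | awk -F': ' '$1 == "AppleMetaNodeLocation" { print $2 }'
}

# List the short names in GroupMembership, one per line.
group_members() {
  printf '%s\n' "$1" | awk -F': ' '
    $1 == "GroupMembership" { n = split($2, m, " "); for (i = 1; i <= n; i++) print m[i] }'
}

# CONSTRUCTED sample of the OD group created in Server.app / Workgroup Manager.
MACUSERS_RECORD='AppleMetaNodeLocation: /LDAPv3/127.0.0.1
RecordName: MacUsers
GroupMembership: jdoe asmith localadmin
PrimaryGroupID: 1025'

# CONSTRUCTED stand-in for `dscl /Search -read /Users/<name> AppleMetaNodeLocation`.
# EXAMPLE is a placeholder domain; names are invented.
user_record() {
  case "$1" in
    jdoe|asmith) printf 'AppleMetaNodeLocation: /Active Directory/EXAMPLE/All Domains\n' ;;
    localadmin)  printf 'AppleMetaNodeLocation: /Local/Default\n' ;;
    *)           printf '' ;;
  esac
}

# Count group members whose record resolves from the Active Directory node.
ad_member_count() {
  count=0
  for m in $(group_members "$1"); do
    case "$(meta_node "$(user_record "$m")")" in
      "/Active Directory/"*) count=$((count + 1)) ;;
    esac
  done
  echo "$count"
}

# Overall check: the group must be in the LDAP node (so MCX applied to it is
# served by OD); report how many members are AD accounts nested into it.
check_triangle() {
  node=$(meta_node "$1")
  if [ "$node" != "/LDAPv3/127.0.0.1" ]; then
    echo "group is in '$node', not the shared LDAP node"
    return 1
  fi
  echo "group in LDAP node; $(ad_member_count "$1") AD member(s), remainder local"
}

check_triangle "$MACUSERS_RECORD"
```

To use it against a real server, replace the two constructed records with the output of the `dscl` commands in the comments; a group that reports a node other than `/LDAPv3/127.0.0.1` is a local group, which is exactly the case Tony's "blue globe" test is meant to catch.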
