Populate users from Active Directory to Open Directory

I upload a better version of the picture here:

Ah, I see that I posted to the wrong group. Should have been "OS X Server".

I am not authorized to move it to "OS X Server".

Hi Antonio,

Answer to your questions:

1. The employee on the Macbook is an existing user in Active Directory.

2. The Macbook is not (not yet) a registered Computer in Active Directory. And it is not bound to AD. Under Preferences-->Users&Groups-->Login Options, I only have the Open Directory registered as a Network Account Server, not AD.

Thanks again for your reply.

(A little background about the company so you get the picture: for years, the few, but now quickly increasing, OS X users, "have been on their own". IT helps them purchase the computers, but the users are on their own after that. IT is only concerned with Windows images and PCs. So the OS X users are creating local administrator accounts, not integrated with AD, not having home folders or printer access. Most OS X users have a corporate Windows VM on their OS X they fire up if they need SharePoint, printer or other corporate stuff. It's time to put an end to that. But we must try to do it smoothly - the users must keep their local admin rights and freedom.

We shall implement an Mobile Device Management (MDM) solution to push the Open Directory profile to the MacBooks.

I picture that in the login window, the existing OS X users, after MDM enrollment, will get the grey "Other" icon on the right, inviting them to login with their AD credentials.

And here "the new story starts", where they have access to corporate resources like printers, home folders, SharePoint and all the stuff they need, without use of the corporate Windows in the VM.

They might need to move their stuff from their previous local account to their new account.)

First one question: does the machine querying AD, has to be registered as a Computer in AD to retrieve response from AD?

In that case: if we register the name of the Macs in AD beforehand (or under MDM enrollment), will the registered AD user be able to authenticate from the registered Computer(Macbook) afterwards?

What we did to get OD response with the "id" command: We pushed an Open Directory/LDAP profile to the Macbook via MDM. That is how we bound the machine to Open Directory. But we did not log on to the Macbook with the Open Directory credentials, only with the existing local account. But since it was bound to OD via the MDM profile, and we did the "id" command for a "Local Network Account" registered on that OD, we got a response.

That said, we have also tried to go to the login window, and the grey "Other" icon appears to the right of the local users registered.

Scenario A: We entered the OD registered user ID (different from the locally registered IDs on the Macbook) - and we got a successful login.

Scenario B: We entered an AD registered user ID, but the login was unsuccessful. Maybe because the Computer name is not registered in AD?

I shall try to get the Macbook we are testing with, registered into Computers in AD.

Hi,

Antonio is correct. My setup as described, won't work.

I misunderstood the setup. I thought OD could be a relay between the clients and AD.

In a setup where we shall utilize features delivered from OS X server, we must set it up as is described under "the golden triangle". And in a triangle, each node is connected to two others. So the OS X client must be bound both to the OD server and to the AD server.

When I configured the AD directory server (in addition to the existing OD), things started to fall in place: access to home folder, printers and such, delivered from AD.

And Antonio, you are right: I do not really need the OD server since I configure the OS X clients from AirWatch.