Modify Active Directory users and groups from macOS Server

I've been trying to set up Server to handle the info from Active Directory a million ways, but I can't seem to make it work. Whenever I edit anything, or not even edit, but open a user's properties page and click OK instead of Cancel, it'll ask me for the domain admin password, which I know (I am it), but it won't accept it.


If I type it correctly it will tell me the user is not an administrator on that node. If I type in something random in the box it'll just shake it off as wrong.




I like to make small edits to users without having to go back and forth to a domain controller. Is this even possible, or am I just wasting my time? It must be; otherwise I shouldn't even have options for editing properties of items hosted on another server, right?


I thought about trying to set up a copy of the AD userbase in Open Directory, but at password-changing time it'd be a nightmare changing two passwords; my users complain a lot as it is already.


If you could shed some light on this I'd be forever grateful. I've been searching nonstop about this for almost a month now, but everyone talks about the big picture, the end result, and skips management. Even the Apple white papers.


Thanks again.


I'm on Sierra, BTW. AD is on Windows Server 2012 R2. Funny thing, I don't have any Windows computers other than the server farm, but OS X/macOS OD has proven to be unreliable as a directory service.

Posted on Dec 31, 2016 4:15 AM

10 replies

Jan 6, 2017 10:15 AM in response to IT_batman

Thank you, that's a very nice read, but my goal is to be able to figure out the user capable of editing AD right from Server.app. Using a web browser is not much different from just having an RDP window into a domain controller.


I noticed that the path in Server.app when authenticating to AD has the short domain name (the NetBIOS name) in lowercase. I also noticed that when first binding macOS to a domain, this also appears in lowercase in System Preferences; in Directory Utility a second identical search path is created, only changing the lowercase short domain name to the uppercase one, although it is not automatically selected. I have to manually select it. It is only then that the uppercase short domain name becomes available in System Preferences, if ever.




For a minute there I thought it was a DNS issue, but I have checked my DNS servers a million times and everything's fine; Windows computers and even server variants of Linux computers have no issues binding, so that rules out DNS as a possible cause.


Before switching to Active Directory I was using Synology's Directory Server, which is supposed to be 100% compatible with macOS's, but still, I had the exact same issue; I finally gave up, unable to edit the directory.

Jan 9, 2017 5:40 PM in response to VitaPrimo®

It does indeed seem to be the case that Apple do not give you write access to an AD domain. See this slightly older post: Re: Active Directory on Mac


Note: I regard Strontium80 as a knowledgeable person in this area based on his other previous posts and the fact that he is a member of the Apple Consortium Network.


Not that it helps, but you can edit an LDAP directory from a Mac, e.g. OpenLDAP on Linux.


I would not expect it to work, for the same reasons, but if you want to try another Apple-based solution then try using Workgroup Manager. While you cannot run the installer for Workgroup Manager in Sierra, you can copy the last version of Workgroup Manager to a Sierra-based Mac and run it.


Perhaps taking things to an absurd level, there is an iPhone app that does let you do some basic Active Directory administration without the need to remote-control a real Windows session. See https://itunes.apple.com/gb/app/active-directory-assist/id528953910?mt=8

Jan 2, 2017 5:37 AM in response to VitaPrimo®

" . . . It'll ask me for the domain admin password which I know, I am it, but it won't accept it."


It won't accept the password for OD (if that's the one you're trying to use) because it requires your Domain Controller's password instead. That's because you're trying to edit the user database in Active Directory from a foreign OS.


"I like to make small edits to users without have to me going back and forth to a domain controller . . . is this even possible?"


When viewing the Active Directory node on OS X (it makes no difference if it's OS X Server or not) you have read-only access. This has always been the case. If you want to make changes to data in Active Directory (users, groups, etc.) you have to use the tools Microsoft provide, which will be available on your DC, etc.

Jan 6, 2017 9:33 AM in response to Antonio Rocco

No I wasn't. I was using the AD DC credentials, not the Open Directory credentials.


I delegated full administrative permissions to the macOS Server computer so it could edit AD. Then again, if it's asking me for the AD admin, this should suffice so Server.app is able to edit basic stuff. I don't know anymore, I'm getting desperate.


Thanks anyway for your help!

Jan 6, 2017 11:52 AM in response to VitaPrimo®

"I was using the AD DC credentials, not the Open Directory credentials"


Makes no difference, as it still won't work. You only get read-only access when viewing AD users and groups using the Server.App.


"I gave the delegated full administrative permissions to the macOS Server computer so it could edit AD."


Makes no difference. You still get read-only access to AD from the Server.App.


"Then again, if it's asking me for the AD admin this should suffice . . ."


No it won't. It's still read-only access.


" . . . so Server.app is able to edit basic stuff"


No it won't. It's still read-only access.


"I don't know anymore, I'm getting desperate."


If you haven't got the message by now, stop using Server.App to edit information in Active Directory. It won't work. Use the tools Microsoft provide to stop your desperation.


"Thanks anyway for your help!"


You're welcome!

Jan 9, 2017 5:59 PM in response to John Lockwood

Thanks, this is the most helpful answer I've found. I thought of Workgroup Manager before, but there was the Sierra limitation, till now. This is a great tip, thanks.


I did have the iOS app but, except for the directory service, my network is all Apple, so I thought, why not manage directly from "Apple"? It makes sense. That's why I use Macs; they're more or less frustration-free.


Remote Desktop Services' RemoteApps makes it easy(-ier) to work with some stuff, such as the things you work on every day when you're just setting up the network, like DHCP, DNS and AD Users and Groups, but there's the whole ctrl/cmd, alt/opt switch; it makes the most keyboard-centric users nuts. Even if you're working within the same desktop it's not really the same environment. Nothing would beat just adding a user or moving it within the directory directly in Server.app.


Thanks!

Apr 7, 2017 10:23 AM in response to VitaPrimo®

I have this problem on about 8 systems. Interesting note: this has only been an issue since the upgrade to Server 5.x. I have several systems running 3.x and 4.x, and I can give Active Directory users permissions on those systems. As well, if I upgrade from v4 to 5 it carries over the Active Directory user settings from the previous version, but you cannot change any of them. This leads me to believe that the file that contains the records of these changes is locked with the new version of the OS. Where this file is is a mystery.
