
Good morning friends,

For those of you that are in a mixed Mac and PC environment, how do you manage your Macs as far as desktop policy is concerned? Are you using a tool that ties into AD, using Apple's OD or something else?

Respectfully,

Mark Scott
VP of Innovation and Technology, CTO
Freed-Hardeman University | 158 E. Main St. | Henderson, TN 38340
731-989-6002 | mscott@fhu.edu | Twitter: http://twitter.com/m_scott

Cyber Security Awareness - FHU Online Safety
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We struggle with Macs on our AD domain as well, so I would be very interested in responses to this question.
Thanks!
Brian

Brian Miller
V.P. Information Technology Services & CIO
Davenport University
6191 Kraft Ave. SE / Broadmoor Suite 270
Grand Rapids, MI 49512
p. 616.732.1195 | c. 616-821-2618
brian.miller@davenport.edu

Follow us on Twitter: https://twitter.com/DavenportU
Rate my Customer Service: http://great.davenport.edu/



We have just started using policy manager and ARD to some extent to manage the Mac environment similar to our PC environment.  We are also in the process of updating all of our Mac clients that we are able to upgrade to 10.8.2 and binding them to AD from login. 

 

 

Chris Steele
Technical Services Analyst, Information Technology

Angelo State University

Member, Texas Tech University System

ASU Station #11020

San Angelo, TX 76909-1021

Phone: (325) 486-6204  

csteele@angelo.edu

 

 

 

 

Hello All,

If this is needed to get the job done, then that cost will go to UCF and not Valencia. I would say, make it part of the quote.

 

Thanks,

Bruce

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Miller
Sent: Thursday, November 15, 2012 9:22 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Macs and AD

 

We struggle with Macs on our AD domain as well, so I would be very interested in responses to this question.

Thanks!

Brian


Brian Miller
V.P. Information Technology Services & CIO
Davenport University

6191 Kraft Ave. SE / Broadmoor Suite 270

Grand Rapids, MI 49512
p. 616.732.1195 | c. 616-821-2618
brian.miller@davenport.edu

 

Follow us on Twitter: https://twitter.com/DavenportU

Rate my Customer Service: http://great.davenport.edu/



Hello

We have the same issue. We love to learn what others are doing.

 




We just looked at a product called Centrify, which was very interesting.  You can do it yourself by extending the AD schema and using Open Directory.  There is also a good product called ADmitMac.  We are looking at a product called Kanaka, but it's limited in what it can do with policy.

Darrell Lutey
Assistant Director, 702-895-0763
Office of Information Technology, UNLV
CBC B129 / Mail Stop 7040
http://oit.unlv.edu  |  Twitter@unlv_oit
IT Help Desk: 702-895-0777




From:        Mohamed Elhindi <melhindi@UWLAX.EDU>
To:        CIO@LISTSERV.EDUCAUSE.EDU
Date:        11/15/2012 07:04 AM
Subject:        Re: [CIO] Macs and AD
Sent by:        The EDUCAUSE CIO Constituent Group Listserv <CIO@LISTSERV.EDUCAUSE.EDU>



Hello
We have the same issue. We love to learn what others are doing.
 


Chip, if you wanted to pass something along to the CIO list:

At UW-Eau Claire we have been binding our Mac computers to AD with the native Directory tools built into OS X since at least Panther. At the time we also had made use of UNIX attributes within AD to derive home directory path and preferred shell, as well as provide other basic information. The first few versions of OS X that could bind to AD were not fun to work with in many respects and had lots of bugginess. Because our users have Windows Server-based home directories, it is nice that they mount for them at login automatically.

Since Leopard, AD integration has become much better, and at this point we do not really utilize any of the UNIX attributes within AD, just the standard ones available for home directory and other information. At the time of binding a system we also ensure we set the AD group(s) that should have administrative rights to the computer, which allows us to maintain the information for our local management account to a few key people in the event AD fails, which is rare. To make an individual AD account an admin requires them to have logged in once and then go into the Users System Preferences pane to enable them as an administrator the next time they log in, as the AD plug-in only handles AD groups.

Binding a Mac to AD can be done by hand fairly easily through the Directory Utility GUI in recent versions of OS X, or it can be scripted to use the underlying command line utility that does the work for Directory Utility. In our case we have the AD bindings predefined within our JAMF Software Server for Mac management (part of the JAMF Casper Suite) and at the time we image the Mac it also binds it to AD. However, we can also use those same bindings to remotely bind a Mac that's in our JSS management system to AD if it has been removed from AD for some reason.

Other things that have caused issues related to AD are that if the computer bound to AD cannot talk to an AD server, and user accounts are not created as Mobile Accounts, the user will not be able to log in if AD is not available. If AD is not available, the AD groups that are set as administrators will not be treated as administrators. Those accounts designated as an administrator via an AD group within the AD bindings always require AD to be present to have those rights unless that individual user gets set as admin locally. In dual-boot scenarios the Windows side handles the system clock differently than how OS X handles it, and if you don't make changes to how it reads the computer's own system clock it will change its time. What happens is you then get a 6 hour skew from GMT, and if your tolerance for AD is only a 5 minute skew no user will be allowed to log in to the Mac when you go back from the Windows side.
 
 
Chip Eckardt
CIO
UW-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
eckardpp@uwec.edu
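
The scripted bind and the clock-skew lockout described in the post above, as an added example that is not part of the original message or of UW-Eau Claire's tooling: it prints the `dsconfigad` commands (the command-line tool behind Directory Utility's AD plug-in) for a bind as a dry run, and checks a clock offset against the 5 minute tolerance. The domain, OU, group names, computer name and timestamps are constructed placeholders, and the UTC-6 site offset is an assumption chosen to match the 6 hour skew.

```shell
#!/bin/sh
# Added example, not from the thread. Domain, OU and group names are
# hypothetical placeholders; nothing here executes dsconfigad by itself.

AD_DOMAIN="ad.example.edu"
AD_OU="OU=Macs,DC=ad,DC=example,DC=edu"
AD_ADMIN_GROUPS='EXAMPLE\Mac Admins,EXAMPLE\Desktop Support'
MAX_SKEW_SECONDS=300   # the 5 minute tolerance mentioned in the post

# Print the dsconfigad invocations for a bind, one per line (dry run).
# No -password is passed: dsconfigad then prompts for it, so the bind
# credential never lands in the script, shell history or process list.
bind_plan() {
    computer="$1"; bind_user="$2"
    case "$computer" in
        ''|*[!A-Za-z0-9-]*) echo "invalid computer name" >&2; return 1 ;;
    esac
    # Computer account names are limited to 15 characters (NetBIOS limit).
    [ "${#computer}" -le 15 ] || { echo "name longer than 15 chars" >&2; return 1; }
    printf 'dsconfigad -add "%s" -computer "%s" -username "%s" -ou "%s"\n' \
        "$AD_DOMAIN" "$computer" "$bind_user" "$AD_OU"
    # AD groups granted local admin rights; only honoured while AD is reachable.
    printf 'dsconfigad -groups "%s"\n' "$AD_ADMIN_GROUPS"
    # Mobile accounts cache credentials so users can still log in when AD is down.
    printf 'dsconfigad -mobile enable -mobileconfirm disable\n'
}

# Absolute difference between two epoch timestamps, in seconds.
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# Exit status 0 when the local clock is within tolerance of the reference clock.
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW_SECONDS" ]
}

# Skew produced when one OS leaves local time in the hardware clock and the
# other reads it as UTC (Windows defaults to local time, OS X expects UTC).
# Argument: the site's UTC offset in hours, e.g. -6.
rtc_misread_skew() {
    skew_seconds 0 $(( $1 * 3600 ))
}

# Preflight before a bind or login: compare local and reference epochs.
# In production the reference time would come from a DC or NTP source.
preflight() {
    local_epoch="$1"; dc_epoch="$2"
    s=$(skew_seconds "$local_epoch" "$dc_epoch")
    if skew_ok "$local_epoch" "$dc_epoch"; then
        echo "OK skew=${s}s"
    else
        echo "FAIL skew=${s}s exceeds ${MAX_SKEW_SECONDS}s: fix the clock before login"
        return 1
    fi
}

# Demo with constructed values: a dual-boot Mac at a UTC-6 site that was
# just restarted from the Windows side.
DC_EPOCH=1353000000
bind_plan "LAB-MAC-01" "binduser"
preflight $(( DC_EPOCH - $(rtc_misread_skew -6) )) "$DC_EPOCH" || true
```

Running `dsconfigad -show` on a bound Mac lists the resulting settings, which makes it easy to confirm the admin groups and mobile-account options took effect.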
 



From our tech staff:

We had started out by using Centrify but discovered that it contained too many issues to handle.  When installing Centrify we would follow the same setup instructions on 10 similar Macs (MacBook Pro with OS X 10.6) and would be given 10 different outcomes.  When installing it on the presidents' secretaries' computers, one installed perfectly and the other (following the same install steps) took 2 hours of troubleshooting.  Once we had Centrify installed, only some of the group policies set would be applied and would disappear at random.  We have recently moved away from Centrify and are now looking into using Apple's OD to join the domain and software called Puppet to manage the Mac computers.  Puppet is open source software and can be used to manage Linux, Mac OS X, and Windows computers/servers.  If you would like more information on Puppet please see the following link (http://puppetlabs.com/).

Theresa

Chip... This is very useful information. We are just about to set up a Mac server for Open Directory to handle binding Macs to our new AD. Seems as if we may not need that. I'll have that looked at again. Can we contact you with questions?

Mike Meyer
Chief Information Officer
Honolulu Community College
University of Hawaii
808.844.2308

On Nov 16, 2012, at 4:19 AM, "Eckardt, Chip" <eckardpp@UWEC.EDU> wrote:

Chip, if you wanted to pass something along to the CIO list:

At UW-Eau Claire we have been binding our Mac computers to AD with the native Directory tools built into OS X since at least Panther. At the time we also had made use of UNIX attributes within AD to derive home directory path and preferred shell, as well as provide other basic information. The first few versions of OS X that could bind to AD were not fun to work with in many respects and had lots of bugginess. Because our users have Windows Server-based home directories, it is nice that they mount for them at login automatically.

Since Leopard, AD integration has become much better, and at this point we do not really utilize any of the UNIX attributes within AD, just the standard ones available for home directory and other information. At the time of binding a system we also ensure we set the AD group(s) that should have administrative rights to the computer, which allows us to maintain the information for our local management account to a few key people in the event AD fails, which is rare. To make an individual AD account an admin requires them to have logged in once and then go into the Users System Preferences pane to enable them as an administrator the next time they log in, as the AD plug-in only handles AD groups.

Binding a Mac to AD can be done by hand fairly easily through the Directory Utility GUI in recent versions of OS X, or it can be scripted to use the underlying command line utility that does the work for Directory Utility. In our case we have the AD bindings predefined within our JAMF Software Server for Mac management (part of the JAMF Casper Suite) and at the time we image the Mac it also binds it to AD. However, we can also use those same bindings to remotely bind a Mac that's in our JSS management system to AD if it has been removed from AD for some reason.

Other things that have caused issues related to AD are that if the computer bound to AD cannot talk to an AD server, and user accounts are not created as Mobile Accounts, the user will not be able to log in if AD is not available. If AD is not available, the AD groups that are set as administrators will not be treated as administrators. Those accounts designated as an administrator via an AD group within the AD bindings always require AD to be present to have those rights unless that individual user gets set as admin locally. In dual-boot scenarios the Windows side handles the system clock differently than how OS X handles it, and if you don't make changes to how it reads the computer's own system clock it will change its time. What happens is you then get a 6 hour skew from GMT, and if your tolerance for AD is only a 5 minute skew no user will be allowed to log in to the Mac when you go back from the Windows side.
 
 
Chip Eckardt
CIO
UW-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
eckardpp@uwec.edu
 



Craig Ernst ernstcs@uwec.edu  would be the one to contact.  He is our Mac expert.  My posting was an email response that Craig wrote.  Craig did not have rights to email the listserv so he sent the reply to me.

 

Chip

Chip Eckardt
CIO
University of Wisconsin-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
Phone 715-836-4636 ext. 362381
eckardpp@uwec.edu

 

 

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Meyer
Sent: Friday, November 16, 2012 9:47 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Macs and AD

 

Chip... This is very useful information. We are just about to set up a Mac server for Open Directory to handle binding Macs to our new AD. Seems as if we may not need that. I'll have that looked at again. Can we contact you with questions?

 

Mike Meyer

Chief Information Officer

Honolulu Community College

University of Hawaii

808.844.2308



 

We've tried the "golden triangle" that Apple recommends, which includes their Open Directory, but without much success.  We had hoped to find a better solution for mounting network drives automatically (for example) instead of doing it manually for each user on each machine, but found that those mounts break just as often, requiring reboots, etc.  The biggest problem we have had is that the Apple server locks up fairly often.  Anyone who boots up their machine during that time logs on and has a blank desktop, no dock, no anything.  I'm ready to ditch Open Directory and the Mac server and go back to doing things manually, but then our Apple population is rather small.


Richard Hiers
Director of IT Services
Covenant Theological Seminary
314.392.4111, option 4

 

IT Services will NEVER ask for your password via Email or phone!






We join to AD and then use Profile Manager for policy and management on the computer account. Just beware that Profile Manager has become corrupted for us in the past. Make sure you set up Time Machine to back up to the second drive if you are using a Mac Mini “Server”.  Feel free to contact me off list if you want to know more.

 

 

_____________________________________

Tim Cappalli | Asst. Network Administrator

+1 (802) 424-0550 | cappalli@lyndonstate.edu

Office of Information Technology (OIT)

Lyndon State College

oit.lyndonstate.edu | @LyndonOIT

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eckardt, Chip
Sent: Friday, November 16, 2012 1:42 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Macs and AD

 

Craig Ernst ernstcs@uwec.edu  would be the one to contact.  He is our Mac expert.  My posting was an email response that Craig wrote.  Craig did not have rights to email the listserv so he sent the reply to me.

 

Chip

Chip Eckardt
CIO
University of Wisconsin-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
Phone 715-836-4636 ext. 362381
eckardpp@uwec.edu

 

 

 


 

We are fairly new to this, having spent the last several years concentrating on our much larger installed base of Windows. In the few months we have begun joining Macs (Lion and forward) to our AD using native tools. For management, policy, patching, inventory, etc., we are prepping to use the Casper tools from JAMF and will start this roll-out in December.

 

Drew

 

--------------

Drew Davis

Director,  IT-Computing Support

James Madison University

540-568-6625

 
