Windows Group Policies

[britespaak]

Hi. I'm wanting to set up my Mac OS X Server to allow network authentication from windows clients, but I also want the users to have policies to restrict what they can do (like the workgroup manager for mac os x clients). I know that in Windows server 2003 you can set the group policy settings somewhere, but is it possible on a Mac OS X Server?

Thanks

[Go3iverson]

If you are looking to set Windows group policy, you won't be doing that through Open Directory. Just like Mac OS X clients won't get group policy specified in Active Directory (barring password policy, extended schema mods or items like Centrify), Windows clients won't get group policy designed for Mac OS X clients.

You can provide NT Domain login type support from OS X Server out of the box.

Michael

[britespaak]

Oh. What would be the best way of setting something like this up then? I can use a windows server if required, but I would still like all the files and account information hosted on the Mac OS X server.

Thanks

[Go3iverson]

Depends on where you want the user accounts to reside. You can create accounts in Active Directory and implement an Open Directory to only provide managed preferences. Alternatively, you could put all of it Open Directory. Either way you can put the files on Mac OS X.

I think I'd need a bit more information of your goals and setup to make a strong suggestion, but I see a lot of people using AD for their users and passwords, with OD supplementing it.

Michael

[britespaak]

Okay, here's my situation. I am at a school that currently runs on a mac os x 10.4.9 server. We have both pcs and macs as clients. Currently, the network is a mess, with no central management at all, so we are wanting all the computers connected to the server, with user permissions and login information coming from the server. We currently don't have a Windows server installed on the network, but have a licence for Windows server 2000. The reason I want all the users and passwords on the Mac OS X server is because we have an Xserve for the Mac OS X server, and the windows server would be a standard computer. If the windows server fell over, then all the mac users could continue to log in.

Thanks

[Satcomer]

Deleted: wrong forum.

[Go3iverson]

Good info!

Well, to start, you never want to deploy a critical service on hardware you are suspect of. If the service you need is mission critical, it should be on hardware you can rely upon and trust.

How many Windows clients are you looking to support? Tiger Server can provide domain login for Windows clients in as a PDC and provide NT style domain support. Note, Tiger cannot be an AD controller or a PDC/BDC as part of a Windows installation.

Of course, Open Directory will be able to provide login support to your Mac OS X clients, in addition to managed client settings. You could also look at something like pGINA on your Windows clients to allow them to directly talk to the Open Directory as an LDAP client, as opposed to using the built in PDC.

You do have lots of options, but if you want to provide platform specific management, you may want to look at using an AD-OD installation, if you feel you can maintain the AD itself. The OD option has the key perks of better hardware and a newer software platform.

From what you have seen in your own environment, how do you feel you should proceed? There are always lots of variable that you'll see daily that anyone on here won't, so your inclination may be correct.

Michael

[britespaak]

Probably getting more into the windows section here, but is it possible to point all the windows clients to a windows server, and the windows server authenticates against the mac os x server, while still providing it's own group policy information?

Thanks