Active Directory Account Access Issues

Bumpie

Hi all,

First I would like to say you guys rock. I've solved many problems by reading this forum.

My problem is this...

I have bound my Mac (OS10.3.8) to our company's AD with no problem and I am able to authenticate fine. But I still have these questions...

1) How can you restrict which AD accounts can log on to the computer?
2) How can you restrict or enhance AD account privileges (like for local accounts)?
3) I tried setting our AD Global Group in the Allow administration by... box but when I log on with an account in the group it doesn't recognize it as having admin privileges.

Would appreciate any help.

Thanks
Bump
 
I think some of the functionality you want would be accomplished by deploying an Open Directory to supplement your Active Directory. I do not recommend modifying your AD schema.

Try leaving the Allow Administration box as the default. It does a good job of populating itself with administrative groups from AD.
 
Thanks

Never heard of Open Directory. I'll look into it.

Only problem is we don't want the groups that AD populates the box with to be admin. We have a separate group that needs to have this privilege.
 
Ah ok, that's different then. Then you should be specifying an admin group in the AD plugin. :)

Open Directory is Apple's LDAP & Kerberos implementation, much like Active Directory. OS X clients can work with multiple directory services at the same time, such as to get user account info from Active Directory and OS X specific attributes, that AD doesn't have by default, from an Open Directory. You *could* modify your AD schema to support the OS X specific attributes, but I do not suggest that as the modifications 'change' over time and I always feel that you'll have much more flexibility working with Open Directory anyway.

I've set up and helped set up Open Directory servers in AD environments many times, so if you have any questions, feel free to ask, or email. I also have a link to my webpage in my sig, for more contact info, if you'd like.

There's a lot of cool stuff you can do, when you supplement your AD with an OD. Just try and keep all the two-letter abbreviations straight! :)
 