Managing AD Users with 10.4 Server / OD / Workgroup Manager


UPDATE--Mystery Solved: What I learned over at is that you cannot simply add an AD group to an OD group. Workgroup Manager will let you, but it will do nothing. Once I tried adding individual AD users to my OD group, it worked perfectly! Apparently, there is reason to believe that a future update will allow adding AD groups to OD groups...that will be cool. For now, I am going to have to take the suggestion of applying my managed preferences at the computer level instead of the user level. Good enough for now, but that update will be welcomed.

I have both AD users and OD users logging in to 10.4.2 clients. The clients are bound to my win2000 AD server using the AD plugin, and also connected to the OD server via LDAP. When the OD users log in, they get custom preferences that I've assigned them in Workgroup Manager (like dock, app, finder prefs). Now, I'm trying to figure out how to do the same for the AD users...I want to assign the AD users "Mac-specific" prefs using Workgroup Manager. Is this possible?

Here is the situation... The AD user logs in and is authenticated directly to the AD server. He is then assigned a local home directory on the client (which I want), BUT he is assigned preferences based on the local default user account on the client. I want those prefs to come from the Workgroup Manager on my OSX server (10.4.2), just like with my OD users.

Here is what I have done... Like the clients, the OSX server is bound to AD (in addition to being an OD Master). So when I go into Workgroup Manager I can see both my OD and my AD. I created a group in OD called "Managed AD Users". I then added the AD group called "<MyDomain>\users" to this new OD group...thinking that it would then make ALL of my AD users members of this OD group. I then assigned the new OD group certain preferences (dock, app, finder, etc.). However, as I said, these prefs are not being assigned when the AD users log into the clients. To test that the OD group prefs are working at all, I also added an OD user into the new group. When I log in as that OD user, I do in fact get assigned the prefs that I want the AD users to get.

Would I be correct in assuming that this isn't working because the AD users are authenticating from the client directly to the AD server? If the OD server isn't involved in the transaction, then how would it know to assign these preferences? In order for this to work, do I need to somehow have the AD users authenticate to the OD server, and have the OD server perform some sort of "pass-through" authentication to the AD server for them? (And in the process, assign them the prefs I've specified in Workgroup Manager) Hopefully someone knows what I'm rambling about here... :D

If anyone has done this or knows anything of this, I would be very grateful for some helpful info. Thanks in advance!



Hey, yeah, I'm having the same problem. It's a real pain in the butt.

Most of our students use PCs and we're always adding users to the AD, but if we forget to then go and add them to OD on the Mac, then they log in and don't get managed prefs, etc.

Would be great to just add the AD group into OD. In fact, we nearly bought the 10.4 upgrade for a client just to do this. Will have to hold off until Apple brings out an update for this.