Add users to AD for authentication, but not for computer access
Posted on 2006-04-07
I am in a network setting where we use Win 2k3 Server w/ AD for the faculty and staff of our school. The students are authenticated by an Open Directory Mac OS X server. This is not a problem for us as the OS X server can host a STUDENT Domain for our student Windows clients. However, there are times when I want to use other products' LDAP features for authentication - often these products work better, or only, with AD. (I like having the two networks segregated for security purposes.) Thus there are times when it would be nice to have users in the AD who could not log in to computers on the network. That way, if my Content Filter, Print server, etc. was using LDAP for authentication from the Win 2k3 AD server, the names and passwords would be there for authentication. Is this possible? I liken this to creating distribution groups as opposed to security groups in AD. (We need the Open Directory Mac OS X server to stay for purposes of management of the Apple workstations. It is possible to have Open Directory look at AD for authentication while maintaining Apple client management, but this adds several layers of complexity and generally the addition of an expensive product - we do not want to do this.)
Any help with this is appreciated.