Solved

Mac users to be able to log on to a Windows domain using username and password

Posted on 2007-03-19
323 Views
Last Modified: 2013-11-24
We have a Windows 2000 network running Active Directory.
We recently purchased three MacBook Pros with Mac OS X 10.4.
I have managed to bind the laptops to Active Directory and users are able to browse and access the network shares.
However, I want the Macs to be Windows clients where the user, as in Windows, has to enter their user name and password to log on to the domain, activate logon scripts per the user policy, etc.

At the moment users log on to the Macs using a local username and can then browse the network and connect to the network share.

How do I configure the Mac to be a Windows client so that the user only needs to enter their login credentials once?

Nazmul
Question by:X-quisite
11 Comments
 
LVL 14

Expert Comment

by:Erik Pitti
ID: 18753517
Make sure that "/Active Directory/All Domains" appears in the Authentication tab of the Directory Access tool (/Applications/Utilities/Directory Access). Also verify that the Search under Authentication is set to Custom Path, and not local directory.

If Search is already set to Custom Path, click Add... and select "/Active Directory/All Domains" from the list. If you don't see "/Active Directory/All Domains" listed at all, verify that it has been configured under Services in Directory Access and that it is enabled (checked).
LVL 14

Expert Comment

by:Erik Pitti
ID: 18753526
Once the above has been done, you should be able to log in using an Active Directory account at the login window.

There are no login scripts or group policy for Mac OS with Active Directory. There are options that would accomplish this, but that requires an Open Directory server running on Mac OS X Server, or third-party products from Vintela (now Quest). As far as I know, when mounting a server volume, even when logged in as an Active Directory user, you still have to enter your user name and password to mount the share. I know I have to.
LVL 13

Expert Comment

by:Kini pradeep
ID: 18754085
http://docs.info.apple.com/article.html?artnum=151444
I would agree with the above post that no GP or login scripts would work.

Author Comment

by:X-quisite
ID: 18756924
I have followed the instructions as specified above.
However, when I enter an Active Directory user account and password, it does not accept it.

Any ideas why this could be?

Nazmul Islam
LVL 14

Expert Comment

by:Erik Pitti
ID: 18760508
Try selecting "Prefer this domain server" in the advanced options and entering the IP address of your PDC emulator.

Author Comment

by:X-quisite
ID: 18768425
I have put the IP address of the PDC in "Prefer this domain server" and still am not able to log in.

Can you confirm that you have logged on to a Mac using an Active Directory user?
LVL 14

Expert Comment

by:Erik Pitti
ID: 18775404
If you enable "Fast User Switching" (System Preferences --> Accounts --> Login Options) you will see your Active Directory user account's display name in the top-right corner of the screen, next to the Spotlight (magnifying glass) icon.

Are you sure that you have performed ALL of the necessary steps in the Apple technical article that kprad posted?

Can you see computer accounts in AD for the Macintoshes?

If so, did you move the computer accounts in AD from the Computers container after creating them? If so, unbind and re-bind the Macs to AD and DO NOT move the computer accounts from the Computers container.

Author Comment

by:X-quisite
ID: 18780921
I have unbound from the domain and rebound as follows:

1) Logged in to the Mac using my local username and password
2) Opened Directory Access
3) Selected Active Directory and then Configure
   a. Active Directory forest = automatic (not able to edit)
   b. Active Directory domain = office.local
   c. Computer ID = MBP1
   d. Under Advanced Options
      i. User experience
         1. Create mobile login account at login (not checked)
         2. Force local home directory on startup disk (not checked)
         3. Use UNC path from Active Directory to derive network home location (not checked)
         4. Default user shell /bin/bash (checked)
      ii. Mappings
         1. Map UID to attribute (checked)
         2. Map user GID to attribute (checked)
         3. Map group to attribute (checked)
      iii. Administrative
         1. Prefer this domain server (checked) (IP address of PDC)
         2. Allow administration by (checked); also added my Active Directory user account
         3. Allow authentication from any domain in the forest (checked)
4) System Preferences
   i. User Accounts
      1. Display login window as (name and password)
      2. Show the restart, sleep and shut down buttons
      3. All other options are unchecked

After binding using the administrator login and password I restart the Mac.

I enter my Active Directory user name and password; this does not work.
I then log in with my local user account.
I am able to browse the domain and connect to network shares.

What step have I missed?

Thanks
LVL 14

Accepted Solution

by:
Erik Pitti earned 500 total points
ID: 18784107
Unless you have extended the AD schema to add uniqueID and GID attributes, you should leave the following items unchecked:

1. Map UID to attribute (checked)
2. Map user GID to attribute (checked)


Author Comment

by:X-quisite
ID: 18785035
chakote,

By unchecking the above I have been able to get past the login screen using an Active Directory account.
However, it appears to have crashed, as the desktop is blank; I had to force a shutdown by pressing the power button.

In the Active Directory plug-in settings screen, under Advanced, I have the following options:

1) Create a mobile account at login
          Require confirmation before creating a mobile account
What is the purpose of this and do I need it?

2) Force local home directory on startup disk
What does this do? I assume that it saves the user's folder on the local Mac, similar to Windows where a roaming profile has not been set up. Is this correct?

3) Use UNC path from Active Directory to derive network home location
Is this to define the user's roaming profile folder on the network?


LVL 14

Expert Comment

by:Erik Pitti
ID: 18797685
1.) Creating a mobile account will enable you to log in with "cached credentials" as your AD user when you are away from the AD network. This may also keep a cached copy of your AD "home directory".

2.) This will place the home folder on the startup disk, whether or not a home folder has been defined in the properties of the AD account (Active Directory Users and Computers, user account properties, Account tab).

3.) Yes. Note that the Mac does not look at the roaming profile location on the AD account, but at the "home directory/folder" property of the AD account.
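The accepted solution above turns on the diagnosis that matters for the login-window failure (an AD user whose UID/GID mapping points at attributes the unextended schema does not carry ends up with no usable UID), and the last comment explains what the home-directory options actually read from AD. The script below is an added example written for this thread, not code from any of the posters or from Apple: it gives a bound 10.4 client a few checks to run after binding. The helpers are plain POSIX sh so they can be exercised anywhere; the live section at the bottom runs only when a user name (and optionally a domain controller) is passed on the command line and relies on the Mac tools `id`, `dscl` and `ntpdate`. The user `jdoe`, the server `fs1` and the sample `id` output are constructed for illustration; the five-minute Kerberos skew limit is the default and is assumed to be unchanged on the domain.

```shell
#!/bin/sh
# Post-binding checks for a Mac OS X client joined to Active Directory.
# Added illustration for the thread, not vendor code. Usage on the Mac:
#   sh adcheck.sh jdoe [dc-address]

AD_NODE="/Active Directory/All Domains"   # node name exactly as shown in Directory Access
MAX_SKEW=300                              # Kerberos default clock tolerance in seconds (assumed default)

# Pull the numeric uid out of `id` output such as "uid=1107(jdoe) gid=20(staff) ...".
# Prints nothing when the user does not resolve at all.
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Returns 0 for a usable uid, 1 when there is none (the symptom when "Map UID to
# attribute" names an attribute the schema does not have; with mapping off the AD
# plug-in derives the uid itself), 2 when the uid sits in the system range below 500.
classify_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 500 ] || return 2
    return 0
}

# AD logon is Kerberos-based; an offset beyond MAX_SKEW seconds fails without a useful error.
# Argument is the signed integer offset in seconds (as reported by ntpdate -q).
skew_ok() {
    case "$1" in
        ''|*[!0-9-]*) return 1 ;;
    esac
    diff=$1
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Convert the AD home directory value (\\server\share\user) into the smb:// URL that
# "Use UNC path from Active Directory" derives. Prints nothing for a non-UNC value,
# which is what you get when the AD account has no home folder set.
unc_to_smb_url() {
    prefix=$(printf '%s' "$1" | cut -c1-2)
    [ "$prefix" = '\\' ] || return 0
    rest=$(printf '%s' "$1" | cut -c3- | tr '\\' '/')
    printf 'smb://%s\n' "$rest"
}

# Live checks; skipped when no user name is given so the helpers can be sourced elsewhere.
if [ "$#" -gt 0 ]; then
    user=$1
    uid=$(uid_from_id_output "$(id "$user" 2>/dev/null)")
    classify_uid "$uid"
    case "$?" in
        0) echo "uid $uid for $user looks usable" ;;
        1) echo "$user has no uid: recheck the Map UID/GID settings against the schema" ;;
        2) echo "uid $uid for $user is in the system range: the mapped attribute looks wrong" ;;
    esac

    # Home directory as the AD plug-in sees it (attribute names vary by release, so show all home-related lines).
    dscl "$AD_NODE" -read "/Users/$user" 2>/dev/null | grep -i home

    if [ "$#" -gt 1 ]; then
        # ntpdate -q prints "server X, stratum N, offset S, delay D"; keep the integer part of the offset.
        offset=$(ntpdate -q "$2" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | tail -1 | cut -d. -f1)
        if skew_ok "$offset"; then
            echo "clock offset ${offset}s from $2 is within the Kerberos limit"
        else
            echo "clock offset '${offset}' from $2 is outside the Kerberos limit or unreadable; fix time sync first"
        fi
    fi
fi
```

The useful signal is the first one: if `id` shows no uid for the AD user while the local account still works, the login-window failure is exactly the mapping problem the accepted answer describes, and the fix is to uncheck the two mapping boxes rather than to keep rebinding.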