There was a bug in Mac OS X 10.5 “Leopard” that prevented proper application of MCX settings to an Active Directory group nested inside an Open Directory group. This problem has been corrected in 10.6 “Snow Leopard,” but it’s important to note that this is a client-side issue as well that requires you to upgrade all machines to Snow Leopard in order to have the settings properly apply.
The problem evidences itself in the following way: under Apple’s Magic Triangle guidelines, the proper method for access management on the desktop is to “nest” AD users and groups within OD groups, and then to apply settings to those OD groups. This allows for user management of AD users on any Macs they log into, while avoiding the risk of extending the AD schema itself. For the most part, this worked correctly in Leopard, except on AD groups nested in OD groups when applied to Computer groups within the OD. For example, placing a user AD\joeuser into an OD group called banned_users and then denying the banned_users group login access to the LabComputers OD group would block Joe from logging in, but adding AD\alumni into the same OD group would not prevent login access.
Thankfully, this nesting behavior now works correctly in 10.6. As long as you upgrade your clients as well, you should be able to manage Computer settings just like you’d expect.
Apple’s latest offering, OS 10.5 “Leopard” offers GUI-based integration and account management for Microsoft Active Directory that is fairly full-featured and complete. However, as tends to be the case when it comes to enterprise-level account management, Apple dropped the ball and forgot to include a very important feature: the ability to promote a domain user to local administrative status without them having to log in. You can add groups through the Directory Utility GUI, but not individual users. Why would this be important? Well, at least for me, it’s because a lot of the users I support aren’t there when I’m setting up their computer, but they’ll need to administer it down the road. Getting their password in advance is a huge security no-no in an environment where pretty much everyone has sensitive data on their machine, so how can you give a user local admin privileges before their home folder is even created? Terminal, obviously.
- Launch Terminal from Applications->Utilities->Terminal.
- Type the following command, substituting the name of your domain user in the appropriate field, surrounded by quotation marks:
sudo dscl . -append /Groups/admin GroupMembership "new_user"
You’ll be prompted for your password, then you should see the command prompt again. If you’re not sure whether or not it worked, try promoting a domain account for which you have the password the same way and logging in. Go into System Preferences and try to unlock something. If your name appears in the username field, you’re an admin!