There was a bug in Mac OS X 10.5 “Leopard” that prevented MCX settings from being applied properly to an Active Directory group nested inside an Open Directory group. This has been fixed in 10.6 “Snow Leopard,” but note that the bug is also client-side: every client must be upgraded to Snow Leopard before the settings apply correctly.
The problem manifests as follows: under Apple’s Magic Triangle guidelines, the proper method for access management on the desktop is to “nest” AD users and groups within OD groups and then apply settings to those OD groups. This allows AD users to be managed on any Mac they log into, without the risk of extending the AD schema itself. For the most part this worked correctly in Leopard, except for AD groups nested in OD groups whose settings were applied to Computer groups within the OD. For example, placing the user AD\joeuser into an OD group called banned_users and then denying the banned_users group login access to the LabComputers OD group would block Joe from logging in, but adding the group AD\alumni into the same OD group would not prevent its members from logging in.
Thankfully, this nesting behavior now works correctly in 10.6. As long as you upgrade your clients as well, you should be able to manage Computer settings just like you’d expect.
Ok, so you thought it would be a good idea to secure your Mac using a firmware password, and then you forgot it. Or, alternatively, you left your machine logged in and an enterprising and mischievous co-worker set a password while you were away. In either scenario, you’re confronted with the same problem: you can’t do anything but boot normally unless you enter the password to unlock the firmware.
If you’re running Leopard, the latest release of OS X from Apple, the solution is actually quite easy. As with most Apple stuff, the firmware password seems really secure, but it’s not, since Apple has nicely built in a backdoor. Here’s what you’ll need: your computer, a Leopard install disk or original system disk, and an administrative account on the Mac you’re unlocking. Got it? Ok, let’s get started:
- Boot normally into Mac OS X. You should be able to do this, because you’re not changing any boot options.
- Insert the OS X Leopard DVD into your computer. The popup will appear asking to install OS X. Just ignore or close it.
- Open Terminal by going to Applications -> Utilities -> Terminal or typing ‘Terminal’ into Spotlight.
- Enter the following:
open /Volumes/Mac\ OS\ X\ Install\ DVD/Applications
- In the Finder window that opens, choose Utilities and then Firmware Password Utility. Uncheck the box to set the firmware password and hit Change. Your password is now reset to blank, and you won’t be prompted to enter one when changing boot options.
Apple’s latest offering, OS X 10.5 “Leopard,” offers GUI-based integration and account management for Microsoft Active Directory that is fairly full-featured and complete. However, as tends to be the case with enterprise-level account management, Apple dropped the ball and left out a very important feature: the ability to promote a domain user to local administrator without that user having to log in first. You can add groups through the Directory Utility GUI, but not individual users. Why does this matter? At least for me, it’s because a lot of the users I support aren’t there when I’m setting up their computer, but they’ll need to administer it down the road. Getting their password in advance is a huge security no-no in an environment where pretty much everyone has sensitive data on their machine, so how can you give a user local admin privileges before their home folder is even created? Terminal, obviously.
- Launch Terminal from Applications->Utilities->Terminal.
- Type the following command, substituting the name of your domain user in the appropriate field, surrounded by quotation marks:
sudo dscl . -append /Groups/admin GroupMembership "new_user"
You’ll be prompted for your password, then you should see the command prompt again. If you’re not sure whether or not it worked, try promoting a domain account for which you have the password the same way and logging in. Go into System Preferences and try to unlock something. If your name appears in the username field, you’re an admin!
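A scripted version of the promotion above, added here as an example rather than taken from the original post. It wraps the same dscl append in a function that first checks whether the user is already in the admin group and then reads the group record back, so a silent failure (a mistyped user name, for instance) is caught without having to log in as that user. It assumes Mac OS X’s dscl and the local /Groups/admin record; the user names joeuser and alumni and the sample record text are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): promote a directory user to local
# admin with dscl and confirm the change by reading the group record back.
# Assumes Mac OS X's dscl and the local /Groups/admin record; "joeuser" and
# "alumni" are constructed names.

set -u

# Read text in the format dscl prints for
#   dscl . -read /Groups/admin GroupMembership
# from stdin and succeed only if NAME appears on the GroupMembership line.
admin_record_has_user() {
  awk -v want="$1" '
    $1 == "GroupMembership:" {
      for (i = 2; i <= NF; i++) if ($i == want) found = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

# Add NAME to the admin group only if it is not already there, then re-read
# the record so a silent failure (e.g. a wrong user name) is noticed.
add_local_admin() {
  name="$1"
  if dscl . -read /Groups/admin GroupMembership | admin_record_has_user "$name"; then
    echo "$name is already in admin"
    return 0
  fi
  sudo dscl . -append /Groups/admin GroupMembership "$name" || return 1
  if dscl . -read /Groups/admin GroupMembership | admin_record_has_user "$name"; then
    echo "$name added to admin"
  else
    echo "append ran but $name is not in the admin record" >&2
    return 1
  fi
}

# Constructed sample of what dscl prints on a default install after one promotion.
SAMPLE_ADMIN_RECORD='GroupMembership: root admin joeuser'

# Run with --demo to exercise the parser on the constructed sample, or with a
# user name to perform the promotion on a real Mac.
case "${1:-}" in
  --demo)
    printf '%s\n' "$SAMPLE_ADMIN_RECORD" | admin_record_has_user joeuser && echo "joeuser: member"
    printf '%s\n' "$SAMPLE_ADMIN_RECORD" | admin_record_has_user alumni || echo "alumni: not a member"
    ;;
  "") ;;
  *) add_local_admin "$1" ;;
esac
```

The membership check is deliberately a whole-word match on the GroupMembership line, since a substring test would accept joe when only joeuser is listed. On a live machine you can cross-check the result with dsmemberutil checkmembership -U new_user -G admin, which resolves nested and directory-based membership the same way the login window does.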