It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,979
Macs in an AD environment
Hi,
We have a customer that wants to know how to manage Macs in their Win 2008 R2 environment, not just for shares and logins but from a policy and GPO way. I know of a couple of tools for this but have never tested them. I wanted to find out if anyone here has experience with any tools to be able to manage fully integrated Macs in a Windows domain: pros, cons, gotchas, etc. I am leaning toward Quest but need some real-world experiences. Thanks in advance, Bob James
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
Registered
Join Date: Dec 2007
Posts: 1,231
Bump! Very interested in this as well.
Registered
We use Quest (QAS, Quest Authentication Services) on our Unix servers and our Linux laptops etc. It works fine; it's not the best thing in the world, but it's functional. The real hang-up we had was procedure. Each and every user and group in AD needs to be "unix enabled", so existing groups need to be enabled and new users and groups need to be built "enabled."

Something like this is a huge issue for us since we have so many employees and different help desks around the world. But we got there. We are getting rave reviews from our AIX and Sun folks, who now just have to add a single group to their users.allow file rather than an entire list of users like we did before.

We have only had a few issues to date. One was AD groups with "spaces" in them; this didn't work at all early on, then they patched it and it got "better", but we can still throw the odd group name with multiple "spaces" and kill the authentication on the server. Another patch is slated to come out soon to address some more of this.

Now, if you're still not bored reading: the AD policy objects and GPOs must be tailored entirely to the Unix machines; you won't be using your existing policies to push to Unix systems. I suppose that's a given since the operating system objects are entirely different. But the good news is, it does work! You just need a working policy for the flavor of Unix that you're securing. My AD admins balked at first, of course they bleed Microsoft, but they are coming around.
2021 Model Y 2005 Cayenne Turbo 2012 Panamera 4S 1980 911 SC 1999 996 Cab
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,979
Thanks Scott, that's the product I was looking at. I'm surprised it's not more AD-integrated; it seems more like a product that works in parallel. What was the total time and effort it took you to totally integrate the system?
Bob James
Formerly bb80sc
Join Date: Aug 2001
Location: Hollywood Beach, CA
Posts: 4,361
The company I work for has an AD bridge product for Mac (and all "ix" flavors). We purchased Likewise; the product is now called PowerBroker Identity Services. We can manage a lot of settings via GP, including syslog, DNS, files, directories, permissions, etc. The users can authenticate with their AD identity and password or their Mac/Unix username. We can map the UID too, so ownership of files does not need to change. Let me know and I'll hook you up. I do pre/post sales, training, PS, etc. and know the product pretty well. Install takes about two minutes on the client, plus a management console and a couple of things on the AD side. We will use the existing RFC2307 schema attributes for Unix. You can restrict login access via Windows groups. You can restrict group policy to client platform type, OU, etc.
Cheers -Brad
Cheers -Brad 2015 Cayman GTS 2015 4Runner Limited Last edited by Vipergrün; 08-12-2012 at 08:26 PM.
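Scott's point (every user and group has to be "unix enabled" before the bridge will use it) and Brad's (the bridge reads the existing RFC2307 attributes and maps the UID) come down to the same prerequisite: the AD objects must carry uidNumber, gidNumber, unixHomeDirectory and loginShell. The following Python script is an added example, not code from this thread or from Quest, BeyondTrust/Likewise, Centrify or Thursby. It audits an LDIF export for those attributes, flags group names containing spaces (the QAS problem Scott describes), and flags two accounts sharing a uidNumber, which would break the UID mapping Brad mentions. The sample LDIF is constructed for the example, and the attribute names assume the RFC 2307 attributes that ship in the AD schema from Windows Server 2003 R2 onward, so no schema extension is needed.

```python
# Added example, not from this thread or any AD-bridge vendor: audit an LDIF
# export of AD users and groups for the RFC 2307 attributes an AD bridge needs
# before a Mac or UNIX host can resolve the account. Attribute names assume the
# Windows Server 2003 R2+ default schema (uidNumber, gidNumber, ...).
REQUIRED_USER_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
REQUIRED_GROUP_ATTRS = ("gidNumber",)

SAMPLE_LDIF = """\
# constructed ldapsearch-style export of two users and two groups; not real data
dn: CN=jdoe,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: jdoe
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /Users/jdoe
loginShell: /bin/bash

dn: CN=asmith,OU=Staff,DC=corp,DC=example
objectClass: user
sAMAccountName: asmith
uidNumber: 10001
gidNumber: 5000
unixHomeDirectory: /Users/asmith

dn: CN=Mac Users,OU=Groups,DC=corp,DC=example
objectClass: group
sAMAccountName: Mac Users
gidNumber: 5000

dn: CN=macadmins,OU=Groups,DC=corp,DC=example
objectClass: group
sAMAccountName: macadmins
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} records (base64 '::' values not decoded)."""
    # Unfold continuation lines: a line starting with one space continues the previous value.
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    records, current = [], {}
    for line in unfolded:
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comment
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def record_name(rec):
    """sAMAccountName if present, else cn, else '?'."""
    return (rec.get("sAMAccountName") or rec.get("cn") or ["?"])[0]


def audit_record(rec):
    """Problems for one object; an empty list means it is 'unix enabled'."""
    problems = []
    classes = {c.lower() for c in rec.get("objectClass", [])}
    if "group" in classes:
        required = REQUIRED_GROUP_ATTRS
        if " " in record_name(rec):   # group names with spaces broke QAS early on
            problems.append("group name contains spaces")
    else:
        required = REQUIRED_USER_ATTRS
    for attr in required:
        if attr not in rec:
            problems.append(f"missing {attr}")
    for attr in ("uidNumber", "gidNumber"):
        for value in rec.get(attr, []):
            if not value.isdigit():
                problems.append(f"{attr} is not numeric: {value!r}")
    return problems


def audit_ldif(text):
    """Map each object's name to its problems, including uidNumber collisions between accounts."""
    report, uid_owner = {}, {}
    for rec in parse_ldif(text):
        name = record_name(rec)
        problems = audit_record(rec)
        for uid in rec.get("uidNumber", []):
            if uid in uid_owner and uid_owner[uid] != name:
                problems.append(f"uidNumber {uid} also used by {uid_owner[uid]}")
            uid_owner.setdefault(uid, name)
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_ldif(SAMPLE_LDIF).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Feed it the output of `ldapsearch -LLL` or an `ldifde -f` export of the OU you intend to enable; any object whose problem list is empty already has what the bridge needs, and the rest is the procedural work Scott describes.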
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,979
Thanks Brad,
Yes, I'm interested; I assume I will be doing a bakeoff for the client. You can contact me at info at snetworks.com. Bob James
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,979
Update,
So after fighting with my Snow Leopard Air for two days trying to get AdmitMac to run, I found out there is an issue with domains that end in .local (which most do internally). Turns out it's an Apple issue (reserved for Bonjour devices and multicast) and my options were downgrade or upgrade. So I upgraded to Lion (10.7.4), which is supposed to have the fix in it. Based on requirements I have limited my testing down to three products: AdmitMac, Centrify and PowerBroker. I'm going camping for a few days but will start testing all over again when I'm back, and report my findings here (if anyone cares). Bob James
Registered
Join Date: Dec 2007
Posts: 1,231
Bump! What were your findings?
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,979
It depends. The customer wanted easy-to-use AD controls (GPO) without extending the schema, and it was only for a few devices; in this case AdmitMac was the best choice. You give up some controls, but this met their requirements. If you need to manage a lot of Macs, want more granular controls over apps and what is and isn't allowed, and are willing to put in the work up front, my choice would be Centrify.
I hope this helps.