• Mac OS X Server,  Unix,  Windows Server,  Windows XP

    Delegating DirAdmin to Windows Clients

    By default, a Windows Server domain (NT4 through 2008) allows a Domain Admin account to manage Windows clients. A number of environments have been moving over to the PDC emulator on Mac OS X as a means of replacing aging Windows servers. One of the biggest annoyances is that the Open Directory administrative accounts used to bind the Windows computers are not local administrators. When you bind Mac OS X to Active Directory, you can specify which Active Directory groups are administrators of Mac OS X client systems, so you would imagine you can do the same thing on an OS X…

  • Mac OS X Server,  Windows XP

    Mac OS X Server: Cached Logon and Windows PDC Clients

    When using Mac OS X Server as a PDC, you may find that you need to tell a Windows system to cache login (aka logon) information for longer than the Windows system allows by default. In an Active Directory environment it is fairly straightforward to deploy this type of setting through a GPO; however, the policy settings for an NT4-style PDC environment (that is, via SMB) won’t necessarily allow you to perform this task. To do so, you might need to fire up the registry (or script an event in the login script to do so) and edit the following key with a Value (in terms of login…

  • Mac OS X Server

    Mac OS X Server: Setting up Admin Users of Windows XP through Open Directory PDC

    If you want the “admin” group to map to the NT “Directory Admins” group, the best way is to use dscl(1) to set the SMBSID or SMBRID attribute on the “admin” group record to 500. If there is no SMBRID attribute, open the appropriate group, enable the inspector, and create an attribute called SMBRID. You can give it a value that corresponds to the table below: http://www.afp548.com/article.php?story=200608252114039&query=PDC%2Bgroups PS – Thanks Joel!