AD HelpDesk is a tool that can be used to manage certain aspects of Active Directory user accounts. Using AD HelpDesk, you can configure an iOS-based device to connect to Active Directory using an administrative account (or an account that has been delegated administrative access). Using the tool, you can then find a user. Using the user pane, you can unlock accounts, reset their passwords, force the resetting of the password on the next authentication event and optionally send a user their new password via SMS (a really cool little feature, IMO). There are a lot of useful ways to fit this tool into your service desk or network…
-
New GUI Directory Services Debug Tool
DSDebug is a small, quick little tool that just puts a server into Directory Services debug mode, waits for a specified amount of time and then drops a file on your desktop with the logs, placing the server back into a non-Directory Services debug mode. That’s all. It’s mostly designed to send to an Open Directory server’s administrator, tell them to double-click on it and not have to step anyone through typing much. It waits mostly so you can know how long it’s going to wait… Nice, small and compact. In the future I will likely build in a pattern matcher with some known, common errors, color coding, etc (or…
-
AD: Time Is The Enemy
One thing that Apple seems to have down pat in their documentation and troubleshooting methodologies in courseware is that if you have a problem with Kerberos clients, one of the first things to check is that the clock is at less than a 5-minute skew. However, I don’t really remember seeing this come up in any of my Active Directory certification exams (or the books for that matter). Therefore, it was no surprise that when a Windows client couldn’t authenticate to an Active Directory environment, no one thought to check the clock skew… But it’s worth keeping in mind that you should, as it is occasionally the fix…
-
Likewise Open 5.3 Supports Snow Leopard
Likewise 5.3 supports Snow Leopard at 32 or 64 bit! Likewise Open 5.3 is open source software that can be used to bind Mac OS X, Linux & Unix to Active Directory. Likewise Enterprise (which is not open source) starts with the Open client but allows leveraging Workgroup Manager or Active Directory Users & Computers to manage policies. If you haven’t already, check it out at www.likewise.com.
-
Snow Leopard + SkyHook = Kerb Problems?
In the Date and Time System Preference pane there is now an option to enable “Set time zone automatically using current location”. Assuming you have a Mac OS X computer with Wi-Fi and you use this option (which is not enabled by default), your portable looks up your location automatically using the wireless access points surrounding you, which are looked up against the Skyhook database API, and then changes your time zone based on your physical location. However, if your system looks back to the IP address of the KDC and sees a time offset that is greater than 5 minutes a few people have asked me…
-
Directory Utility in Snow Leopard
In Leopard, the Kerberos application got mad because the other utilities were making fun of him. So he went and hid in /System/Library/CoreServices and became an application that was summoned by other applications (i.e., Keychain Utility) when they couldn’t do their own work and needed him. Directory Utility saw this and decided it looked like a pretty darn appealing way to go. So Directory Utility has now moved into /System/Library/CoreServices. Not that you will always need to use her. You see, if you open the Accounts System Preference pane and click on Login Options you’ll see Network Account Server. Here you can click on Join. With more space in…
-
List Shares in Windows w/ PowerShell
It is not uncommon to end up with a number of shares on a server, be it Windows, Mac OS X or Linux. With all of this sprawl it can be useful to see the shares in a quick and concise manner. Using the Win32_Share WMI class through PowerShell, you can do just that from the command line, similar to the sharing command in Mac OS X Server. The command, from PowerShell, would be something similar to the following:
Get-WmiObject -Class Win32_Share
Assuming communication is working as intended, you can also query for the shares of other systems, by adding a -computer switch and specifying the host you’re listing shares…
-
Mac OS X Directory Services Plug-ins
In a number of contexts, we hear about directory services plug-ins. A directory services plug-in is a way for a Mac OS X computer to leverage the DirectoryServices daemon to obtain account information (be it authentication or policy information) from a server. This might be an Active Directory server that uses the Active Directory Plug-in or an Open Directory server that uses LDAP. You disable plug-ins that you don’t need and enable plug-ins (i.e., the Active Directory plug-in or third-party plug-ins) that you need in order to access directory services of various types. These plug-ins are developed in the form of .dsplug files. The default plug-ins that Apple includes with…
-
Mac AD Password Expiration Monitor
Password Monitor is a somewhat new look on a tool that has been in production in a number of environments for a while. According to the site: Password Monitor is a simple utility that will count down the days until a user’s Active Directory password is due to expire. An OS X 10.5 (or newer) system properly bound to an Active Directory is the only requirement. Additional features include the ability to display the exact expiration date on the logon window (admin rights required) and to automatically launch the utility at startup. The number of days between required password changes has to be manually set in the preferences. The range has…
-
Integrating Google Apps with Open Directory
Randy Saeks has posted a paper on integrating Open Directory with Google Apps. It’s a nice read and takes a lot of the guessing game out of getting Google Apps to authenticate users based on Open Directory. Many of the steps can also be leveraged to use the GoogleAppsToolkit for LDAP running on other platforms as well.