Mac OS X login using a domain account: how we learned to manage Macs on a corporate network

You share the directory by creating a binding between the client and the Open Directory domain on Lion Server. Binding creates a connection between the server and the client, allowing the client to read the LDAP database, send authentication requests, and interact with the Kerberos realm for service tickets.

Regarding authentication, you most often see this interaction from the Mac OS X login window, and much of this interaction is transparent to the user.

Any version newer than Mac OS X 10.2 can bind to Open Directory running on Lion Server. Mac OS X 10.7 clients should not be bound to versions of Mac OS X Server earlier than 10.7, so that the latest Mac OS X enhancements are supported.

Bind Mac OS X 10.6 and 10.7 clients

Choose Apple menu > System Preferences, then click Users & Groups (Mac OS X 10.7) or Accounts (Mac OS X 10.6).

Bind Mac OS X 10.5 and earlier clients

In earlier versions of Mac OS X you used Directory Utility, found in the Utilities folder inside your Applications folder, to bind to a network directory. To bind a Mac OS X 10.5.8 or earlier client, open Directory Utility and do the following:

1. Click the lock icon and enter an administrator name and password.

2. Click the Add (+) button and, in the pop-up menu, choose Open Directory to bind to an Open Directory domain or Active Directory to bind to an Active Directory domain.

3. Enter the fully qualified hostname or IP address of the server hosting the domain and click OK.

To begin with, a short story; if it sounds familiar, this article is for you. One fine morning you come to work and your boss calls you in to say he has bought a new laptop that urgently needs to be connected to the network and all network resources. You go to his office and realise that the boss has bought a Mac. He wants his new laptop joined to the domain so that he can reach every network resource without being prompted for credentials each time. Or maybe the story is a little different: your organization has expanded and added a graphic design and marketing department, and every employee in that department will use a Mac.

What do you do in such a situation? Don't worry: a Mac can be joined to a Windows domain, and today I will show you how. In this article we will join Snow Leopard to a Windows Server 2008 domain.

Network and account setup on Mac

A Windows domain depends entirely on correct DNS settings, so the first thing to do is point the Mac at the right DNS server, which in my case is also the domain controller. Open System Preferences and click Network to open the network settings.

By default your network adapter receives its settings via DHCP. Depending on your network you can instead set them by hand by choosing Manually.

My domain controller's IP address is 192.168.1.172, so I enter that value in the DNS Server field.

Go back to System Preferences and select Accounts.

Click the lock at the bottom to allow changes, then click Join next to Network Account Server.

Now click Open Directory Utility.

In Directory Utility, click the lock at the bottom again, select the Active Directory row and click the pencil icon to edit it.

Here you enter the domain and the computer ID. In this example the domain is hq.test.us and the computer ID is Mac. The computer ID is the name of the computer account that will be created for the Mac in the Windows domain (it appears in Active Directory as Mac$).

Click the disclosure arrow to show three further groups of options: User Experience, Mappings and Administrative. To keep things simple I leave everything at its defaults except Administrative. Click Administrative and, under Prefer this domain server, enter the IP address or fully qualified domain name of the domain controller. Here you can also choose which domain groups receive administrator rights on the Mac; pick a dedicated group rather than Domain Admins, since every member of the chosen group becomes a local administrator on the machine.

Now click Bind and enter the credentials of a domain account that is allowed to join computers to the domain (an account delegated the right to create computer objects in the target OU is enough; it does not need to be a Domain Admin), then click OK.

Directory Utility shows the progress of the join, which consists of five steps.

When it finishes, the computer is a member of the domain and the Bind button is renamed Unbind.

Click OK and then Apply in the Directory Utility window, then close Directory Utility. You are returned to the Accounts window; note the green dot and domain name next to Network Account Server.
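The same join, scripted. This is an added example and not part of the original walkthrough: it runs the preflight checks that most often make the first of the five join steps fail (wrong DNS server, clock skew beyond what Kerberos tolerates, an invalid computer ID) and then binds with Apple's dsconfigad, the command-line equivalent of the Directory Utility dialog. The domain hq.test.us and the computer ID Mac come from the text; the controller name dc1.hq.test.us, the OU and the macjoin account are assumptions.

```shell
#!/bin/bash
# Added example: preflight checks and the bind itself for Mac OS X 10.5-10.9,
# using Apple's dsconfigad(8), the command-line equivalent of the Directory
# Utility steps above. Domain and computer ID are the walkthrough's values; the
# DC hostname, target OU and join account are assumptions for this script.
DOMAIN="hq.test.us"
COMPUTER_ID="Mac"
PREFERRED_DC="dc1.hq.test.us"      # assumed name of the 192.168.1.172 controller
OU="OU=Macs,DC=hq,DC=test,DC=us"   # assumed OU that holds the Mac computer objects
JOIN_USER="macjoin"                # assumed account delegated "Create Computer Objects" on that OU
MAX_SKEW=300                       # Kerberos default clock-skew tolerance, in seconds

# The computer ID becomes a NetBIOS-style account (Mac$): 1-15 characters and
# none of the characters Windows rejects in computer names.
valid_computer_id() {
  [ -n "$1" ] && [ "${#1}" -le 15 ] || return 1
  if printf '%s' "$1" | grep -q '[\\/:*?"<>| ]'; then
    return 1
  fi
  return 0
}

# Domain controllers register this SRV record. If it does not resolve, the Mac
# is not using the right DNS server and the bind will fail at its first step.
dc_srv_name() {
  printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

has_dc_srv() {
  dig +short SRV "$(dc_srv_name "$DOMAIN")" | grep -q .
}

# Kerberos rejects tickets when client and DC clocks differ by more than
# MAX_SKEW seconds. Both arguments are whole seconds.
skew_ok() {
  local diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# Offset to the DC's clock in seconds, parsed from ntpdate -q (shipped with these OS X releases).
dc_offset() {
  ntpdate -q "$PREFERRED_DC" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "offset") { sub(/,/, "", $(i + 1)); print $(i + 1); exit } }'
}

do_bind() {
  # -password is deliberately omitted: dsconfigad prompts for it, so the join
  # account's secret never shows up in ps(1) output or shell history.
  # -force replaces a stale computer object with the same name.
  /usr/sbin/dsconfigad -add "$DOMAIN" -computer "$COMPUTER_ID" -username "$JOIN_USER" \
    -ou "$OU" -preferred "$PREFERRED_DC" -force
}

main() {
  local off
  valid_computer_id "$COMPUTER_ID" || { echo "invalid computer ID: $COMPUTER_ID" >&2; return 1; }
  has_dc_srv || { echo "no DC SRV record for $DOMAIN; fix the DNS server address" >&2; return 1; }
  off=$(dc_offset)
  [ -n "$off" ] || { echo "cannot read the clock of $PREFERRED_DC" >&2; return 1; }
  skew_ok 0 "${off%.*}" || { echo "clock skew ${off}s exceeds ${MAX_SKEW}s; sync time first" >&2; return 1; }
  do_bind || return 1
  # A domain account resolving to a UID proves the LDAP side works; a ticket in
  # the cache proves Kerberos does.
  id "$JOIN_USER" && klist
}

# Runs the real bind only when asked to, so the functions can be sourced and tested.
case "${1:-}" in
  --bind) main ;;
esac
```

Run it as root with --bind; without the flag it only defines the functions. The password prompt is intentional: a value passed with -password is visible to every local user in ps output and lands in the shell history, and the join account's credentials are exactly what an attacker wants for adding rogue machines to the domain.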

Login with a domain account on your Mac

You can now sign in to the Mac with a Windows domain account. In the login window, choose Other.

Enter your domain account name and password.

Let's connect to a network share. In the Finder choose Go > Connect to Server. For SMB use the form smb://servername/share, then click Connect.

Notice that you are not asked for credentials on the server: the Kerberos ticket obtained when you logged in with the domain account is used for single sign-on to the share.

That's all; it wasn't very difficult, was it?


Jesus Vigo takes a look at how to setup and configure Apple hardware running a modern version of OS X and get it communicating with a Windows Active Directory environment.

Market share in the enterprise is largely dominated by Microsoft, specifically by reliance on the Windows Server family to manage network resources, align desktops with corporate security policies and keep production flowing for every employee in an organization. Administering all these systems, desktops and servers alike, is relatively straightforward in a homogeneous environment, but what happens when OS X enters the enterprise in the form of a sleek, shiny new MacBook Air or iMac?

Apple hasn't made great inroads in this segment. But compare its paltry 7% share of the desktop market with its almost 93% share of the mobile device market: it is only a matter of time before more companies choose Apple products for their mobile and desktop computing in place of the generic, stalwart PCs they have been cycling in and out every three to five years. So, I ask again: what do you do when your organization decides to move to iMacs? How do you manage those nodes alongside the Windows domain that is already established?

Integrating Macs is initially easier than you might think. Even with little or no prior OS X knowledge, Macs bind* to the domain with relative ease, because directory services, the underlying "file structure" of network resources, are standards-based and work more or less the same across operating systems.

Note*: Binding is the term for joining OS X to a domain. It is virtually identical to joining a Windows PC to a domain, complete with a check of domain credentials to verify that the person has the right to add the computer to the domain.

Minimum requirements:

  • Server hardware running Windows Server 2000-2012 Standard
  • Active Directory Domain Services (ADDS) setup and configured
  • Domain account allowed to join computers (a delegated join account is enough; Domain Administrator rights are not required)
  • Apple desktop or laptop running OS X 10.5+
  • Switched network

I. Bind OS X to a Windows domain (10.5-10.9)

Follow these steps to bind OS X to a Windows domain:

Note**: By default, Windows automatically creates the computer object in ADDS if one does not already exist. However, domain or enterprise admins may (and often do) restrict this as a security measure, to stop random nodes from being joined to the domain. Organizational Units (OUs) may also be created to compartmentalize ADDS objects by classification or department; many enterprises use OUs to keep their own objects and accounts separate from the items created by default when a domain controller is promoted and ADDS is created.

II. Modify Directory Services settings

Your next steps will be to modify the Directory Services settings. Here's how:

  1. To ensure the highest level of compatibility between OS X and the resources on the Windows network, certain changes must be made to the Active Directory service with Directory Utility. Go to System Preferences | Users & Groups and click Login Options.
  2. Click the Edit… button next to Network Account Server, then click Open Directory Utility…

  3. Directory Utility lists the services associated with network account directories and lets you modify their settings as needed.

  4. Double-click Active Directory to edit its configuration.

  5. Click the arrow to reveal the Advanced Options, select User Experience, and check the following boxes:
    a. Force local home directory on startup disk, which creates a profile on the local disk for every user who logs on to the node (leave this unchecked if you plan to serve profiles from a server).

    b. Use UNC path from Active Directory to derive network home location, and select the network protocol to use: smb: (this switches the default protocol for network home paths from Apple's afp: to the Windows-friendly SMB, whose older dialect is known as Common Internet File System, or CIFS).

  6. Next, select Mappings. This tab lets you map the user UID, user GID and group GID to attributes stored in ADDS, such as uidNumber and gidNumber. By default OS X derives these IDs from each object's objectGUID, which is consistent across Macs bound to the same domain but will not match the IDs used by UNIX or Linux hosts; use the mappings if your enterprise admin already maintains a set of POSIX attributes.

  7. Finally, select Administrative and configure the following three optional settings according to the organization's ADDS setup:

    a. Prefer this domain server makes the client direct lookups and authentication to the domain controller of your choosing before falling back to the others it discovers through DNS.
    b. Allow administration by grants local administrator rights on the node to the listed domain users or security groups; keep this list to a dedicated group of Mac administrators rather than Domain Admins.
    c. Allow authentication from any domain in the forest lets users from any domain in the forest log in to the Mac; uncheck it if only accounts from the bound domain should be accepted, as configured by the domain/enterprise admin.
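An added check, not from the article: the same tabs are visible from the command line with dsconfigad -show, and the script below audits that output for the choices a security-minded admin should make in the Administrative tab (signed and encrypted LDAP traffic, no forest-wide logins in a single-domain forest, no Domain Admins mapped to local admin). The sample output is constructed for the example; its label names follow the general shape of the real command's output and may vary between OS X versions, so adjust a label if a check reports its value as missing.

```shell
#!/bin/bash
# Added example: audit an existing bind against the settings discussed above.
# It parses the "label = value" lines printed by `dsconfigad -show` (the
# command-line view of the same Directory Utility tabs). The sample below is
# constructed for this example; the labels follow the general shape of the
# real output but may differ slightly between OS X versions.

sample_show() {
  cat <<'EOF'
You are bound to Active Directory:
  Active Directory Forest          = hq.test.us
  Active Directory Domain          = hq.test.us
  Computer Account                 = mac$

Advanced Options - User Experience
  Create mobile account at login   = Disabled
  Force home to startup disk       = Enabled
  Use Windows UNC path for home    = Enabled
  Network protocol to be used      = smb

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = HQ\Domain Admins
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
EOF
}

# show_value <label>  (reads dsconfigad output on stdin, prints the value)
show_value() {
  awk -F' = ' -v key="$1" '{
    k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
    if (k == key) { print $2; exit }
  }'
}

# check_setting <output> <label> <ERE of acceptable values>
check_setting() {
  local got
  got=$(printf '%s\n' "$1" | show_value "$2")
  if printf '%s' "$got" | grep -Eiq "^($3)$"; then
    printf 'ok   %s = %s\n' "$2" "$got"
  else
    printf 'FAIL %s = %s\n' "$2" "${got:-missing}"
    return 1
  fi
}

# audit_bind <output>: one line per setting, exit status 1 if anything failed.
audit_bind() {
  local out="$1" fails=0 admins
  # LDAP traffic to the DC should be signed and encrypted, not merely allowed.
  check_setting "$out" "Packet signing"    "require" || fails=$((fails + 1))
  check_setting "$out" "Packet encryption" "require" || fails=$((fails + 1))
  # In a single-domain forest there is no reason to accept logins from other domains.
  check_setting "$out" "Authentication from any domain" "Disabled" || fails=$((fails + 1))
  # Mapping Domain Admins to local admin puts the forest's most valuable
  # credentials on every Mac; a dedicated Mac admin group is the safer choice.
  admins=$(printf '%s\n' "$out" | show_value "Allowed admin groups")
  if printf '%s' "$admins" | grep -Eiq 'domain admins|enterprise admins'; then
    printf 'FAIL Allowed admin groups = %s\n' "$admins"; fails=$((fails + 1))
  else
    printf 'ok   Allowed admin groups = %s\n' "${admins:-not set}"
  fi
  [ "$fails" -eq 0 ]
}

case "${1:-}" in
  --live)   audit_bind "$(/usr/sbin/dsconfigad -show)" ;;
  --file)   audit_bind "$(cat "$2")" ;;
  --sample) audit_bind "$(sample_show)" ;;
esac
```

Run it with --live on a bound Mac, with --file saved-output.txt against captured output, or with --sample to watch the constructed case fail all four checks. The fixes are a single command on the client: sudo dsconfigad -packetsign require -packetencrypt require -alldomains disable -groups "HQ\Mac Admins" (the group name is an assumption; it must already exist in the domain).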

There you have it - a basic look at how to setup and configure Apple hardware running a modern version of OS X and get it communicating with a Windows Active Directory environment. I also threw in a few extra tips to help make a smooth transition and minimize errors.

One additional tip (and common best practice) is to host an Open Directory domain alongside the Active Directory service. Running two directory services adds to the burden of managing two distinct operating systems, but you may be surprised to find that it actually makes administering these systems easier. In this dual-directory setup, Windows PCs are maintained and managed solely through Active Directory, while Open Directory, set up on OS X Server, maintains and manages the Apple computers.

With the second binding to ADDS, the Apple hardware communicates seamlessly with the Windows desktops and shares file and printer resources with Windows servers and nodes, and vice versa, with no need for costly third-party plugins. The Macs still receive much of their management directly from the domain controller hosting Active Directory, but it must "translate" those processes into commands that OS X understands, and that introduces another variable when troubleshooting. And, let's be honest, the newly released OS X Server 3.0, only $20 in the Mac App Store, is a full-fledged server OS that is as simple and easy to use as OS X itself.

If you are using a Mac on a network in a Windows environment, you can join it to a domain by following these steps:

1. Open System Preferences and select Users & Groups.

The Users & Groups pane appears.

2. Below the list of user accounts, click Login Options.

The Login Options pane appears.

3. If the lock icon in the lower-left corner of the pane is locked, click it and enter your password when prompted.

By default, login settings are locked to prevent unauthorized changes. This step unlocks them so that you can join the domain.

4. Click the Join button.

You are prompted for the name of the domain you want to join.

5. Enter the name of the domain.

When you enter the domain name, the dialog expands so that you can supply the domain credentials needed for the join.

6. Enter the name and password of a domain administrator account (or of an account delegated the right to join computers), then click OK.

You are returned to the Login Options pane, which now shows that you have joined the domain.

10/17/2011 Eric Rucks

If you want to serve Mac clients as well as Windows clients, you'll need a Mac-to-AD integration solution. I recently tried four products that do the job perfectly.

Until recently, using an Apple Macintosh in a Windows environment took a lot of effort: extra software to integrate and changes to the Active Directory (AD) schema. In recent years the integration has become much easier, and the necessary mechanisms are now provided by default. This happened not because Microsoft and Apple "smoked the peace pipe" and began working together, but because both companies followed RFC 2307 and the LDAP standards. As a result, if you run Windows Server 2003 R2 or later and Apple OS X Panther (10.3) or later and want to authenticate Mac clients against AD, you need no special software. It is enough to set the home folder path, in the old "NT-style" UNC format, in the properties of the user's AD object for the contents of the network drive to appear on the desktop. If a mobile account is used (what Microsoft calls cached credentials and a cached profile), users can sign in while disconnected from the domain, again without any additional software. But if you want to manage Mac clients with the same tools as Windows clients, you need a Mac-to-AD integration solution.

Three of them—Centrify's DirectControl, Likewise Software's Likewise Enterprise, and Quest Software's Authentication Services—integrate Macs, UNIX and Linux computers into the Windows world. The fourth product, Thursby's ADmitMac, integrates only Macs.

Product Testing

I tested each product in a separate Windows Server 2008 AD environment located on a VMware ESXi server. The DirectControl and Authentication Services packages were installed directly on the domain controller (DC). Following the recommendations in the accompanying documents, I installed Likewise Enterprise on a separate server. The ADmitMac system does not require installation of server software.

As the client I used a MacBook Pro running Mac OS X Snow Leopard (10.6.7). After installing and configuring each product I tested its capabilities. The tests covered:

  • software installation;
  • joining the Mac client to the domain;
  • removing the Mac client from the domain;
  • domain authentication;
  • user profile migration;
  • using the management console (where one exists);
  • changing settings with Group Policy Objects (GPOs);
  • adding global groups to local groups;
  • installing software on the Mac client;
  • using cached credentials when not connected to the domain;
  • disabling automatic login and setting login messages with GPOs.

DirectControl

Centrify DirectControl
FOR:

AGAINST: The “zone” concept can be confusing and is unlikely to be useful to small companies.
GRADE: 4 out of 5.
PRICE: from $60 per workstation (discounts available for bulk purchases).
RECOMMENDATION: If your UNIX and Linux clients use different methods for authentication and you need to leave UNIX IDs and group IDs intact, the zone technology and attractive price may put this program at the top of your list.
CONTACT INFORMATION: Centrify, 408-542-7500, www.centrify.com

Installing DirectControl is not difficult: double-click the CentrifyDC_Console-4.4.3-win32 file on the domain controller and follow the prompts. No database or other prerequisites are needed, with one exception: the .NET publisher evidence verification option must be disabled. That part is easy, since the installer handles it itself; finding out what the option does was much harder. After much searching on the Internet I finally asked the folks at Centrify for clarification. From what I found, disabling publisher evidence verification simply speeds up the launch of console applications by skipping a lengthy Authenticode verification step that can cause problems on isolated networks, such as research labs without an Internet connection.

After installation, launch the DirectControl console. On first run a wizard guides you through setting up the default zone. Zones group UNIX, Linux and Mac computers into collections and identify the collections you have created; grouping client machines this way makes it easy to apply security or settings policies to them. Zones are stored in AD in the domain.com/Program Data/Centrify/Zones container.

The wizard also helps you install the required licenses, which are stored in the domain.com/Program Data/Centrify/Licenses container. I have never seen any other software I've reviewed keep its licenses in AD; this is a unique solution.

The next step after installing the server side is to install the client on the Mac, using the package for its operating system. For Mac OS X Snow Leopard that is CentrifyDC-4.4.3-mac10.6.dmg. Double-clicking the file opens a menu that includes a Prepare function, which verifies that DirectControl and AD are properly connected and ready for integration. When prompted, enter the domain name; within a few seconds 20 tests run, checking for enough disk space, working DNS, a domain controller in the site, and more. In my case the test that checks that the domain controller's and client's clocks are synchronized failed. Once I fixed that, I was ready to install the client.

The installation itself takes only a few seconds, after which DirectControl displays a message about joining the domain. I liked this, as it removes any doubt about whether the machine still has to be added to the domain. In the settings window you can set the user's home folder (/home/username), UNIX ID and group ID by hand, or let DirectControl's Auto Zone configure them automatically. Fine-tuning the UNIX ID and group ID matters when integrating a UNIX or Linux machine into AD, but since I was integrating a Mac I chose Auto Zone mode. It worked fine.

Having a log right in the settings window is very convenient: I mistyped the domain name and the log entry made the problem easy to resolve. A reboot is recommended after joining the domain.

After rebooting the MacBook Pro I was able to log in as a domain user, without prefixing the username with domain\ or appending @domain. Since it was the first login with this account I was prompted to change the password; after I entered the new one, the login continued.

Credential caching works out of the box. To test it I unplugged the network cable, turned off the AirPort card and logged out. When I logged in again the cached credentials were used, and I was soon back at the desktop.

Back on the domain controller I found a new Centrify Profile tab on the property pages of user and computer objects in the Active Directory Users and Computers snap-in. On a computer's page the tab shows read-only information such as the client software version, the type of zone in use (Auto Zone in my case) and whether the client is using licensed or unlicensed features. On a user's page the tab holds configurable settings. Although not needed when integrating Macs into AD, here you can set the values UNIX and Linux systems use, such as UNIX ID, username, shell (/bin/bash), home folder and primary group.

DirectControl integrates with the Group Policy Management Console (GPMC). As Figure 1 shows, Mac clients are easy to manage: for example, I disabled automatic login. Like a Windows machine, an OS X machine can be configured to log in automatically; unlike Windows, joining the domain does not switch this off. A user who knows the local administrator password can set the machine to boot without a password check. I disabled the option in a few clicks.

DirectControl also provides a handy Mac utility, the DirectControl Widget, which shows the status of AD services, Kerberos, AD accounts and AD group membership. To install it on the Mac, click Go, select iDisk, click Other User's Public Folder, go to the Centrify section and double-click the DirectControl Widget link.

Likewise Enterprise

Likewise Software Likewise Enterprise
FOR:
support for Mac, UNIX and Linux clients.
AGAINST: the concept of "cells" may be confusing and is unlikely to be useful to small companies; the choice between Non-Schema Mode and Schema Mode during installation is hard for an untrained user to understand.
GRADE: 4 out of 5.
PRICE:$69 per workstation (bulk discounts when purchasing 50 or more licenses).
RECOMMENDATION: If your UNIX and Linux clients use different methods for authentication and you need to leave UNIX IDs and group IDs intact, Likewise Enterprise's "cell" mechanisms may come in handy.
CONTACT INFORMATION: Likewise Software, 425-378-7887 or 800-378-1330, www.likewise.com

The installation guide makes it clear that you should not install Likewise Enterprise directly on a domain controller. Instead, install it on a separate server running Windows Server 2008, or on a computer running Windows 7, Windows Vista or Windows XP. Likewise Enterprise extends AD's built-in administrative tools (GPMC and Active Directory Users and Computers), so those tools must already be present on the computer where it is installed. Microsoft Management Console (MMC) 3.0 is also required; because MMC 3.0 is not compatible with Windows 2000, you cannot install Likewise Enterprise on Windows 2000 Server.

Once the Likewise Enterprise installation is complete, a wizard guides you through setup, including selecting a mode and creating a cell in AD. The wizard confused me a bit and I had to re-read the manual to understand what it was trying to do.

Mode selection. Both the forest and the domain were at the Server 2008 functional level, yet the wizard still advised Non-Schema Mode, the mode that supports the Windows 2000 AD directory service. If you are on Windows 2000 AD you will have to install Likewise Enterprise on a computer running Windows XP or later and extend the schema. The wizard's instructions are also incomplete, but I worked them out: to enable Schema Mode, in which Likewise Enterprise uses the RFC 2307 attributes, you must exit the wizard and run the separate Schema Mode wizard found under Console->Enterprise Console->Status. Even with forest and domain at the Server 2008 level, the wizard still checked whether certain attributes (for example uid, uidNumber and gidNumber) were indexed and present in the AD global catalog.

The choice between Schema Mode and Non-Schema Mode depends on the operating system the domain runs on. With Windows Server 2003 R2 or later the RFC 2307 attributes are already part of the schema, so no schema changes are needed and you should enable Schema Mode. If the domain runs on an earlier Windows version there are two options: use Non-Schema Mode, which stores user and group data in the multivalued keywords and description attributes of user and computer objects, or, if you feel confident, let Likewise Enterprise extend the schema for you.

Cell setup. Like zones in DirectControl, cells in Likewise Enterprise let you logically group non-Windows machines and manage their settings (such as UNIX IDs and group IDs). Like zones, cells are tied to organizational units. With this structure you can create a cell for each department or security boundary in the company and assign a user to one or more cells on the Likewise Settings tab in the Active Directory Users and Computers snap-in.

After installing and configuring the server software, you can install the client on each Mac. You can deploy it by hand from the installer disk image, or use the silent installation mechanism, which works over Secure Shell (SSH). Apple calls SSH Remote Login; it is enabled in System Preferences under Sharing. The PDF manual gives an excellent step-by-step walkthrough of installing the client over SSH.

Next, join the computer to the domain with the Likewise - Active Directory tool, which appears in Directory Utility. Like the built-in Active Directory connector in OS X, it lets you choose the container or organizational unit in which the computer object is created.

Likewise Enterprise is tightly integrated with Group Policy. Figure 2 shows how easy it is to grant local administrator rights to a domain user or group.

If your infrastructure already authenticates Macs locally and you want to move everything into AD, Likewise Enterprise can import the passwd and group files of Mac, UNIX and Linux systems with its built-in migration tools; the entries are mapped automatically to users and groups in AD.

If your environment uses local authentication and user profiles were created on OS X, you will probably want to migrate them to the new domain-authenticated accounts. Say an employee has used a MacBook Pro for a year and now must authenticate to the domain. As on Windows, an OS X machine creates a new profile the first time a user logs in. The Migrate User Profile tool moves the old local profile into the new domain profile, so when the employee logs in to the domain with the new account they see the same desktop they are used to.

Authentication Services

Quest Software Authentication Services
FOR:
automatic client installation and domain joining via a graphical interface; support for Mac, UNIX and Linux clients.
AGAINST: price.
GRADE: 4.5 out of 5.
PRICE:$37 per user and $65 per computer.
RECOMMENDATION: If you serve a large community of Mac, UNIX, and Linux systems, then the Authentication Services package is the best choice. You can install the software from your desk without having to deal with complex zone and cell concepts.
CONTACT INFORMATION: Quest Software, 800-306-9329, www.quest.com

Installing Authentication Services requires the Microsoft .NET Framework 3.5 SP1 and Windows PowerShell. The installer installs (and even helps you download) all the necessary components and also checks whether the AD schema supports the product. As with the other programs discussed here, no schema extension is needed with Windows Server 2003 R2 or later.

Unlike DirectControl and Likewise Enterprise, Authentication Services does not use zones or cells, which makes it very easy to configure. The Add and Join Host wizard guides you through the installation, which includes the following.

  • Adding and profiling hosts (clients). The server on which Authentication Services runs must be able to resolve the names of the Mac clients. A client should register itself in DNS dynamically, as a Windows 2000 or later machine does, but I had mixed results; if the OS X hostname cannot be resolved, make sure there is an A record for the client in DNS.
  • Checking that clients are ready to join the domain. The AD Readiness check verifies that the client is ready to join. In my case I received an error saying that the time skew (the difference between the domain controller's clock and the client's) was too large for the client to join. The message was clear and short, unlike the cryptic ones the built-in Active Directory connector produces.
  • Installing the client software. When I tried to install the client, an error said that Authentication Services could not find the client version for Mac OS X 10.6. I checked the suggested path and found that the client package (VAS-4.0.1.52.dmg) was missing. After I downloaded VAS-4.0.1.52.dmg and copied it into the source folder, the installation completed without problems.
  • Joining clients to the AD domain. The root password or an administrator password on the client is required to join it to the domain.

I really liked the Add and Join Host wizard: you can add a client to the domain without leaving your desk, as long as SSH is enabled on the Macs.

Once a client is added and joined to the domain, you no longer need the special tools included with Authentication Services. The product's main benefit is the range of features it adds to the GPMC (Figure 3); adding printers is just one of many things you can manage through Group Policy.

For a user to log in to the domain from a non-Windows machine, the AD user account must have the UNIX-enabled option selected on the Quest tab of the account's property page in the Active Directory Users and Computers snap-in. This creates the required UNIX ID and group ID.

Overall, I find Quest's product easy to install and use. If you're working with a mix of machines running different versions of UNIX, Linux, and Mac clients, put Quest at the top of your list of candidates.
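An added example, not from the review: what the UNIX-enabled checkbox above and Likewise's Schema Mode actually put on the user object is a handful of RFC 2307 attributes, and the script below queries and validates them so that an account which cannot log in from a Mac can be told apart from a client-side problem. The LDIF samples are constructed; the domain controller, base DN and bind account are assumptions.

```shell
#!/bin/bash
# Added example: check that an AD user object carries the RFC 2307 attributes
# a non-Windows client needs to map the account to a UNIX UID and GID. Windows
# Server 2003 R2 and later ship these attributes in the default schema; Quest's
# "UNIX-enabled" checkbox and Likewise's Schema Mode populate them. The DC
# host, base DN and bind account are assumptions for this example.
DC_HOST="dc1.hq.test.us"
BASE_DN="DC=hq,DC=test,DC=us"
BIND_USER="macadmin@hq.test.us"
REQUIRED="uidNumber gidNumber unixHomeDirectory loginShell"

# Fetch one user's RFC 2307 attributes. Simple bind (-x) sends the password in
# the clear, so the query goes over LDAPS; never point this at plain ldap://.
fetch_user() {
  ldapsearch -LLL -H "ldaps://$DC_HOST" -x -D "$BIND_USER" -W -b "$BASE_DN" \
    "(sAMAccountName=$1)" $REQUIRED
}

# LDIF folds long values: a continuation line starts with one space and belongs
# to the line before it. Join them before looking at attributes.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }'
}

# ldif_value <attr>  (LDIF on stdin; prints the attribute's first value)
ldif_value() {
  unfold_ldif | awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# missing_unix_attrs  (LDIF on stdin; prints each required attribute that is
# absent, exit status 1 if any is missing)
missing_unix_attrs() {
  local ldif attr rc=0
  ldif=$(cat)
  for attr in $REQUIRED; do
    if [ -z "$(printf '%s\n' "$ldif" | ldif_value "$attr")" ]; then
      echo "$attr"
      rc=1
    fi
  done
  return "$rc"
}

# UIDs below 500 are system accounts on OS X and local users start at 501, so a
# domain UID in that range collides with local accounts; 1000 is the floor
# chosen here.
uid_sane() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1000 ]
}

# Constructed LDIF for the example: one complete record with a folded value,
# and one record that was never UNIX-enabled.
sample_complete() {
  cat <<'EOF'
dn: CN=John Doe,OU=Users,DC=hq,DC=test,DC=us
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/jd
 oe
loginShell: /bin/bash
EOF
}

sample_incomplete() {
  cat <<'EOF'
dn: CN=Jane Roe,OU=Users,DC=hq,DC=test,DC=us
uidNumber: 10002
unixHomeDirectory: /home/jroe
EOF
}

# check_user <sAMAccountName>: live query, then the two checks above.
check_user() {
  local ldif uid
  ldif=$(fetch_user "$1") || return 1
  printf '%s\n' "$ldif" | missing_unix_attrs || return 1
  uid=$(printf '%s\n' "$ldif" | ldif_value uidNumber)
  uid_sane "$uid" || { echo "uidNumber $uid collides with local accounts" >&2; return 1; }
  echo "$1 is UNIX-enabled (uid $uid)"
}

case "${1:-}" in
  --user) check_user "$2" ;;
esac
```

Run it with --user jdoe against the live directory; missing attributes are printed one per line. The unfold step is not cosmetic: ldapsearch wraps long values onto continuation lines, so a naive grep for unixHomeDirectory: misses long paths and reports a populated account as broken.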

ADmitMac

Thursby Software ADmitMac
FOR:
no need to install server software on data center servers.
AGAINST: Mac clients only.
GRADE: 5 out of 5.
PRICE: $84 per computer for 250 seats, $60 per computer for 500 seats (discounts available).
RECOMMENDATION: If you work only with Mac clients and do not plan to add UNIX or Linux machines to your environment, ADmitMac is definitely your choice. A robust client and no server side make it the best solution I have seen for integrating OS X into AD.
CONTACT INFORMATION: Thursby Software, 817-478-5070, www.thursby.com

The AdmitMac system has a completely different structure than the other three products, so I decided to review it last. What makes this product different is that it is designed only to integrate Mac systems into an AD architecture. Other products focus on UNIX and Linux, with Mac support being secondary. The AdmitMac package is a solution for Mac systems, nothing more and nothing less. This fact does not make it better or worse than the other three. If you are integrating a set of UNIX, Linux and Mac systems into a Windows environment, then it is better to use one of the products discussed above. If you are only integrating Mac clients, you should look at AdmitMac first, as its sole purpose is to make Mac clients work as well as Windows clients.

Unlike the other products, whose installation begins with the server component, AdmitMac is installed on the client first. After you install the AdmitMac program from the installation disk, the Setup Assistant helps you configure the network settings of the AdmitMac directory service. The first screen is somewhat surprising, as it asks for WINS settings. You can either enter the data manually or specify that they are to be obtained from the DHCP server.

The next screen determines Security Policy Settings—which protocol the Mac will use to log into the Windows domain: Kerberos, NTLMv2, NTLM, or LAN Manager (LM). The default settings use NTLMv2 or Kerberos first, then NTLM, and never LM. You can configure the AdmitMac client to use plaintext passwords, but obviously in this case your network must have another means to protect authentication data.

The next step is to add the Mac client to the domain. After you enter your domain name, the system will ask you for your network administrator username and password. You can then specify where exactly in the AD structure the machine account will be created. By default, the Computers container is selected.

Finally, you need to select the type of home folder (network, local or mobile) in which the user’s settings and documents will be stored. You can also specify how many times a user can log in without connecting to the network.

That's all there is to adding and joining a Mac client to a domain. But the AdmitMac directory service has more features. Like the other products, AdmitMac lets you map UNIX IDs and group IDs to AD accounts, but here it is done in the client program. You can also restrict logins by organizational unit: for example, if you enter Sales in the Users OU setting, only user accounts located in the Sales OU can log in to that computer.
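The OU restriction just described depends on where the account sits in the directory, not on its name. The following added example (not AdmitMac's code) shows how such a check should compare distinguished-name components, so that Sales matches only accounts whose DN really ends in the Sales OU and never an account merely named Sales or one in a PreSales OU; the DNs and helper names are constructed for illustration.

```python
"""OU-scoped login check: allow a user only if their account lives in
(or, optionally, in a nested OU under) the configured OU.  Added example;
DN parsing follows RFC 4514 escaping for the common case of escaped commas."""
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split an LDAP DN into RDNs, keeping backslash-escaped commas intact."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value; AD compares DNs case-insensitively."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def user_in_ou(user_dn: str, allowed_ou_dn: str, include_children: bool = True) -> bool:
    """True if user_dn is an object inside allowed_ou_dn.

    Compares whole RDN components rather than substrings, so OU=Sales does not
    match OU=PreSales, and an account with CN=Sales in another OU is rejected.
    With include_children=False only objects directly under the OU qualify.
    """
    user = [normalize_rdn(r) for r in split_dn(user_dn)]
    ou = [normalize_rdn(r) for r in split_dn(allowed_ou_dn)]
    if len(user) <= len(ou):
        return False                      # the OU itself, or something above it
    if user[len(user) - len(ou):] != ou:  # must end with the allowed OU's DN
        return False
    if not include_children:
        return len(user) == len(ou) + 1   # exactly one RDN (the CN) below the OU
    return True


# Constructed sample: which of these accounts may log in to a Sales-only Mac?
SALES_OU = "OU=Sales,DC=corp,DC=example"
SAMPLE_ACCOUNTS = [
    "CN=Ann Lee,OU=Sales,DC=corp,DC=example",       # allowed
    "CN=Bob Kay,OU=PreSales,DC=corp,DC=example",    # denied: different OU
    "CN=Sales,OU=Marketing,DC=corp,DC=example",     # denied: only named Sales
    "CN=Lee\\, Cy,OU=EMEA,OU=Sales,DC=corp,DC=example",  # allowed: nested OU
]
```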

Although the AdmitMac system is controlled from a server, no software needs to be installed there. As Figure 4 shows, management uses Group Policy templates with the .adm extension. Because these files use the older .adm format rather than the newer .admx format, they are handled as classic templates in the Server 2008 GPMC console. This does not change the fact that Group Policy support for Mac clients is provided without installing additional software on the server; only the .adm templates are added.

To add the templates, run the executable file (ThursbyADMInstaller.exe), which copies them from the installation disk to the domain controller. The default destination path is C:\Windows\inf. Once the copying is complete, you can use these administrative templates just like any others: right-click the Administrative Templates node, select Add/Remove Templates from the context menu, click the Add button and locate the AdmitMac.adm template file.

Editor's Choice

DirectControl, Likewise Enterprise, Authentication Services, and ADmitMac can all integrate Mac systems into an AD domain and manage them there. Every product provides easy domain login, but so does OS X's built-in Active Directory connector. What sets these products apart is that they allow you to manage Mac clients in the same way as Windows clients.

DirectControl and Likewise Enterprise solutions operate similarly. Both programs allow you to logically group objects that use a system other than Windows.

The special thing about the Quest package is that it does not require additional costs. In addition, you can use the central console to install client software and add the client to the domain. This is very important if you need to integrate many Macs into AD.

The AdmitMac system comes out the winner, as this review focuses on Mac-to-AD integration. It handles that task slightly better than its competitors: the AdmitMac package requires no special server software, and the client program contains many additional functions.

Eric Rucks - senior Windows network administrator at a large consulting company