Using Active Directory to manage Macs in a Windows environment

He's a Mac, she's a PC, and you're a Windows admin. Learn to integrate Mac OS X clients into your Windows environment without causing AD headaches.

More companies today have begun allowing users to choose their own computers or notebooks for business use. As a result, figuring out how to manage such a heterogeneous mixture of machines is becoming more and more important.

While some folks may choose to plop a Linux machine into your network, the vast majority of employees will choose between a modern version of Windows -- which will play nicely of course with your existing Active Directory infrastructure -- and the increasingly popular Macs. For starters, at the very least you and your users probably want the following:

  • Seamless access to the network where users can use their own login IDs
  • Protection of system access and privileges on the Mac, in a similar way to Windows machines
  • Easy access to file shares and network resources on both platforms
  • Centralized management of both Mac and Windows computers using native, or quasi-native tools

The question is, how do you get there? Let's take a look at some of the options, ranked by price.

The inexpensive option: Apple's Active Directory plug-in

Apple has offered an Active Directory plug-in ever since Mac OS X 10.3. It's built into the operating system, and therefore has already been paid for and requires no other investment but time. It offers full integration (authentication-wise) with Microsoft Active Directory, so that each individual Mac computer on the network has a computer account in AD and is considered a member of the domain. Mac OS X also uses Kerberos, so password policies and other authentication restrictions are fully enforced.

In a best-case scenario, the Active Directory plug-in for Mac OS X will allow the following:

  • A Mac OS X computer can live in a forest with multiple domains.
  • Mac users can be granted administrator access based on their Active Directory group membership.
  • Users must follow AD password policies, and they can be fully controlled.
  • Through Kerberos, Active Directory users only sign on once and can access all authorized resources.
  • Administrators can enable mobile accounts for portable computers.
  • A preferred domain controller can be identified if necessary.
  • According to Apple, users can have network-based home directories, local home directories, or a combination of the two called Portable Home Directories, which are similar to roaming profiles on Windows.

The plug-in is aware of a network's Active Directory site structure. It will first query the global catalog (found using standard DNS lookups) and then select two domain controllers from all site DCs that respond. The plug-in can then failover to other domain controllers if there's a problem communicating with the ones it initially selected.
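Because the bind itself is what enforces most of the items above (admin rights by AD group, the preferred DC, LDAP signing and encryption toward the DCs), it is worth auditing. The script below is an added example, not from the article or from Apple: it reads the text that `dsconfigad -show` prints and flags weak settings. Both samples are constructed and only approximate that command's layout; the group name, domain and DC name are placeholders.

```shell
#!/bin/sh
# Audit the Apple AD plug-in's bind settings from `dsconfigad -show` output.
# WEAK and HARDENED are constructed samples approximating the real layout;
# on a bound Mac use "$(dsconfigad -show)" instead (needs admin rights).
WEAK='You are bound to Active Directory:
  Active Directory Domain          = example.local
  Computer Account                 = mac01$
Advanced Options - User Experience
  Create mobile account at login   = Enabled
Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = Domain Users
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 0'

# The same bind after: dsconfigad -packetsign require -packetencrypt require \
#   -groups "Mac Admins" -passinterval 14 -preferred dc1.example.local
HARDENED='You are bound to Active Directory:
  Active Directory Domain          = example.local
  Computer Account                 = mac01$
Advanced Options - Administrative
  Preferred Domain controller      = dc1.example.local
  Allowed admin groups             = Mac Admins
  Packet signing                   = require
  Packet encryption                = require
  Password change interval         = 14'

# ad_setting LABEL TEXT: print the value after "=" for LABEL (empty if absent)
ad_setting() {
  printf '%s\n' "$2" | sed -n "s/^ *$1 *= *//p" | head -n 1
}

# ad_audit TEXT: print one FAIL line per weak setting; always returns 0
ad_audit() {
  t=$1
  case "$(ad_setting 'Packet signing' "$t")" in
    require) ;; *) echo "FAIL: LDAP packet signing not required" ;;
  esac
  case "$(ad_setting 'Packet encryption' "$t")" in
    require) ;; *) echo "FAIL: LDAP packet encryption not required" ;;
  esac
  case "$(ad_setting 'Allowed admin groups' "$t")" in
    *"Domain Users"*) echo "FAIL: every domain user is a local admin" ;;
  esac
  case "$(ad_setting 'Password change interval' "$t")" in
    0) echo "FAIL: computer account password rotation disabled" ;;
  esac
  return 0
}

ad_audit "$WEAK"
```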

So what can't the plug-in do? Namely, Group Policy. More specifically, the Mac OS X client can't natively consume Group Policy Objects (GPOs), meaning much of the power of AD outside of the directory service is lost on Macs without the use of third-party solutions. You still need a package that can manage your Macs, even if they can authenticate to the Windows directory service.

For more information on the plug-in, check out Apple's whitepaper on integrating Mac OS X with Active Directory.

The more expensive option: Third-party tools

To overcome the no-GPO limitation of Apple's built-in tool, you have to look at a third-party solution, which unfortunately means more budgetary outlay. There are two main options currently on the market: Centrify's DirectControl and ADmitMac from Thursby Software Solutions.

DirectControl does a better job of integrating the Mac experience with Windows than any other solution. It installs as a plug-in on the client and adds a collection of GPOs to the server that can then talk to that Mac client plug-in. It does this by copying a registry file, interpreting and reformatting that file into Apple's MCX architecture and format, and importing that to the workstation.

As a result, native Windows administrators can use the tools and functionality familiar to them to manage both Macs and Windows from a single pane of glass. If your organization uses smart cards for authentication, DirectControl can handle that on the Mac as well.

The other primary tool on the market, ADmitMac, is also quite capable, but in my experience it doesn't have the same polished integration with native Windows tools, and that integration is immensely helpful for admins unfamiliar with Mac OS X.

Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS, Learning Windows Server 2003, Hardening Windows and most recently Windows Vista: Beyond the Manual.

This was first published in June 2009
