

We deploy login scripts by using either Group Policy or the user’s domain account properties sheet. The logon script files themselves need to be stored in the NETLOGON share of one of your domain controllers; Active Directory replication ensures that all domain controllers possess a copy of the login script file.

The preceding information is all well and good, but where does that help us with respect to applying logon scripts to Mac OS X clients? In point of fact, Group Policy is utterly irrelevant to the Mac OS X operating system. While Apple has given us rudimentary integration with Active Directory, a Mac system cannot process a DOS shell script or VBScript file; Macs simply do not have the appropriate command interpreters available to them out of the box. Thus, unless we turn to third-party tools, we have to face the unavoidable conclusion that we must maintain separate login scripts for Mac OS X clients.

NOTE: Third-party products exist that do allow for Group Policy processing on Mac OS X systems. Two notable examples are Centrify DirectControl and PowerBroker Identity Services.

This brings up the important question: “Okay, but how do I accomplish this goal?”

The login keychain is an encrypted data store in the user’s home folder that contains sensitive information such as app and internet passwords, as well as user certificate identities. By default, the password to decrypt this data store is the same as the user account password, and it’s automatically unlocked at login. If the network account password is changed while a Mac isn’t actively connected to the directory service, it’s only changed in the locally cached credential store. When the user reconnects to the directory service and logs in, the remote directory service is updated and the Mac is then unable to unlock the login keychain. The user must provide the previous password and the new password to update the login keychain data store. If the user can’t provide the previous password, there’s an option to create a new login keychain. With local-only accounts, a password policy can be applied with a configuration profile.

To change a mobile user account password on a Mac that’s bound to the directory service, open System Preferences, then click Users & Groups while the computer is connected to the directory service. To verify connectivity to the directory service, click Login Options in the sidebar of the Users & Groups preference pane, then check the Network Account Server field. A green indicator means the directory service is available. Select the mobile user account in the sidebar, then click the Change Password button. This process ensures that the user account password is changed in three locations, including the locally cached credential store (/private/var/db/dslocal/). This ensures organizational policy compliance while simplifying synchronization of the login keychain and the user account password.
