[MacTUG] Binding to golden triangle via scripting

Steve Hellyer phasetwo at apple.com
Mon Oct 11 14:24:11 EDT 2010


Hi Don,

Careful, this is not trivial even if you do this binding manually.  Here is an example of why…

Let's assume John Doe is one of the staff bunch as you described.  Currently he has his own machine on his desk and he is the admin of his own computer: user UID 501 with short name johndoe.

You go and bind the machine to AD and OD manually and, to keep this simple, you have added John Doe to Active Directory as johndoe, but of course his UID will be some large unique AD value, let's say 15150. Also, to make this easier, you have the AD admin set his password to be the same as he has now.

At the login screen you type johndoe with the password.  You get all of John's files, but it's NOT logging into AD, because the Mac always checks authentication locally first.  OK, to get around this you change his AD account short name to johndoeAD.  This way he enters johndoeAD, the local account will not accept his login, and thus he moves on to be authenticated by AD/OD on the network. The only problem is that now he loses access to his original files on the local drive, because he is user johndoeAD 15150 instead of the local user johndoe 501.  Clearly John won't be very happy about not being able to access his original files and other preferences.

So you will need to migrate his data from the old local account.  Not trivial, as you need an admin account and knowledge of his new UID, or perhaps copy his files to an external drive and then copy them back when he logs into his new account. In other words, it's a hands-on process.

Another thing to consider (not sure if this is the situation in your staff bunch): your staff have enjoyed admin privileges, but now that they are users on AD/OD they are not allowed to install software, perform updates, etc…  A true local Administrator (you?) now performs this for the staff.  Certainly more secure and centrally manageable, but you will need to socialize the staff to the new user limitations.

Automated process…

Apple does have scripts that will do this, moving all data in place, but they are sold by the Apple Professional Services group and come with support for tailoring to the unique situations that come up at each account. This service has been quite popular with K-12 boards when Macs are going from an unmanaged to a managed situation.  I have seen it work, but it does need some consultant guidance from the experts who put this together in APS.

"In new installations engage Apple Professional Services.  APS has a package installer (the "Universal Bind Script"), usable with both Apple Remote Desktop and DeployStudio, that they can custom-configure for your customer.

Among other functions, the package creates a computer record in Open Directory and can add it to computer groups if desired.  Further, the script provides keywords such as: Ethernet address, AirPort address, serial number, model identifier, OS version, and OS build.  This could be extended to other keywords as well.  The keywords could then be used to add the computer to additional groups that may or may not have been added at the time of the bind.

This package can be created as part of a Remote Consulting or Onsite engagement."


Wanted to give you a heads up on all this before you get too deep into something which on the surface seems easy but in actual fact is a complex procedure. There are prerequisites for these scripts to work. For example, the local short name must match the AD short name, and there may be others I am unaware of at this time.  Not sure of the cost, but if you're interested I would be happy to find out for you.  Clearly it will take you time to do this manually, but not sure how much, and what the value might be relative to the cost of these professional services.

At least perhaps you have a sense of what is involved.

Hope this helps and Happy Thanksgiving,

Steve

On 2010-10-08, at 4:37 PM, Donald Duff-McCracken wrote:

> I have a bunch of staff machines that are currently not managed that I want to bring into the old golden triangle system. For new machines I think I will likely rebuild them using DeployStudio and get DeployStudio to bind them to AD/OD.
> 
> But that leaves the already existing machines that I would like to turn into managed Macs. OK, it is not that hard to bind Macs to OD/AD — especially when I have a text file named “OU= Stafffaculty, OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA “ on my desktop, haha.
> 
> So while it is not that onerous to manually bind the existing staff/faculty Macs, I have been thinking about writing a script to do so, and then wrapping that script in a compiled AppleScript or making it a package for ARD deployment. Has anyone done this on campus? Quite frankly, I likely will not put a lot of energy into this as it is only something I will use for the existing machines (as all new machines will likely be bound via DeployStudio), but I thought I would check whether anyone has already tried this out.
> 
> Don
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug


-------------------------------------------------------
Steve Hellyer
Pre-Sales Systems Engineer
Education Division (Higher Education)
Apple Canada Inc.
7495 Birchmount Rd.
Markham, Ontario, Canada
L3R 5G2

PH: (905)513-5647
Mailto: phasetwo at apple.com

Training Websites
http://training.apple.com/
http://www.witzapplecertifiedtraining.com/

AppleCare Online Support
http://www.apple.com/ca/support/

AppleCare Technical Phone Support
tel:1-800-263-3394  (basic up and running support for individual consumers)

AppleCare Enterprise Level Support
http://www.apple.com/ca/support/products/macosxserver_sw_supt.html

AppleCare Service Locations (Canada)
http://www.apple.com/ca/buy/locator/


