[MacTUG] Binding to golden triangle via scripting

Steve Hellyer phasetwo at apple.com
Tue Oct 12 10:40:42 EDT 2010

Hi Don,

Glad this helped. If you want to allow your staff to still have admin privileges after you bind to the AD system, you can tackle this in a few ways.

A) Create a second and separate local admin account whose credentials they enter when prompted by the installer. Don't give out the admin account you use to manage with ARD. This is a security hole, but not much bigger than what is in use now.

(At our DeployStudio TechTalk we talked about and showed how to create a hidden admin account. This is ideal for your account in these situations because it allows you access and they are not aware of it and thus can't delete it.)


B) Create something like an envstudiesadmin group in AD and place staff users in it. Then in the AD plugin say this group has rights to admin this machine.

In both cases this has security implications because any staff member can walk up to a machine and admin it.

I personally dislike too many cooks in the admin kitchen because it can cause confusion. In the end you must weigh the personal needs of staff to install their own software they purchase against the need for security. This is when we usually lean on faculty and/or University policy. For example... if it is faculty policy to only have faculty-purchased software, then that makes it easy to deny user installation. However, you might be missing out when a staff member has found a new piece of software which might be valuable, not only to them but to others as well.
A good constant feedback loop from staff is key to happy users and your own system administrator sanity. :-) Naturally, finding the right balance is something unique to every faculty.

I would be very interested in learning more about what each faculty is doing in this area. Perhaps at a future MacTUG meeting?
Send me a note and I will make every effort to be there.



On 2010-10-12, at 9:39 AM, Donald Duff-McCracken wrote:

> Thanks for both of your responses, Ian and Steve!
> Ian that stuff looks interesting and I have not seen that PDF you sent the link to before. It was an interesting read.
> Steve, I will likely listen to your voice of caution and for the existing Macs I will manually migrate them to AD. (I do USUALLY listen to you, even if it is sometimes eventually, haha.) You raised a good point that most of my users are (currently) Admin-type accounts, and I likely can trust them to stay that way for the time being. Given that I will need to touch these machines to create a new local admin account, and possibly mess around with their existing one, for the relatively small number of users I am going to do this to I will for the time being do it manually.
> Again, thanks for all that info both of you, I learned something and perhaps others did too!
> For the new machines it is easier. I will likely use deploy studio to install packages, etc and while I am doing that I can get it to bind to AD/OD. For the existing Macs, maybe I will roll binding them to AD/OD and letting ARD manage them into my upgrade to Office 2011 when that happens.
> Thanks...
> Don
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug

Steve Hellyer
Pre-Sales Systems Engineer
Education Division (Higher Education)
Apple Canada Inc.
7495 Birchmount Rd.
Markham, Ontario, Canada
L3R 5G2

PH: (905)513-5647
Mailto: phasetwo at apple.com

Training Websites

AppleCare Online Support

AppleCare Technical Phone Support
tel:1-800-263-3394  (basic up and running support for individual consumers)

AppleCare Enterprise Level Support

AppleCare Service Locations (Canada)
Select Service Locations from pull down menu
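Steve's option B (granting an AD group admin rights through the AD plugin) and the "any staff can admin it" risk he flags for both options can be handled and audited from the command line. The script below is an added example written for this thread; it is not Steve's, Apple's or the list's code. It assumes a Mac bound to AD where `dsconfigad` and `dscl` are available, that `dsconfigad -show` reports the plugin's admin groups on a line labelled "Allowed admin groups" (assumed from that tool's output layout), and uses the constructed group name EXAMPLE\envstudiesadmin and constructed expected lists.

```shell
#!/bin/sh
# Added example for this thread, not Steve's, Apple's or the list's code.
# Assumes a Mac bound to AD with dsconfigad and dscl available; the group
# name EXAMPLE\envstudiesadmin, the expected lists and the usage lines are
# constructed, and the "Allowed admin groups" label is assumed from the
# layout of `dsconfigad -show` output.

# Option B: tell the AD plugin which AD group(s) may administer this Mac.
# Runs dsconfigad only when APPLY=1; otherwise prints the command so the
# change can be reviewed before it is made.
grant_admin_group() {
    group="$1"
    if [ "${APPLY:-0}" = 1 ]; then
        dsconfigad -groups "$group"
    else
        printf 'would run: dsconfigad -groups %s\n' "$group"
    fi
}

# Read `dsconfigad -show` output on stdin and print the value after
# "Allowed admin groups" (comma-separated); prints nothing when not set.
allowed_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*= *//p' |
    sed '/^not set$/d'
}

# Read `dscl . -read /Groups/admin GroupMembership` output on stdin and
# print the local admin group's members, one per line (option A audit).
local_admins() {
    sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Compare a comma- or newline-separated list of names on stdin against an
# expected comma-separated list. Returns 0 when nothing unexpected appears,
# 1 otherwise, naming each extra entry on stderr. This is the periodic check
# for the "too many cooks" risk Steve notes for both options.
check_members() {
    expected="$1"
    tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d' | (
        status=0
        while IFS= read -r name; do
            # The quoted "$name" in the pattern is matched literally, so
            # backslashes in DOMAIN\group names are not treated as escapes.
            case ",$expected," in
                *",$name,"*) ;;
                *) printf 'unexpected admin entry: %s\n' "$name" >&2; status=1 ;;
            esac
        done
        exit "$status"
    )
}

# Usage on a bound Mac (constructed names; not run here):
#   dsconfigad -show | allowed_admin_groups | check_members 'EXAMPLE\envstudiesadmin'
#   dscl . -read /Groups/admin GroupMembership | local_admins | check_members 'root,admin,localadmin'
#   APPLY=1 grant_admin_group 'EXAMPLE\envstudiesadmin'
```

The dry-run default on `grant_admin_group` is deliberate: the same script can be pushed through ARD to many Macs, and printing the intended `dsconfigad -groups` change first lets you confirm the group name before the plugin starts honouring it. The two audit functions fit in the same ARD job so that a second local admin account (option A) or an extra AD group (option B) that nobody remembers adding shows up instead of quietly persisting.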
