Primary Project Goals:
Place All Mac 10.5.6 systems into Active Directory
Create a method to run a login script whether manual or automated
Secondary Project Goals:
Create an automated method to run a login script.
Map windows fileserver shares within a login script.
You will need an enterprise or domain admin account as well as a local mac system admin account to perform this integration.
As you are going through the steps you will often need to unlock (the padlock in the bottom left) many options. Make sure to lock them again as you click apply, ok, exit, etc.
First the steps to add the Mac to active directory (as a local system admin)
1.) Open Directory Utility (Go > Utilities > Directory Utility)
2.) Click the Services tab
3.) Check the Active Directory option
4.) Click the Directory Services tab
5.) Click the (+) icon and add your domain (for me that’s gwnet.local) – you will need an enterprise or domain admin account within active directory to add the mac
Second the steps to make the login prompt more active directory friendly (as a local system admin)
1.) Open System Preferences (Apple Icon > System Preferences)
2.) Open account options (double click on accounts)
3.) Disable auto login
4.) Change “display login window as” to “name and password”
5.) Check “show input menu in login window”
6.) Uncheck “show password hint”
7.) Check “allow network users to login to this computer”
8.) Uncheck “fast user switching”
Third the steps to give active directory admins administrative rights on the local pc (as a local system admin)
1.) Open Directory Utility (Go > Utilities > Directory Utility)
2.) Click the Services tab
3.) Select the active directory option (make sure you do not uncheck it – just select it)
4.) Click the little pencil icon in the bottom left
5.) Click the administrative tab
6.) Check “Allow administration by:” and ensure “YOURDOMAIN\domain admins” is included (for me that’s “GWNET\domain admins”) – feel free to add any other groups that need administrative access (I also added a group named “GWNET\mac admins” where I placed the mac power users). To add additional groups you will need your domain shortname and the name of the active directory group. Click the (+) icon and type in groups as “YOURDOMAIN\your active directory group”.
Fourth is to create a logon script (as active directory user or local user):
I only needed to map windows shares during login but you can include pretty much whatever you need in your login script / application.
1.) Open the apple script editor (in utilities) and create a login script. The script I use is something like this:
——–
-- Short name of the user currently logged on (e.g. "gw")
set strUserName to do shell script "whoami"
set strFileServer to "Fileserver"
-- Mount a common share: smb://Fileserver/sharename1
set strMount to "smb://" & strFileServer & "/" & "sharename1"
mount volume strMount
-- Mount the user's hidden share: smb://Fileserver/gw$
set strMount to "smb://" & strFileServer & "/" & strUserName & "$"
mount volume strMount
——–
This script finds the currently logged-on username, then mounts a typically named share (sharename1 in this example). It then mounts the user's hidden share (in this example “\\Fileserver\gw$”, assuming gw was the logged-on active directory user).
2.) Now save the script as an application. Ensure you do not have “leave open” or “run startup window” enabled. I chose to save the app in the /users directory, but pretty much anywhere accessible to the users is ok.
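A fuller version of the login script, added here as an example and not the post's own script: it mounts a list of common shares plus the user's hidden username$ share, skips volumes that are already mounted, and logs a failed mount instead of aborting the rest of the script. The server and share names are assumed placeholders, and no credentials are embedded, since the active directory login is expected to supply them.

```applescript
-- Added example (not the post's script). Assumed names: "Fileserver", "sharename1", "sharename2".
-- No password is stored here: the AD login session is expected to authenticate the mounts.
set strFileServer to "Fileserver"
set lstShares to {"sharename1", "sharename2"}

-- Short name of the logged-on AD user, e.g. "gw"; its hidden share is "gw$"
set strUserName to do shell script "whoami"
set end of lstShares to strUserName & "$"

-- Volume names already present in /Volumes (Standard Additions)
set lstMounted to list disks

repeat with i from 1 to count of lstShares
	set strShare to item i of lstShares
	-- A mounted share shows up as a volume with the share's name
	if lstMounted does not contain strShare then
		try
			mount volume "smb://" & strFileServer & "/" & strShare
		on error errMsg number errNum
			-- Record the failure in the system log and carry on with the next share
			do shell script "logger -t loginscript " & quoted form of ("mount of " & strShare & " failed: " & errMsg & " (" & errNum & ")")
		end try
	end if
end repeat
```

Save it as an application exactly as in step 2 and add it as a login item; a failed share can be found afterwards in Console under the loginscript tag.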
Fifth is to assign the logon script / app you made to the active directory users that will be logging on to the mac.
1.) Log out of the local system admin account and log in as an active directory admin.
2.) This will create a profile for the given active directory user (a desktop, documents, etc folder in the /users directory).
3.) Open System Preferences (Apple Icon > System Preferences)
4.) Double click accounts.
5.) Click the user you would like to add the login script to – probably the user you are logged in as now.
6.) Click the advanced options.
7.) Click the login items tab.
8.) Click the (+) icon.
9.) Browse to the location where you saved the app / script you created (for me that’s the /users directory) and select it.
10.) Next time the user logs on they will be able to access the new shares by clicking on Go > Computer.
Tags: 10.5.6, Integrating Mac 10.5.6 into Active Directory, Mac Login Script, Mac OS Active Directory, Mac windows file shares
April 8th, 2009 at 1:37 pm
Excellent how to! Works well for me, but when mapping a share from the script it always asks for a password. Since I am logged on to the AD with the right user, it’s not supposed to ask for the password twice?! Another question: is there a way to add a shared printer in the script?
Thanks
April 9th, 2009 at 2:38 pm
Question 1: You should not be asked for a password when using the script to “map” a resource to which the user logged into the mac system has access. So if I log onto the mac with the AD user gwlabperson and that account is allowed to access \\fileserver\gwlabperson$ then the script would not prompt me for additional authentication. It will just mount. I verified this for about 30 AD users all using the script above in 10.5.6 so I’m wondering where the differences in our setup are.
Question 2: I haven’t tried adding printers to the script but I have a project in about 1 month to set up another mac lab with AD sign on. It’s almost certain they will want to include printers and if I get it working in a script I’ll post it here.
April 23rd, 2009 at 11:42 am
This is a great note GW. I followed your instructions and now my mac is in the domain. The only problem is that it does not load my home directory from the network. I am very new at scripting; when I try to use your example it.
Set strUserName to do shell script "cavila"
set strFileServer to "DET-HURLEY-02"
set strMount to "smb://" & /Hurley02Users/CustRelations & "/" & "CAvila"
mount volume strMount
set strMount to "smb://" & strFileServer & "/" & strUserName & "$"
mount volume strMount
I get an error before saving the script as an application, without checking any boxes:
"Expected "given", "in", "of", expression, "with", "without", other parameter name, etc. but found unknown token."
can you help?
April 23rd, 2009 at 12:52 pm
Ok try this:
-- Short name of the logged-on user (do not put the username in the quotes here)
set strUserName to do shell script "whoami"
set strFileServer to "DET-HURLEY-02"
-- Mounts smb://DET-HURLEY-02/CustRelations/<username>
set strMount to "smb://" & strFileServer & "/CustRelations/" & strUserName
mount volume strMount
April 28th, 2009 at 2:08 pm
Hi, I too need to add a mapped shared printer at log on for domain users. Can you help?
April 28th, 2009 at 3:51 pm
Yeah, that seems to be a popular issue – as I pointed out to lags above, I haven’t actually tried mapping a printer yet. However, it’s only about a week or two before I will be starting on the project I mentioned in the reply to lags.
If I get a map printer solution working or if someone stops by the site and leaves their experience with mapping printers at logon I’ll add that info.