Oh the temptation…

Great video from our creative team.  Laughed really hard, especially since so many of my friends’ kids were the “actors”.

See the full message on Temptation at www.watermarkradio.com

Adding Macs to an Active Directory Domain – Part One

We continue to add more and more Mac computers to our network.  Up until now, we have been happy to simply have the Macs be standalone machines, and haven’t wanted to undergo the learning curve to add them.  We are now at a point where managing user accounts and access has become difficult, and we want to move all of our Mac users onto network accounts.  Thus begins our journey into the abyss.

Starting out, the Mac integration seems simple enough.  Using the built-in Directory Utility, you are able to bind the Macs to the domain with very few issues.  Simply entering the fully qualified name of the active directory domain and clicking “Bind” should do the trick and add the machine to AD just like a Windows machine.

directory-utility-3

You are presented with several advanced options during this process.

directory-utility

Our first hurdle was determining what each of these options do.  In a nutshell, here were our findings (and our default settings above.)

  • Force local home directory:  This is something you will want to do, especially if you want applications to be available when users are off the network.  Not checking this box will place a ton of files on your server in the “network user home” directory.  That means that applications get installed here, the library folder is here, music is here, etc.  Not a good thing if you are a laptop user or are ever offline, and it creates more network traffic as well.
  • Use UNC path from AD:  Checking this box will map the AD user home folder upon login and will place it on the dock by default.  This is pretty useful if you have users who use their network folder a bunch.  In our situation, our network home folder in the windows environment was mapped to the user’s My Documents using Group Policy and offline files, so most of our users have a lot of documents there.
  • Default user shell:  Just leave it as it is.  /bin/bash works just fine.
  • Create mobile account at login:  This is the most tricky one. So we’ll talk about it later in detail.

Here is what show up under the mappings tab of Directory Utility.

directory-utility-1

Unless you really have a need to change anything here, it works great when left alone with the defaults.  And then we are left with the administrative tab.

directory-utility-2

The administrative tab is important for administering the machine.

  • Prefer this domain server: This is fine if you really want to set it, but is not really necessary in our case.
  • Allow administration by:  This is useful when the user is connected to the network and will allow the active directory network user account to make changes on the local machine… if they are a member of one of the groups added here.  In our testing, this seemed to only take effect at the GROUP level not at the user level, meaning we were unsuccessful in adding an individual user here for administration.  ALSO NOTE <ALERT> i.e. this is important! This seems to work fine when a user is connected to the network, however, what happens when the user is at home and can’t see the network?  Any guesses?  If you guessed that the user’s admin privileges are not cached and the user WILL NOT have administrative privileges when they are offline, you are correct.  Impact of this is that a network user goes home and while at their house needs to install an update, etc.  Because they can no longer see the network they will not be able to approve the update unless they have a second local user account with admin rights.  Not good, and probably confusing to the user.  This is a pretty major flaw in my opinion.

Mobile Accounts

Let’s talk a little more about creating mobile accounts. Creating the mobile account at login seems like a great thing to do.  In fact, it is the ONLY way that your users will be able to login using their network credentials when they are offline.  (Under Tiger, there was an option to cache credentials, which has now been replaced by Mobile Accounts.)  As we have previously mentioned though, if the user is offline they are no longer an admin, which really limits the ability of the user to administer the machine when off the network.  In addition, the mobile account user will be able to sync their folders between the network and the local machine.  This is great in theory, however not nearly as intuitive as Microsoft’s offline files, which automatically determined the latest version and save the appropriate one.  In the Mac implementation of sync, the user has to choose which version of the file to keep, which is dangerous in my opinion, and an extra burden on the user.  We choose NOT to sync the files for these reasons.

So where did we finally land on integrating our Macs with Active Directory?  Due to the limitations of offline administration and creating mobile accounts we decided to take a look at a few third party products.

Next time:  How we implemented Macs in Active Directory with Admitmac.

Exploring Genesis

As part of our additional resources for Join the Journey, Blake Holmes will be bringing us an overview of each book as we travel there together.  For more information on the Journey, go to www.jointhejourney.com

Come back for more as they are available

Join the Journey Devotionals

Today is the day for my devotional to appear on our Journey site. (www.jointhejourney.com)  Here is the text of a story that frankly I can really relate to… Pride.  You can sign up to receive our daily walk through the Old Testament on the site.

Traveler’s Log

Scott Miller

January 12, 2007

Today’s Passage: Genesis 11

My name is Scott Miller and I am blessed to be married to my best friend in the world, Shannon. We have two little girls, Morgan who is almost 4, and Ashlyn who just turned 2. I’m very much outnumbered in my house, but these girls have taught me more about myself than I ever thought possible. I’m also blessed to serve here at Watermark as the Director of Technology doing work that I really enjoy and for which I have a passion. One thing that most people don’t know about me is that I studied music in college as a percussionist and once had plans to be a professional musician.

Key Verse:

Then they said, "Come, let’s build ourselves a city and a tower with its top in the heavens so that we may make a name for ourselves. Otherwise we will be scattered across the face of the entire earth." (Genesis 11:4)

Central Truth:

A man’s pride will bring him low, but a humble spirit will obtain honor.

THE PRIDE OF LIFE

I was on top of the world. I had my college diploma in my hand. I had graduated at the top of my class. I had a great job lined up for the taking.

I had done it all. Good friends, a great dating relationship – life was good. I had gotten there through hard work and dedication. I was going to take on the world. And no one could tell me I was wrong. Besides, what did they know?

Looking back at that period of my life, I was building my personal tower of Babel one brick at a time. But it wasn’t long before I found myself bewildered with broken friendships, a broken marriage and a job that was disappointing.

Pride comes so naturally for us, and pride is the story of Genesis 11. Instead of filling the earth as God purposed, man decided to band together to make a name for themselves. In response, God put down those who desired to exalt themselves. The scattering to all parts of the earth which resulted, reveals something about God’s nature: God will accomplish His plan, either with our cooperation or without it.

Genesis 11 is also a pivot point in God’s plan for mankind. Out of the dust of Babel the story of redemption begins to unfold. The genealogical record traces the line from Noah’s descendants down to Abraham and it is a beautiful picture. God saved the human race once through Noah and it is through this lineage that God will reveal His chosen people through Abraham. And it is through this lineage, the line of David, that God will reveal His Messiah, Jesus, who will save the human race for eternity.

In the pain of my past, the Lord taught me a lot about pride. Still, I find myself needing constant reminders of humility. Fortunately, we have Jesus who held the power of the universe, yet humbled himself to death on a cross. He did it for me and for you. Nothing humbles me more than this.

Discussion Questions:

1. What are the towers of Babel, the areas of pride, that you have built in your life and need to deal with today?

2. Are there individuals in your life who know when you exaggerate the truth in order to make yourself look better? Are they the kind of people who will call you to humility?

3. Read Proverbs 8:13, 11:2, 16:18 and 29:23 and see what this book of wisdom teaches us about pride.

Join the Journey Promo

Get ready to join us on the Journey 2007…  A guided reading of the Old Testament from Creation to the Cross.  For more information about Join the Journey 2007 and to sign up to receive daily email devotionals, go to www.jointhejourney.com and click the link to sign up for 2007.