In a previous post, I discussed using ldapsearch to look up user data from AD. In this post we will use the user’s memberOf attribute to mount the appropriate file share.
Some background on my use case for this. The company I work for has ~15,000 Windows computers in use bound to AD. When a user logs in, a GPO runs a batch file hosted on the domain controller’s file share. The batch file is basically a large case statement:
if in group A; then
mount shares X and Y
if in group B; then
mount share Z
I wanted to provide our Mac users with a similar experience. Read how below the break.
It has been common for Macs to be bound to Active Directory for a variety of reasons. Recently, the trend has been to move away from binding due to password/lockout issues, the rise of cloud-based services, and SSO options that cover more of the services users need.
With the move away from binding, one thing we lose is the ability to look up user and group data with dscl. Here is a decent primer on dscl: http://www.macos.utah.edu/documentation/authentication/dscl.html (just replace every instance of netinfo with dslocal in your mind).
With this move we need another tool to query for information, and ldapsearch can do this for us. There are a lot of ways to use ldapsearch depending on your end goal. This post will discuss getting user data out of an Active Directory server. In a future post I hope to explain how I am using this to mount the appropriate file shares for users based on their group membership.
[Update 7/20/17] As of 10.12.6 RepairHomePermissions still fails with error: Unable to launch the underlying task process. Also my bug report has been marked as a DUPLICATE OF 25393689.
[Update 1/26/17] As of 10.12.3 RepairHomePermissions still fails with error: Unable to launch the underlying task process.
One of the areas that hasn’t gotten much coverage with the update to Sierra is the Recovery HD. This is the minimal OS environment that lets us do things like reinstall the OS, restore a Time Machine backup, and partition volumes before an install.
The other thing that Recovery allows us to do is reset forgotten passwords. Originally, we could do this by booting off the install CD/DVD. Once those went away, Recovery HD gave us a Reset Password option in the Utilities menu. That went away in Yosemite(?), but we could get the same functionality by choosing Utilities -> Terminal and running the resetpassword command.
This reset password utility would also allow us to reset a user’s home folder permissions, including the default ACLs.
Now with macOS Sierra v10.12, this has changed again.