Active Directory login scripts in Mac OS X – Part 2: Using Open Directory

In the second part of our series of Active Directory login scripts in Mac OS X you will learn how to deploy the contents of Active Directory logon scripts to Mac OS X clients by using Open Directory, the LDAP directory service in Mac OS X Server.

By Timothy Warner - Tue, September 6, 2011 - 2 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN. Check out his new book Windows PowerShell in 24 Hours.

Articles in series

Active Directory login scripts in Mac OS X

In this article we continue our trolley ride through the wild and wooly world of applying Active Directory logon scripts to Mac OS X users and client computers. To get up to speed on our discussion, please read the inaugural installment: Deploying Active Directory Logon Scripts in Mac OS X Part 1: Basic Approaches

In part 1 we confronted the awful truth that, at least without relying upon third-party tools, we must re-create our Active Directory logon scripts (which typically perform actions such as mounting SMB shares and print queues) for our Mac clients.

Today we turn our attention to the Mac OS X Server 10.6 Snow Leopard operating system, and how we can leverage Open Directory, Apple’s implementation of Lightweight Directory Access Protocol (LDAP) directory services, to deploy enterprise login scripts.

NOTE: In this series we use Mac OS X Server Snow Leopard instead of the newly released Mac OS X Server 10.7 Lion because the vast majority of current installations run Snow Leopard (not to mention that initial reviews of Lion Server are so dreadfully poor).

The Setup

As a necessary prerequisite, we need to have a Mac set up with Mac OS X Server Snow Leopard. More to the point, we must configure the Mac server as an Open Directory Master. The specific clickthroughs for deploying Open Directory are outside the scope of this piece. In the meantime, check out these helpful resources:

You will be pleased to know that you can apply the vast majority of your Active Directory skills to the Mac’s Open Directory environment. Essentially, Mac OS X Server Snow Leopard is a pastiche of several tried-and-true open source packages: Open Directory is built on OpenLDAP for the directory itself (with an MIT Kerberos KDC and Apple’s Password Server alongside it for authentication), Apache provides the Web server functionality, and so forth.

You can verify that your Open Directory Master is online and functional by opening Server Admin and selecting Open Directory from your service list.

Figure 1: Verifying Open Directory server status

Preparing Your Login Scripts

As we discussed in the previous article in this series, one option for defining your Mac-based login scripts is to use UNIX shell script files. By convention these files carry the extension .sh, but the extension is not what makes them run: the first line of the file (the shebang, typically #!/bin/bash) tells the system which interpreter to use, so make sure it is present.

For advice on creating shell scripts in the Mac environment, check out these resources:

The catch here is that we need to be sure to mark our shell scripts as executable prior to deployment by Mac OS X Server. To do this, issue the following command from Terminal, substituting the name of your own script:

chmod +x loginscript.sh

You can confirm the result with ls -l loginscript.sh; the mode column should now begin with -rwx. Keep in mind what you are about to deploy: a login script delivered through managed preferences runs as root on every client that receives it, so review its contents with the same care you would give a Group Policy startup script.

Figure 2: Making a shell script executable
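As an added example (not code from the original article), here is the kind of script you would later point Workgroup Manager at: a re-creation of a typical Active Directory logon script that mounts SMB shares based on directory group membership and adds a print queue. It relies on two properties of MCX login scripts: loginwindow runs them as root, and it passes the short name of the user who just logged in as $1. Because the script runs as root, it validates that name before using it anywhere, and it performs the mounts inside the user’s own session (sudo -u plus AppleScript’s mount volume) rather than as root. The server names, group names, share names and the PPD path are placeholders, and the mounts assume the user holds a Kerberos ticket from logging in so that no credential prompt appears.

```shell
#!/bin/bash
# Added example (not from the article): a re-created AD-style logon script for
# Open Directory managed clients. loginwindow runs MCX login scripts as root
# and passes the short name of the user who just logged in as $1.
# Every server, group, share and PPD name below is a placeholder.

FILE_SERVER="files.example.com"          # hypothetical SMB file server
PRINT_SERVER="print.example.com"         # hypothetical SMB print server
PRINTER_PPD="/Library/Printers/PPDs/Contents/Resources/Generic.ppd"  # adjust

# Directory group -> share to mount, one pair per line (assumed names).
SHARE_MAP="
finance Finance
marketing Marketing
staff Public
"

# We run as root, so only accept a plain account short name before it is
# interpolated into commands and paths.
valid_shortname() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Is user $1 a member of directory group $2? Uses Apple's dsmemberutil;
# a test harness can override this function.
in_group() {
    dsmemberutil checkmembership -U "$1" -G "$2" 2>/dev/null | grep -q 'is a member'
}

# Print the shares user $1 should receive, one per line, in SHARE_MAP order.
shares_for_user() {
    printf '%s\n' "$SHARE_MAP" | while read -r group share; do
        [ -n "$group" ] || continue
        if in_group "$1" "$group"; then
            printf '%s\n' "$share"
        fi
    done
}

# Mount smb://FILE_SERVER/share as the user (not as root) so the resulting
# volume belongs to that user. Assumes the login produced a Kerberos ticket.
mount_share() {
    sudo -u "$1" /usr/bin/osascript -e "mount volume \"smb://$FILE_SERVER/$2\""
}

# Create the print queue once; later logins find it already present.
add_printer() {
    lpstat -p "$1" >/dev/null 2>&1 ||
        lpadmin -p "$1" -E -v "smb://$PRINT_SERVER/$1" -P "$PRINTER_PPD"
}

main() {
    user="$1"
    if ! valid_shortname "$user"; then
        logger -t loginscript "refusing to run for user name '$user'"
        return 1
    fi
    shares_for_user "$user" | while read -r share; do
        mount_share "$user" "$share" ||
            logger -t loginscript "mount of $share failed for $user"
    done
    add_printer "Office_Printer"
}

# loginwindow supplies $1; with no argument (for example under a test
# harness) nothing is mounted or created.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The group-to-share table is the part you will actually maintain; everything else is plumbing. Keeping the membership lookup in its own small function also lets you dry-run the mapping on a workstation without touching any mounts.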

Preparing Your Client Computers

In order for your Mac OS X client computers to download and interpret your Mac OS X Server-based login scripts, we need to run the following two commands on each client from Terminal as an administrator (the sudo prefix runs each one as root). Both keys live in root’s loginwindow preferences, so the full path to that preference domain is required:

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE

sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust -string Authenticated

Figure 3: Preparing Mac clients for enterprise login scripts

What we are doing here is setting two keys in root’s com.apple.loginwindow preferences. EnableMCXLoginScripts tells loginwindow to run login and logout scripts delivered through managed preferences at all; MCXScriptTrust sets the level of trust the client requires of the directory that delivers them before it will run one. Apple documents several values for the latter (Anonymous, PartialTrust, FullTrust, Authenticated and DHCP), and the value must correspond to the way the client is bound to the directory; Authenticated, used here, requires an authenticated (trusted) binding to Open Directory. This matters more than it looks: these scripts execute as root on the client, so the trust level is what stops a client from accepting root-level scripts from a directory it cannot vouch for.

Your best bet for enabling these configuration options on your entire fleet of Mac computers is to create a master OS disk image that contains these settings and then use that master image to deploy Mac OS X to your other computers. For machines already in service, the same two commands can be pushed remotely, for example with Apple Remote Desktop’s Send UNIX Command feature run as root.

NOTE: The acronym MCX in Apple nomenclature stands for Managed Client for OS X.
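As an added example (not from the article), the following script applies the two loginwindow keys and then verifies them, so the same file can be pushed to an already-deployed fleet (for instance with Apple Remote Desktop’s Send UNIX Command, run as root) and each machine reports pass or fail. The script name and the --apply/--check flags are my own conventions; the preference path and key names are the ones documented by Apple. The verification is deliberately strict: MCX login scripts run as root, so a client quietly left at a weaker trust level than you intended is exactly the condition worth catching.

```shell
#!/bin/sh
# Added example (not from the article): apply the two loginwindow keys on a
# client and verify them, so the script can be pushed to an existing fleet
# (e.g. via Apple Remote Desktop's Send UNIX Command, run as root) and each
# machine reports pass or fail. The --apply/--check flags are assumptions.

PLIST=/var/root/Library/Preferences/com.apple.loginwindow

# read_default <key>: prints the stored value, or nothing if the key is unset.
# A test harness can override this function to feed in fake values.
read_default() {
    defaults read "$PLIST" "$1" 2>/dev/null || true
}

apply_settings() {
    defaults write "$PLIST" EnableMCXLoginScripts -bool TRUE
    defaults write "$PLIST" MCXScriptTrust -string Authenticated
}

# verify_settings: returns 0 when both keys hold the values this article
# deploys, 1 otherwise, naming each deviation. Strict on purpose: scripts
# delivered through MCX run as root on this machine.
verify_settings() {
    enabled=$(read_default EnableMCXLoginScripts)
    trust=$(read_default MCXScriptTrust)
    status=0
    if [ "$enabled" != "1" ]; then
        echo "EnableMCXLoginScripts is '${enabled:-unset}', expected 1"
        status=1
    fi
    if [ "$trust" != "Authenticated" ]; then
        echo "MCXScriptTrust is '${trust:-unset}', expected Authenticated"
        status=1
    fi
    return $status
}

# Usage: sudo ./mcx-client-prep.sh --apply   (write both keys, then verify)
#        sudo ./mcx-client-prep.sh --check   (verify only)
case "${1:-}" in
    --apply)
        apply_settings
        verify_settings && echo "$(hostname): MCX login scripts enabled"
        ;;
    --check)
        verify_settings && echo "$(hostname): OK"
        ;;
esac
```

Run it with --check before and after imaging a new machine; one line of output per host is easy to collect from Apple Remote Desktop or from an SSH loop across the fleet.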

Deploying the Scripts

In Mac OS X Server we use Workgroup Manager to administer user, group, computer, and computer group accounts. We also use Workgroup Manager to set managed preferences for our user base. You might consider Workgroup Manager to be a combination of Active Directory Users and Computers and the Group Policy Management Console (GPMC).

Fire up Workgroup Manager and authenticate to Open Directory (marked with 1 in Figure 4). Next, click Accounts (2), and then navigate to Computer Groups (3).

Figure 4: Logging into Workgroup Manager

Our goal is to create a new computer group that includes our target Mac OS X client workstations. Click New Computer Group (marked as 1 in Figure 5) and name the group. Next, click the Members tab (2) and populate the group with the selected computers (3).

Figure 5: Creating a computer group

It is worthwhile to note that if you have integrated Open Directory with Active Directory, you can add Mac Active Directory computer accounts and user accounts into your Open Directory computer and user lists.

Unfortunately, Open Directory-Active Directory integration is beyond the scope of this article. However, you can find some really good advice by consulting the following sources:

Now that we have all the essential elements set up, let’s get to the good stuff—actually linking our executable shell script to our newly created computer group. In Workgroup Manager, click Preferences from the toolbar, select your target computer group, and then click Login from the preference list.

Figure 6: Managed preferences in Workgroup Manager

Next, navigate to the Scripts tab and select Always for Manage:. Select Login Script and click the ellipsis button to browse to your executable script file.

If you also want to enable any login hooks that may be defined on the client computers, then check Also execute the client computer’s LoginHook script. Finally, click Apply Now to apply your changes.

Figure 7: Binding a login script to managed clients

Conclusion

Whew! We covered quite a bit of ground in this lesson. While integrating Apple Open Directory with Microsoft Active Directory is all well and good, this might be too much configuration for some Windows systems administrators.

To that end, we shall complete this three-part article series with instructions on how you can deploy enterprise logon scripts to your Mac clients by installing a lightweight third-party tool. In the meantime, please feel free to leave your thoughts in the comments portion of this post. Thanks for reading and take care!

Series navigation: Active Directory login scripts in Mac OS X – Part 1: Basic Approaches | Active Directory login scripts in Mac OS X – Part 3: Third-party alternatives


2 Comments

  1. jesse says:

    The OS X versions are incorrect based on the given names. Snow Leopard is 10.6 and Lion is 10.7.

  2. Tim Warner says:

    Hi Jesse. Thanks for your sharp eyes! We corrected the post. -Tim
