In this article we continue our trolley ride through the wild and wooly world of applying Active Directory logon scripts to Mac OS X users and client computers. To get up to speed on our discussion, please read the inaugural installment: Deploying Active Directory Logon Scripts in Mac OS X Part 1: Basic Approaches
In part 1 we confronted the awful truth that, at least without relying upon third-party tools, we must re-create our Active Directory logon scripts (which typically perform actions such as mounting SMB shares and print queues) for our Mac clients.
Today we turn our attention to the Mac OS X Server 10.6 Snow Leopard operating system, and how we can leverage Open Directory, Apple’s implementation of Lightweight Directory Access Protocol (LDAP) directory services, to deploy enterprise login scripts.
NOTE: In this series we use Mac OS X Server Snow Leopard instead of the newly released Mac OS X Server 10.7 Lion because the vast majority of current installations run Snow Leopard (not to mention that initial reviews of Lion Server are so dreadfully poor).
As a necessary prerequisite, we need to have a Mac set up with Mac OS X Server Snow Leopard. More to the point, we must configure the Mac server as an Open Directory Master. The specific clickthroughs for deploying Open Directory are outside the scope of this piece. In the meantime, check out these helpful resources:
You will be pleased to know that you can apply the vast majority of your Active Directory skills to the Mac’s Open Directory environment. Essentially, Mac OS X Server Snow Leopard is a pastiche of several tried-and-true open source packages: there is OpenLDAP (Open Directory) for directory services, Apache for Web server functionality, and so forth.
You can verify that your Open Directory Master is online and functional by opening Server Admin and selecting Open Directory from your service list.
Verifying Open Directory server status
Preparing Your Login Scripts ^
As we discussed in the previous article in this series, one option for defining your Mac-based login scripts is to use UNIX shell script files. These files have the extension .sh by default.
For advice on creating shell scripts in the Mac environment, check out these resources:
- Bombich.com: Mac OS X Management Custom Shell Script Library
- ScriptGUI: Graphical shell script authoring tool
The catch here is that we need to be sure to mark our shell scripts as executable prior to deployment by Mac OS X Server. To do this, issue the following command from Terminal:
chmod +x filename.sh
Making a shell script executable
Preparing Your Client Computers ^
In order for your Mac OS X client computers to download and interpret your Mac OS X Server-based login scripts, we need to run the following commands on each client from a root Terminal session:
sudo defaults write com.apple.loginwindow EnableMCXLoginScripts -bool TRUE
sudo defaults write com.apple.loginwindow MCXScriptTrust -string Authenticated
Preparing Mac clients for enterprise login scripts
What we are doing here is establishing two system-level defaults. What the MCXLoginScripts and MCXScriptTrust properties do, in essence, is configure the client to trust the Mac OS X Server computer and to enable it to receive login script files from same.
Your best bet for enabling these configuration options on your entire fleet of Mac computers is to create a master OS disk image that contains these settings and then use that master image to deploy Mac OS X to your other computers.
NOTE: The acronym MCX in Apple nomenclature stands for Managed Client for OS X).
Deploying the Scripts ^
In Mac OS X Server we use Workgroup Manager to administer user, user group, computer, and computer accounts. We also use Workgroup Manager to set managed preferences for our user base. You might consider Workgroup Manager to be a combination of Active Directory Users and Computers and the Group Policy Management Console (GPMC).
Fire up Workgroup Manager and authenticate to Open Directory (marked with 1 in Figure 4). Next, click Accounts (2), and then navigate to Computer Groups (3).
Logging into Workgroup Manager
Our goal is to create a new Computer List that includes our target Mac OS X client workstations. Click New Computer Group (marked as 1 in Figure 5) and name the group. Next, click the Members tab (2) and populate the group with selected computers (3).
Creating a computer group
It is worthwhile to note that if you have integrated Open Directory with Active Directory, you can add Mac Active Directory computer accounts and user accounts into your Open Directory computer and user lists.
Unfortunately, Open Directory-Active Directory integration is beyond the scope of this article. However, you can find some really good advice by consulting the following sources:
- Active Directory/Open Directory Integration Overview
- AD/OD Integration [PDF]
- Using Workgroup Manager with Active Directory Part 3 [PDF]
Now that we have all the essential elements set up, let’s get to the good stuff—actually linking our executable shell script to our newly created computer list. In Workgroup Manager, click Preferences from the toolbar, select your target computer list, and then click Login from the preference list.
Managed preferences in Workgroup Manager
Next, navigate to the Scripts tab and select Always for Manage:. Select Login Script and click the ellipsis button to browse to your executable script file.
If you also want to enable any login hooks that may be defined on the client computers, then check Also execute the client computer’s LoginHook script. Finally, click Apply Now to apply your changes.
Binding a login script to managed clients
Whew! We covered quite a bit of ground in this lesson. While integrating Apple Open Directory with Microsoft Active Directory is all well and good, this might be too much configuration for some Windows systems administrators.
To that end, we shall complete this three-part article series with instructions on how you can deploy enterprise logon scripts to your Mac clients by installing a lightweight third-party tool. In the meantime, please feel free to leave your thoughts in the comments portion of this post. Thanks for reading and take care!