A Mac joined to Active Directory will have a computer account and you can restrict access to that Mac as you would any PC. You can also grant members of certain AD groups, such as the various admin groups, local admin privileges. Beyond this, the only management capability relates to whether user credentials and home directory items are cached on Mac notebooks so that users can log in when they leave your network and sync automatically when they return.
Some versions of Apple's Active Directory plug-in have proved problematic in certain Active Directory environments. Because of the scalability and flexibility of Active Directory, troubleshooting these problems can be burdensome. Early versions of Lion displayed issues with Active Directory, though the 10.7.2 update appears to have resolved most of them.
Leveraging Active Directory for Mac client management
Apple has traditionally relied on Managed Preferences for client management. Often abbreviated as MCX, Managed Preferences act like Active Directory Group Policies, providing a powerful, granular system for configuring a complete user environment, including system settings and application preferences. Like Group Policies, Managed Preferences can also be used to restrict access to applications and system components.
Managed Preferences are stored as LDAP objects and attributes in a directory system. Any LDAP schema, including Active Directory, can be extended to support Managed Preferences without having to rely on Apple's OS X Server and Open Directory to provide client management via Managed Preferences.
There are three primary ways to implement Managed Preferences in an Active Directory environment:
- Extend the Active Directory schema: Using Microsoft's Active Directory Schema Analyzer, you can scan Apple's Open Directory schema and create LDIF files that can extend the Active Directory schema with all the object data needed to support Managed Preferences data. You can then use Apple's Workgroup Manager (freely available as part of the OS X Server Admin Tools package) to populate and manipulate that data -- pointing to an Active Directory domain controller instead of an Open Directory server running on OS X Server. Workgroup Manager can also perform a handful of user management tasks for Active Directory, though the preferred (and safer) option is to use it only for client management.
- OS X Server and augmented records: With Leopard and Leopard Server, Apple introduced what are known as augmented records. In this approach, OS X Server is installed and configured to connect to an existing directory, typically Active Directory. Once joined to Active Directory, the Mac server imports user data and groups from the primary directory into a secondary directory that it maintains. Mac clients connected to this secondary directory rely on the primary directory for authentication, single sign-on, and access to network resources, and the Mac server appends attributes to the primary directory's records to provide client management and Mac-specific services. Although effective, this approach is better suited for Mac-based departments that are isolated within a larger organization, as it doesn't scale well and limits administration to OS X Server's simplified admin tool set.
- The magic triangle: This option also requires OS X Server. In this case, however, the server hosts a full secondary directory system that scales through use of Open Directory replication. That server is joined to Active Directory, and clients are joined to both Open Directory and Active Directory. Groups specific to Mac systems and users are created in the secondary directory, then are populated with Active Directory users. Managed Preferences are set using these groups. This solution, which is usually implemented using OS X Server's advanced administration tools, is more scalable than using augmented records. This scalability, however, is limited to Open Directory's replication parameters, which are adequate for most environments, but not on par with that of Active Directory.