"It can only be attributable to human error…."

Archive for June, 2009

Mac OS X and Active Directory

If you’re managing Macs in an environment where Active Directory is used you might be considering how you can integrate the two, or you might be asked what the options are.  I’ve been doing research and testing on this for a few years so I thought I would share what I’ve learned.  I’m breaking this down into four options – but really there are countless combinations that you could deploy.  Please ask questions (or post corrections!)  in the comments.

 

Option Zero: Starting from Scratch

If you’re currently building and deploying images that incorporate all of your settings without using any directory services your computer management looks something like this:

 

[Image: local]

What’s the downside here? When you want to make a change in settings, you have to re-image your Macs. This is probably the most common but least efficient way to support your Mac users. If you decide you want to start using domain accounts on your Macs and you bind one of the Macs above to Active Directory and log in, you’ll get a generic user account and have very little control over how that account is configured. Why would you want control over that account? Not to control the user’s behavior or how they use the technology, but to provide them with the best environment for their work; to give them more access. What kind of access? Network resources like printers, network drives and other services. So how do you control the settings and preferences for the user accounts once your Mac is bound to Active Directory? You use MCX:

 

[Image: mcx]

(The line “the only way to do some things” is borrowed from Greg Neagle’s (Senior Systems Engineer at Disney) presentation on MCX.  He said it so well!)

 

 

Option 1: Dual Directory with local MCX

This brings us to the first option for managing Macs in an Active Directory environment.  In this configuration (Option 1) your Macs are authenticating to Active Directory and when the user logs in, the settings are determined by MCX on the local image.  To configure those settings you use Workgroup Manager which is available in Apple’s free download “Server Admin Tools.”  Once you’ve set up the MCX settings for a group of domain users, you can update these MCX settings by deploying changes with Apple Remote Desktop.

 

[Image: dual-directory-local-mcx]

Option 2: Dual Directory with MCX on OS X Server

Alternatively, you can centralize those MCX settings by moving them off of the local hard drive (out of the local directory) and onto an OS X Server that is bound to Active Directory.  That means when you use Workgroup Manager to make a change on the server it is applied to every client bound to that server.  The clients are bound to both Active Directory and to Open Directory (on the OS X Server).  They authenticate with Active Directory and get their settings from the OS X Server.  That brings us to what is commonly called “The Golden Triangle.”

[Image: dual-directory]

Option 3: Extend the Active Directory Schema

You don’t have to host these MCX settings on an OS X Server; they can be kept inside attributes and objects in Active Directory. But to do that, you have to extend the Active Directory Schema. That brings us to the third option.

[Image: modifying_ss1]

Click for streaming video from Apple on extending the AD Schema to support MCX.

Option 4: Third-party Software

You can purchase third-party software that will do some of this work for you and provide some ability to control Macs from Active Directory. The software available includes Centrify DirectControl, Thursby ADmitMac and Likewise Enterprise – but here’s why I don’t suggest going that route:

  • $80-100 per seat software cost
  • Requires production server downtime
  • Adds an entirely new set of management tools on the network side (for example: DirectControl Management Tools)
  • Installs a client on every Mac
  • Requires installation of add-ons to the client on every Mac whenever we add a feature
  • Makes you dependent on a 3rd party plug-in and that vendor for access to basic network services
  • Has the potential to hold you hostage to vendors’ timelines because:
      • The plug-in might not allow you to upgrade or patch your servers when you are ready
      • The plug-in might not allow you to upgrade your Macs when you are ready


“Word cannot save this document due to a naming or permissions error on the destination volume.”

If you have Mac users with network homes, you might have decided to redirect the user’s cache (~/Library/Caches) to a temporary folder on the local drive (/tmp/%@/Caches for example). I did this at the GC because without the redirection, the user’s cache fills up their network home and suddenly they can’t load web sites or use applications.

But, Microsoft Office applications don’t like this at all.  They want to save your working file to the temporary items (~/Library/Caches/TemporaryItems) folder and then copy that over to the final destination when you save.  But if the temporary items folder is on the local drive and the user is saving to the network home, they might get an error saying something like “Word cannot save this document due to a naming or permissions error on the destination volume.”

How do you get around this? Well, this isn’t the whole solution, but it’s a start. I’m still testing and trying to figure out how to really fix this – but so far what I’ve done is re-redirect the temporary items folder back into the user’s network home. I did it with another MCX entry. We manage our Macs with local MCX settings (no Apple server running directory services here) so that means adding another listing in “com.apple.MCXRedirector.” I chose to redirect it like this:

Action: deleteAndCreateSymLink
Destination Folder Path: ~/Library/TemporaryItems/%@
Folder Path: ~/Library/Caches/TemporaryItems

Which looks like this in Workgroup Manager:

[Image: MCXRedirect]

This seems to solve the problem for MS Office – but not TextEdit. I’m not sure why, but I’m still working on it.
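
A check that the redirect above took effect, as an added example that is not part of the original post: it verifies that the TemporaryItems path is the symlink the MCX entry should create, and that its destination is owned by the user and not writable by anyone else. It assumes `%@` expands to the user's short name and that the link stores an absolute path; the function name `check_redirect` and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Run as the logged-in user.
# check_redirect LINK DEST returns:
#   0  LINK is a symlink to DEST; DEST is a directory owned by the caller
#      and not writable by group or other
#   1  LINK is not a symlink (the redirect was not applied)
#   2  LINK points somewhere other than DEST
#   3  DEST is missing or not a directory
#   4  DEST is not owned by the calling user
#   5  DEST is writable by group or other
check_redirect() {
    link=$1
    dest=$2
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink" >&2; return 1; }
    target=$(readlink "$link")
    [ "$target" = "$dest" ] || { echo "FAIL: $link -> $target, expected $dest" >&2; return 2; }
    [ -d "$dest" ] || { echo "FAIL: $dest is not a directory" >&2; return 3; }
    [ -O "$dest" ] || { echo "FAIL: $dest is not owned by $(id -un)" >&2; return 4; }
    # -maxdepth 0 tests only DEST itself, not its contents
    loose=$(find "$dest" -maxdepth 0 \( -perm -020 -o -perm -002 \))
    [ -z "$loose" ] || { echo "FAIL: $dest is group- or world-writable" >&2; return 5; }
    echo "OK: $link -> $dest"
}

# Constructed demo tree standing in for a user's home. On a managed Mac
# (assuming %@ is the short name) the call would be:
#   check_redirect "$HOME/Library/Caches/TemporaryItems" \
#                  "$HOME/Library/TemporaryItems/$(id -un)"
demo_home=$(mktemp -d "${TMPDIR:-/tmp}/mcxdemo.XXXXXX")
mkdir -p "$demo_home/Library/Caches" "$demo_home/Library/TemporaryItems/demo"
chmod 700 "$demo_home/Library/TemporaryItems/demo"
ln -s "$demo_home/Library/TemporaryItems/demo" "$demo_home/Library/Caches/TemporaryItems"
check_redirect "$demo_home/Library/Caches/TemporaryItems" \
               "$demo_home/Library/TemporaryItems/demo"
rm -rf "$demo_home"
```

The same function can be pointed at the /tmp/%@/Caches redirect, where the ownership and permission checks matter more because /tmp is shared by every account on the machine.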


Guest Blogger: “Setting Up The Moodle”

(This is the first of a series of guest posts by Elizabeth Housley, a doctoral student in the Environmental Psychology program at the Graduate Center.  She is setting up Moodle for her Social Psych course at Hunter this summer and will be blogging about the experience here and on her blog Our Future Environment.)

 

The idea to use a moodle, rather than blackboard or some other alternative, has been an on-again, off-again discussion for me for what amounts to a couple of years.

[Image: this file was named roberto for some reason]

As mentioned a few days ago, I set up a moodle for my social psychology class this summer. The course starts July 13th at Hunter. If you want to look at what’s up so far, you must enrol: ourfutureenvironment.org/moodle

If you have taught social psychology or used the moodle with college students, please give me some advice!

I decided to set my moodle up just a few weeks ago (as opposed to talking about doing it) after discussing with a friend (as most ideas tend to happen) about whether we liked bluehost and what it offered compared to other hosts. I had never explored any of the extra available plugins on the bluehost c-panel, and was surprised to see they endorse/make available a moodle. Setting up a basic moodle within bluehost was a simple point and click operation.

(I briefly considered buying a new domain separate from my blog but thought keeping the two related might help me maintain my blog and moodle if this process is more transparent to students. What have other instructors done in this situation?  Are there very many out there who run an online learning environment separate from the institution?)

I would think an instructor with at least a blog, regardless of technical ability level, would be more likely to take the initiative to use a moodle within a class if he or she knew it was easy to set up and use. I know I’m being too optimistic. But, from my current work experience as a fellow in a technology and literacy program in NYC public schools, the teachers who are in their 20s to mid 30s and have been teaching only a few years are more likely than others to spend time using technology in the classroom. This translates into only the CUNY adjuncts who dislike blackboard or the commodification of education being the only ones most likely to use a moodle….

Blog posts to come:

Help, everyone thinks I’m spam!

Moodle, despite its tendency to one-sided creation, does incite creativity and interaction unheard of in blackboard.

Ok, so it’s set up, now what?


Setting up Moodle

Elizabeth Housley, a doctoral student in the Environmental Psychology program, is setting up Moodle for her Social Psych course at Hunter this summer and will be blogging about the experience here.

Elizabeth has extensive experience working with Blackboard alternatives with Project Stretch, a technology-based literacy program developed by the Stanton/Heiskell Center for Public Policy in Telecommunications and Information Systems. We’re looking forward to reading about her experience using this tool as an alternative to Blackboard in her course.


Mac Media Lab Calendar

The new Mac Media Lab on the concourse level of the Mina Rees library is open during library hours.  Some days, the lab might be reserved for a class or a workshop.  There is a new link above that will take you to the calendar as well as a new sidebar item with buttons. You can always get there by going to:  http://tinyurl.com/gcmaclab

The XML button will give you the RSS feed of the calendar. The ICAL link will allow you to subscribe to this calendar in iCal, Outlook or Google Calendars. The HTML link will give you the calendar on screen.
