11 Replies Latest reply on Sep 15, 2016 1:29 PM by patgmac1

    Network Home Folder in AD Environment

    philcebutv Apprentice

      Wanted to ask if anyone here has done a network home folder for Macs in an AD environment.

       

      On our OD setup this was configured mainly for our labs. I was wondering if this can be done in AD. Our home folders' location is accessible via either SMB or AFP.

       

      Can someone share their experiences, if any? What issues did you encounter as well?

        • 1. Re: Network Home Folder in AD Environment
          philcebutv Apprentice

          Found this, will have to try this tomorrow..

          documents.software.dell.com/authentication-services/4.1/mac-os-x-administrators-guide/configuring-the-authentication-services-client/automatically-mount-network-home-folders/mount-the-windows-home-folder-or-profile-path

          • 2. Re: Network Home Folder in AD Environment
            patgmac1 Expert

            If you mean having a portable home directory (PHDs), don't do it. They haven't worked well for several years.

            If you mean mounting a network home folder at login as specified in the user's AD account record, that works fine.

            • 3. Re: Network Home Folder in AD Environment
              philcebutv Apprentice

              Hi Patrick,

               

              I am talking about both. I think you need both when doing PHDs. I remember in OD there was that option to automount the home folder shares in WGM (I think). However, I am not sure if this is possible in an AD environment.

               

              How are you guys doing it on your labs or kiosks then? Guest accounts?

               

              Phil C.

              • 4. Re: Network Home Folder in AD Environment
                patgmac1 Expert

                No, you can't do PHDs purely with AD, but you can with a Profile. But seriously, do not do PHDs!

                 

                For our labs, we simply bind to AD and set the AD plugin to do mobile accounts with a local home folder. You can optionally set an account expiry (via Profile) so they delete themselves.

                 

                If your users have a network home folder, you can mount that share via a Profile as well so users can save data to it. Preferably mount at the share level so something like "HOME" is on the desktop, then enable 'access based enumeration' on the share so the users only see folders they have access to (less confusing).
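An added example, not code from the thread: the lab setup Pat describes, done with macOS's `dsconfigad` on a Mac that is assumed to be already bound to AD (mobile accounts with a local home folder, no PHD syncing, network home from the AD record as in reply 2), plus a check over constructed `dsconfigad -show` style output. The share mount and account-expiry profiles are assumed to be deployed separately.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes the Mac is already bound to AD.

# Apply the AD plugin settings. Runs only where dsconfigad exists (macOS).
configure_ad_plugin() {
  command -v dsconfigad >/dev/null 2>&1 || { echo "dsconfigad not found; run on a bound Mac" >&2; return 2; }
  dsconfigad -mobile enable          # create a mobile (cached) account at first login
  dsconfigad -mobileconfirm disable  # do not prompt the user about creating it
  dsconfigad -localhome enable       # force the home folder onto the startup disk (no PHD)
  dsconfigad -useuncpath enable      # network home path comes from the AD account record
  dsconfigad -sharepoint enable      # mount that network home as a share at login
  dsconfigad -protocol smb           # mount it over SMB rather than AFP
  # Account expiry (self-deleting mobile accounts) is set in a profile, not here.
}

# Check dsconfigad -show style text for the three settings that matter for this setup.
# Takes the text as $1 so it can be run against captured output; returns 0 if all match.
check_plugin_settings() {
  local out="$1" ok=0
  printf '%s\n' "$out" | grep -Eq 'Create mobile account at login *= *Enabled' || ok=1
  printf '%s\n' "$out" | grep -Eq 'Require confirmation *= *Disabled'          || ok=1
  printf '%s\n' "$out" | grep -Eq 'Force home to startup disk *= *Enabled'     || ok=1
  return "$ok"
}

# Constructed samples shaped like the "User Experience" section of `dsconfigad -show`.
SAMPLE_GOOD='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled'

SAMPLE_BAD='Advanced Options - User Experience
  Create mobile account at login = Disabled
  Require confirmation           = Enabled
  Force home to startup disk     = Enabled'

# Usage: ./adlab.sh apply  (configure and verify)  |  ./adlab.sh  (self-check on samples)
if [ "${1:-}" = "apply" ]; then
  configure_ad_plugin && check_plugin_settings "$(dsconfigad -show)"
else
  check_plugin_settings "$SAMPLE_GOOD" && echo "good sample: pass"
  check_plugin_settings "$SAMPLE_BAD"  || echo "bad sample: flagged"
fi
```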

                • 5. Re: Network Home Folder in AD Environment
                  juchtman Apprentice

                  We do it, but like Pat said, don't do it. We are going to drop it starting next school year. It's a royal pain. We are doing it via profiles. The home folder is mounted in the dock.

                   

                  -Jeff

                  • 6. Re: Network Home Folder in AD Environment
                    philcebutv Apprentice

                    Thank you Patrick and Jeff. We will keep this in mind when we deploy AD to all our Macs.

                    • 7. Re: Network Home Folder in AD Environment
                      patgmac1 Expert

                      As an alternative to binding to AD, you might consider this new project https://gitlab.com/Mactroll/NoMAD, which is an alternative to Apple's Enterprise Connect (which requires a 2 day Professional services engagement and about $5000).

                      • 8. Re: Network Home Folder in AD Environment
                        andreav Rookie

                        We have been using PHD since we adopted Mac OS X in late 2007, and we loved it. Unfortunately, as Patrick said, Apple seems to have left users of this amazing feature out in the cold: the support for PHD is getting worse with each new release.

                         

                        But the feature is so useful (and we are so brave) that we have managed to support it until now: we moved from Open Directory servers to Samba 4 AD domains, into which we injected the Apple LDAP schema additions. Thus we are still able to manage MCX Preferences and Mobile Account settings from Workgroup Manager running on Mac clients joined to AD.

                         

                        We evaluated the Profile Manager alternative, but it's a poor option from our perspective, since these policies are applied "per computer" only, and they are not enforceable at user or group level.

                         

                        With a bit of work, it is still a working scenario (even if I won't suggest it for large environments), but it's really a shame that Apple actually dumped this feature!

                        • 9. Re: Network Home Folder in AD Environment
                          patgmac1 Expert

                          Andrew Valsania wrote:

                           

                          We evaluated the Profile Manager alternative, but it's a poor option from our perspective, since these policies are applied "per computer" only, and they are not enforceable at user or group level.

                           

                          With a bit of work, it is still a working scenario (even if I won't suggest it for large environments), but it's really a shame that Apple actually dumped this feature!

                          Profile Manager is just meant to be proof of concept. Is there a reason you're not using LANrev for profiles? It can apply at the group or user level.

                           

                          BTW, PHDs are gone in Sierra. https://support.apple.com/en-us/HT206871

                          • 10. Re: Network Home Folder in AD Environment
                            andreav Rookie

                            Actually it wouldn't change much in our environments, since we manage several different companies, each of them with its own AD forest, from a central IT group: we do not have their AD groups available in our LANrev setup.

                             

                            But as we know, PHDs are (unfortunately) dead... we'll have to find other solutions in order to maintain a sort of seamless user experience on different computers. Obviously it won't ever be as comprehensive as PHD, but... they'll have to deal with it: that's technological innovation, baby! (bah!)

                             

                            However, Configuration Profiles deployed via LANrev sounds like a good idea. We have not tested it yet; do you confirm that it's a good working feature?

                            • 11. Re: Network Home Folder in AD Environment
                              patgmac1 Expert

                              Andrew Valsania wrote:

                               

                               

                              However, Configuration Profiles deployed via LANrev sounds like a good idea. We have not tested it yet; do you confirm that it's a good working feature?

                              Works as well as any. Ultimately, it's all locally installed profiles, whether it be LANrev, Casper, or Profile Manager. They all can manage the same things and have the same limitations (similar to MCX/OD). The difference is how those profiles are assigned. You assign them the same way you would software in Server Center, except you have the choice of:

                              • Auto-install profiles
                              • Auto-install, Auto-remove profiles
                              • Forbidden Profiles

                              In most cases, I use Auto-install, Auto-remove, because if a machine falls out of scope of that group, the profile will remove itself. You can also do one-off pushes of profiles just like you do with software (except you're limited to pushing 1 at a time, a GUI limitation).

                               

                              In 7.3 (released today), they finally added OS X variables.