AD groups nested within OD groups fail to pick up MCX policies
| Originator: | stuart.ramdeen | ||
| Number: | rdar://15583898 | Date Originated: | 04-Dec-2013 04:26 PM |
| Status: | Open | Resolved: | |
| Product: | OS X Server | Product Version: | 10.9.0 |
| Classification: | Other Bug | Reproducible: | Always |
Summary: In a managed network environment, MCX settings applied to OD groups that have AD groups nested within them fail to take effect on login. Steps to Reproduce: 1) Bind OD Master to AD 2) Create OD workgroup 3) Drag an AD user group in to the OD group 'members' section 4) Apply some MCX to the OD group 5) Log in to a Mav machine that is bound to OD and AD as a user that is in the nested AD group 6) Scratch head and wonder why the settings applied in step 4 do not apply Expected Results: For MCX to apply correctly. Actual Results: No group MCX settings appear to apply. Regression: Works as expected under 10.8.5 client with server.app 2.x Notes: Workaround appears to be: Open AD domain using workgroup manager Find group that you want to manage Export the group via WGM Switch to the OD within WGM Import the previously exported group into OD Change the name and group ID to avoid any possible conflicts There will now be an OD group present containing all of the members that are in the AD group. Any MCX applied to this 'proper' OD group will now apply to clients on login.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!