The excitement of installing a new version of macOS, especially if it’s High Sierra 10.13, is only tempered by the possibility of it not working properly or not being compatible with the apps you use most.
Before you begin the upgrade to macOS, make a bootable backup
If you haven’t started the process of upgrading yet, check if the Mac is compatible with macOS High Sierra and make a bootable backup.
Do it now, before you do anything else. If things go disastrously wrong at least you’ll be able to boot from macOS’ Recovery partition and migrate all your data back to your Mac. You can use any backup tool you like – Apple obviously favours Time Machine, but you don’t have to use it. You can use, for example, Get Backup Pro, which comes with your Setapp subscription.
While most new versions of macOS are relatively problem-free, it’s not unknown for users to have issues – particularly with a beta or .0 release. Thankfully most are easy to resolve. Here’s how to fix the most common High Sierra issues.
If you’re trying to download the macOS High Sierra installer, you’ll need to have signed up to the App Store. If you’ve done that, and managed to start the download only for it to fail, force quit the App Store app.
If the download completes successfully but the installation doesn’t finish, force quit the installer using the same procedure as above.
If that doesn’t work, try deleting the downloaded installer (it’s in your Applications folder) using CleanMyMac and download it again.
If you have a copy of macOS Server in your Applications folder, that may be the root of the problem. Delete it and try again.
Check Console.app: if you’re getting errors from sandboxd and hidd (IOKit), your problem is third-party software, probably an app that isn’t supported by the new APFS file system. It repeatedly tries to update, leaving your Mac laptop stuck in an endless loop. To fix this issue, find and remove the app and everything will be fine.
If your Mac hangs and you can’t do anything at all, wait up to half an hour to see if that helps. If not, force your Mac to restart by holding down the power button, waiting for it to shut down, and then starting it again.
In case you’re getting tired of your new OS kicking you out of your account on random occasions, there’s a chance it’s pretty easy to turn it off. For instance, there is a setting in your Security & Privacy menu that is responsible for that.
You can go even further and turn off the need to enter your password every time you open your Mac or turn it on. In the same Security menu find General settings and uncheck another box, the one saying “Require password after sleep or screen saver begins.” As you can tell, though, that is not the most secure option, especially if it’s your work computer or if other people might get hold of it: without that prompt, anyone who wakes the Mac lands in your logged-in session.
If the problem occurs when you’re using the Chrome browser, disable the hardware acceleration feature: look for the Advanced menu in its settings and turn off hardware acceleration.
It’s not a nice thing to find out after getting a brand new system, but some Macs have been struggling with USB devices after the upgrade. If your Mac is one of them and refuses to see or read USB drives, external drives, and so on, try resetting SMC.
We’ve explained earlier in the article how to do it, but here’s a brief instruction. For all laptop Macs like MacBook, MacBook Pro, and Air, simply turn it off and then on again, while holding Shift + Control + Option and the Power button for 10 seconds.
For iMac, Mac mini, Mac Pro, and Xserve, start by turning off your Mac and then unplug the power cord. Chill for about 15 seconds. Look out of the window or something. Plug the cord back in, wait a couple of seconds and turn your Mac on.
If the problem remains, you can try to reinstall High Sierra or consult with customer support at Apple.
The only known and relatively famous security issue with the latest macOS is the password-stealing code created by security researcher Patrick Wardle. Long story short, he showed that if he wanted to (and you allowed him by installing his malicious code on your Mac), he could extract your passwords from Keychain without having your master password for the system.
If you look into it, it all boils down to “Don’t get into white vans with strangers and don’t install suspicious software from shady developers on your Mac.” Basic safety precautions. Make sure you visit the developer’s website, make sure you install signed apps from trusted sources. That’s about it.
To check your safety settings, go to System Preferences > Security & Privacy > General and see if “App Store and identified developers” is selected.
Meanwhile, Apple is reportedly working hard on patching up the breach.
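The same check can be made from Terminal. The script below is an added example, not part of the original article: `spctl --status` reports whether Gatekeeper assessments are on, and `spctl --assess` gives a verdict per app. The sample output and the list of sources treated as trusted are assumptions of this example.

```shell
#!/bin/sh
# Added example: read Gatekeeper state and per-app verdicts from spctl, the
# command-line side of the "App Store and identified developers" setting.

# Constructed sample of `spctl --assess --verbose <app>` output.
SAMPLE_REJECTED='/Applications/Unsigned.app: rejected
source=no usable signature'

# Return 0 when the text printed by `spctl --status` reports Gatekeeper on.
gatekeeper_enabled() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce the text of `spctl --assess --verbose <app>` to "verdict|source".
assess_summary() {
    printf '%s\n' "$1" | awk '
        / accepted$/ { verdict = "accepted" }
        / rejected$/ { verdict = "rejected" }
        /^source=/   { src = substr($0, 8) }
        END {
            if (verdict == "") verdict = "unknown"
            if (src == "") src = "none"
            print verdict "|" src
        }'
}

# Return 0 only for an accepted app from a source this example trusts.
trusted_source() {
    verdict=${1%%|*}
    src=${1#*|}
    [ "$verdict" = "accepted" ] || return 1
    case "$src" in
        "Mac App Store"|"Developer ID"|"Notarized Developer ID"|"Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "summary<TAB>path" for every app in a folder that is not trusted.
# Needs macOS, where spctl exists.
audit_apps() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS)" >&2; return 2; }
    for app in "$1"/*.app; do
        [ -e "$app" ] || continue
        summary=$(assess_summary "$(spctl --assess --verbose "$app" 2>&1)")
        trusted_source "$summary" || printf '%s\t%s\n' "$summary" "$app"
    done
}

# On a Mac: show the global state and list untrusted apps.
# Elsewhere: show how the constructed sample is summarised.
if command -v spctl >/dev/null 2>&1; then
    if gatekeeper_enabled "$(spctl --status 2>&1)"; then
        echo "Gatekeeper: on"
    else
        echo "Gatekeeper: OFF"
    fi
    audit_apps /Applications
else
    assess_summary "$SAMPLE_REJECTED"
fi
```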
In case you’ve just upgraded to the new macOS and your Mac runs slower than it used to, worry not. It’s common and it’s not exactly an issue. Your Mac is reindexing a bunch of files while running the new system, and that slows down its performance.
For 12-24 hours your Mac could experience this trouble, and it is still within the range of normal behavior. If your Mac is running slow a few days after the upgrade, try some Mac-optimizing utilities to fix it. For instance, there is an app called CleanMyMac that can remove system junk and speed up your Mac. It’s a Mac cleaner with a set of handy utilities, some of which might come in handy.
For instance, one of the reasons for your Mac slowing down could be that some apps hog too much RAM. To see if this is the problem, try opening Activity Monitor and see which apps take too much processing power. If some of them seem to be exceedingly greedy and you’re pretty sure that’s not how it’s supposed to be, you can reset them.
To fix RAM-consuming apps, use the special module in the CleanMyMac app that we mentioned earlier, Uninstaller. Simply open CleanMyMac, go to Uninstaller, find the app in question and click Reset. The app will then lose its preferences and stored info and roll back to default settings. It’s basically like reinstalling it but without the hassle.
If your Mac goes all the way and becomes completely unresponsive or even needs rebooting, follow the instructions in our guide on how to speed up a slow Mac after installing macOS.
With every macOS upgrade there are older versions of apps that are no longer supported by their developers. One casualty of High Sierra is Microsoft Office 2011 for Mac. Microsoft has said that it will not offer support for it running on new macOS and it’s likely you’ll have problems with it. The only solution is to upgrade to Office 2016.
For other apps, upgrade them and check the developer’s website for details of High Sierra support. Even if an app doesn’t work with the new version of the OS, it’s possible its developer is still working on support and it will work by the time macOS ships.
If you want to delete an app – perhaps because you’ve replaced it with a newer version – use CleanMyMac Uninstaller to make sure you delete all the files associated with the app.
A few things can go wrong with your Mac’s display after the upgrade, so let’s see what can be done when they occur. You might experience trouble waking your Mac from sleep, when the display either never comes to life or does so only minutes after you’ve jammed every key on the keyboard.
Then you might also experience flickering of certain images while browsing the web. The last issue is a grey screen or a blue screen that signals something going pretty wrong with the whole Mac-to-display connection.
What you need to do to fix it is reset your NVRAM. It’s a kind of memory that, unlike regular RAM, is non-volatile, which means it keeps info when your Mac is turned off. That’s why simply turning it off and on again won’t help. Anyway, it’s a quick fix.
That should do it.
One of the issues that has been reported with macOS High Sierra is with wifi signals. To analyse your wifi network after installation, use WiFi Explorer or NetSpot, both available in Setapp. Both these tools map the wifi networks within range of your Mac and identify areas where signals are either strong or weak. By using one of these apps, you should be able to tell if your Mac is having wifi problems.
If you can’t identify a problem and can’t connect to a network, try switching wifi off in the Finder menu bar, waiting 30 seconds and switching it back on again.
Not much has been reported about Bluetooth issues on macOS High Sierra at the moment. However, there’s always one infallible piece of advice to give: re-pair your device. Find the Bluetooth icon in the upper right corner and open its preferences. If you can’t see it there, go to System Preferences and find the Bluetooth menu.
Hover on the device in question and click the X-mark next to it. This doesn’t just disconnect the device, it removes it entirely from the list until you pair it back. To restore the device, set it into pairing mode and when it shows up in the list below, click “Pair.”
Ramping up performance and adding new features while avoiding putting more strain on a battery is tough. So don’t be surprised if your Mac’s battery (if it’s a laptop) doesn’t last as long after upgrading. Use iStat Menus, available in Setapp, to monitor battery life – as well as CPU usage, fan speeds, temperatures and a host of other data. That way you’ll be able to tell if your battery really is performing less well after upgrading.
Your Mac uses more power when its processor is under stress – partly because it generates heat which needs fans to cool it. So quit any apps that are hogging processor cycles if you’re not using them. You should also update apps to their most recent versions, and could turn down your screen’s brightness and move somewhere cooler if you’re sitting somewhere that’s particularly hot.
If your Mac’s battery hasn’t been its best self since the upgrade, try checking where the problem is. Open Activity Monitor > Energy and see which apps take up the most. Browsers and rendering software are expected to be energy-heavy, so that’s normal.
But if you’re seeing some minor applications you rarely use taking up a chunk, consider uninstalling them. You can use the specially-made CleanMyMac's Uninstaller for the job, because just dragging an app to the trash doesn’t uninstall it fully.
In case you either see a mail notification for less than a second or don’t see it at all, there might be a problem with settings. Try checking if you have the notifications turned on in System Preferences > Notifications. Does your alert style say “Banner”? If it does but the problem remains, change the alert style from 'Banner' to 'Alert' or 'None'. After that you can switch it to 'Banner' again and from now on it should work fine.
This part is for gamers only. If any of these names ring a bell for you, don’t rush to upgrade: 'Cities: Skylines', 'Civilization V', 'Team Fortress 2,' 'Half-Life 2,' and 'Counter-Strike: Global Offensive.'
Developers of these games and of the Unity engine, joined by threads on Reddit and Steam, have all voiced concerns about the APFS system and its compatibility with the main game engine and graphic controls. So, before you upgrade, hit Reddit or Google and find out if these troubles have been resolved.
If a force restart doesn’t work and you can’t get your Mac to run the new OS at all, the next step is to try repairing the disk on which it’s installed.
If that doesn’t work, you’ll need to reinstall macOS.
When it’s done, choose Reinstall macOS and select your Mac’s main drive as the destination. Wait for High Sierra to install and restart. When you see the Setup Assistant, choose the option to migrate data from another disk and choose the external disk as the source.
Active Directory is Microsoft’s directory services solution that provides LDAP and Kerberos services for identification and authentication. Many organizations with Windows computers use Active Directory because it provides these features:
It is easy to integrate Mac OS X into an Active Directory environment. Although Mac OS X computers can access directory information provided by Active Directory via the LDAPv3 connector, you should use the Active Directory connector, which provides the following capabilities:
In this chapter you will learn how to use System Preferences, Directory Utility, and the command line to bind to Active Directory, and to modify the default settings for the Active Directory connector to enable login and access to a network home folder. You will learn how to overcome problems with your initial bind to Active Directory, and you will learn troubleshooting techniques for login problems with an Active Directory user account.
Mac OS X v10.6 brings numerous improvements to the Active Directory connector, from better caching to improved support for Windows Server 2008 domains.
You can use the Accounts pane of System Preferences, Directory Utility, or dsconfigad to bind a Mac OS X client computer to an Active Directory domain. dsconfigad allows you to configure some features that Directory Utility does not expose, but if you use dsconfigad you need to take some additional steps (such as enabling the Active Directory connector and adding the Active Directory node to your search paths). Before you bind, however, you need to know a few things about your Active Directory service.
When you bind to Active Directory, you need to know the domain name and you must have the credentials of a user who has authorization to join computers to Active Directory.
A domain is the building block of Active Directory; it is a collection of directory objects such as users, groups, and computers. An Active Directory domain requires a domain controller, which can be a computer running any version of Windows Server 2000 through Windows Server 2008. A domain is identified by its DNS namespace; for example, the server windows-server.pretendco.com may be a domain controller for the domain pretendco.com. Active Directory relies on DNS records generated by a DNS service that is tightly integrated with Active Directory, so you should configure Mac OS X to use the DNS service associated with the Active Directory domain before attempting to bind.
A tree is one or more domains in a contiguous name space. A forest is a set of domain trees that have a common schema and global catalog, which is used to describe a best-effort collection of all the resources in a domain. The global catalog is commonly used for email address lookups.
Like standard Windows clients, Mac OS X binds to only one Active Directory domain at a time.
When you bind a Mac OS X client computer to Active Directory, you use or create a computer object for Mac OS X. Just like user objects, computer objects are used for identification, authentication, and authorization. The computer object has rights to do certain things, such as to bind and update its own DNS record.
When you bind a Mac OS X computer to Active Directory, Mac OS X uses the user credentials you supply to set up a computer object and password in Active Directory. This password is a shared secret between your Mac OS X computer and the Active Directory service. Your Mac OS X computer uses this password to authenticate to Active Directory and set up a secure channel to enable your Mac OS X computer to communicate with Active Directory. The password is randomly generated, and it is unrelated to the user account you use to perform the bind. For more information, see the section “Confirming Your Active Directory Connector and the Samba Service Are Using the Same Active Directory Computer Password” in Chapter 8.
If you delete the computer object or reset the computer object password in Active Directory, you need to rebind Mac OS X to Active Directory in order for Mac OS X to access Active Directory.
When you use System Preferences or Directory Utility to bind to Active Directory, you see a suggested computer ID to use for the name of the Active Directory computer object. This computer ID is based on your host name (if you use the Accounts preference) or your Bonjour name (if you use Directory Utility). Regardless of what you enter as a computer ID, Mac OS X will use only the lowercase characters a–z, 0–9, dash (-), and underscore (_), in order for Mac OS X file sharing to be compatible with legacy Windows computers. If your computer name is longer than 15 characters, you may experience errors when binding to Active Directory. Each computer should use the same Mac OS X computer name and Active Directory computer name to help keep track of computer names, unless you have a good reason not to do so.
When binding to Active Directory, you need to supply the credentials of an Active Directory administrator or user who is authorized to create computer objects. By default, you can use a regular Active Directory user to bind to Active Directory ten times, but after that you will encounter an error. “Troubleshooting Binding Issues,” later in this chapter, offers some solutions for this problem.
The simplest way to bind Mac OS X to Active Directory is to use the Accounts pane of System Preferences. The steps are as follows:
This can be any domain in the forest, but remember that the domain name is the DNS namespace of the domain, not the DNS name of the domain controller.
The Network Account Server field now displays a green status indicator along with the name of the Active Directory domain.
If you are bound to multiple directories, the Network Account Server field simply displays the dimmed text Multiple.
Instead of the Accounts preference, you could use Directory Utility to bind to Active Directory, just like you would have with Mac OS X v10.5 and earlier. The process is very similar—you can click the Open Directory Utility button on the Login Options pane of the Accounts preference (shown in the figure below step 4 of the preceding exercise), or open Directory Utility directly from /System/Library/CoreServices/. You must specify the Active Directory domain as you did in the preceding exercise. Directory Utility offers more choices and advanced options, and it will be covered later in this chapter.
Once you bind your Mac OS X computer to Active Directory, you can log in with your Active Directory user account at your Mac OS X login window. By default, when you log in with an Active Directory user account, the following things are true:
Also note that in Mac OS X v10.6, the default preference for the Finder is to not display hard disks or connected servers, so no items will be displayed on the desktop.
By default, when you are bound to another directory node, the Mac OS X login window also displays the option of “Other.” This allows you to specify a user name from a different directory node, as shown in this figure:
When you select Other, the login window reveals a field for Name and Password.
At the Mac OS X login window, you can use many combinations of the user identifiers “Full name,” “User login name,” or “User login name (Pre-Windows 2000)” from Active Directory, along with other elements of the domain name. Consider the figure below, which shows a user created with Active Directory tools.
You can log in with any of the following names in the Name field in the Mac OS X login window:
When you log in with a user account for Active Directory, by default Mac OS X creates a home folder for the user on the startup volume in /Users/usershortname.
If a directory already exists with that name, Mac OS X will not create a new home folder. You may experience unexpected results because the Active Directory user does not have write permissions to the home folder.
See the section “Transitioning from a Local User to an Active Directory User” later in this chapter, if that is appropriate for your situation.
The default settings do not configure Mac OS X to synchronize the local home folder with a network home folder. If you log in as the same Active Directory user on multiple Mac OS X computers that are configured with the default settings for the Active Directory connector, you will have a different home folder on each computer, and the contents will not be synchronized. To prevent this situation, you can do the following:
The Active Directory connector’s default settings might not meet your needs. For instance, you may want to not force local home folders on the startup volume, or you may want to specify Active Directory groups whose members will be considered local administrators when they authenticate locally on your Mac OS X computer. In this section you will learn how to use Directory Utility and the command line to configure some of the advanced options of the Active Directory connector.
Follow these steps to use Directory Utility to access Active Directory Advanced Options:
The default pane for Directory Utility’s Advanced Options is the User Experience pane.
The first option, “Create mobile account at login,” is disabled by default. A mobile account caches user credentials locally so they can be used when the computer is not connected to the directory node. See the “Understanding Mobile Accounts” section for more details about mobile accounts and synchronized home folders.
The “Force local home directory on startup disk” option is enabled by default. If you enable this option, Mac OS X creates a local home folder in /Users/username when an Active Directory user logs in (unless a local home folder already exists at that location).
There are at least two possible ways to specify a network home folder for an Active Directory user account:
You must specify which file-sharing protocol to use: SMB or AFP (Apple Filing Protocol). SMB is the default setting, so it is easy to use Windows file services to host home folders for Active Directory users who log in to a Mac OS X computer.
Mac OS X has had full support for SMB packet signing since Mac OS X v10.5, a security feature (designed to prevent man-in-the-middle attacks) enabled by default on Windows Server 2003 SP1 and later. Many Windows Server administrators require client computers to use this option, which makes it impossible for computers using earlier versions of Mac OS X to access their SMB share points without installing third-party SMB client software.
AFP offers some advantages over SMB as a file service protocol for Mac OS X client computers: It is faster, native to Mac OS X, supports Time Machine and network Spotlight searching, and handles a wider range of filenames in a mixed environment. Unfortunately, Windows servers do not offer AFP by default.
Although Windows Server 2003 and earlier can offer AFP via Services for Macintosh (SFM), the SFM version of AFP is not current. For example, SFM supports only 31 characters in a filename, which causes a problem when Mac OS X uses a long filename, such as ~/Library/Preferences/ByHost/com.apple.iCal.helper.0017f3e00523.plist. SFM is not recommended for Mac OS X network home folders. If you must use your Windows server for network home directories, consider running a third-party AFP file service, such as GroupLogic’s ExtremeZ-IP, on your Windows server.
You can use a Mac OS X Server to host network home folders for Active Directory users, whether they log in to Mac OS X computers or Windows computers. You can use Mac OS X Server’s AFP service for users who log in to Mac OS X computers, and Mac OS X Server’s SMB service for users who log in to Windows computers. Discourage users from simultaneously logging in as the same user on Mac OS X and Windows computers, because editing the same file over two different protocols simultaneously could corrupt the file.
For more information about offering file services from a Mac OS X Server, see Chapter 4, “Using File Services,” in Apple Training Series: Mac OS X Server Essentials v10.6.
If you use Active Directory tools to define a network home folder (dsAttrTypeNative:SMBHome) for the user, Mac OS X mounts the network volume that contains that Active Directory home folder. Unless you specify otherwise, by default the Active Directory connector creates a local home folder on the startup volume, so Mac OS X mounts the Windows home folder but does not use it as the user’s home folder.
The network folder appears in the Dock, but the volume does not appear on the user’s desktop by default. The default preference for the Finder in Mac OS X v10.6 is to not display mounted network volumes on the desktop. To change this in the Finder, choose Finder > Preferences and select the checkbox for “Connected servers.”
When an Active Directory user with a valid Windows home folder (dsAttrTypeStandard:SMBHome) logs in to a Mac OS X computer that does not have the “Force local home directory on startup disk” option enabled in the User Experience pane of the Active Directory connector, that user’s home folder will be on a network server as expected. You may see question marks in the user’s Dock, which represent the user’s Documents and Downloads folders, which are not created automatically on Windows servers. If the network home folder is hosted on a Mac OS X Server file service, and you configured the Active Directory connector to use SMB rather than AFP, you should create the user’s home folder on the Mac OS X server that hosts the home folder before the user logs in for the first time, so that the user has a home folder with the set of standard folders. By default, Mac OS X Server will create a home folder automatically if a user makes an AFP connection, but not an SMB connection.
If you deselect both the “Force local home directory on startup disk” and “Use UNC path from Active Directory to derive network home location” checkboxes, and an Active Directory user with no valid home folder defined attempts to log in, that user will not be able to log in at the Mac OS X login window; the login window will shake after an unsuccessful authentication and return to the login window.
By default, the Active Directory connector generates a unique user ID, or UID—dsAttrTypeStandard:UniqueID—for an Active Directory user record based on that user’s GUID attribute. The calculated UniqueID is unique across the domain, yet consistent across every Mac OS X computer in the domain. Likewise, the Active Directory connector generates a unique integer for each Active Directory group record as well (dsAttrTypeStandard:PrimaryGroupID).
However, if you have extended your Active Directory schema, or if you have appropriate values populated in the RFC2307 attributes (which are already part of the Active Directory schema in domains hosted by Windows Server 2003R2 and later, but are not populated by default), then you can use the Mappings pane to access these attributes.
Be forewarned that if you change the mappings (after using Active Directory with the default mappings), users may lose access to files that they previously owned or could access.
The Mappings pane, shown in the following figure, allows you to change the mappings for the following standard attributes:
If the Active Directory schema is extended with Microsoft’s Services for UNIX (SFU), and the attributes contain valid values, you can:
If the Active Directory schema has RFC2307 attributes that are populated with valid values, you can:
If the Active Directory schema is extended with Apple object classes and attributes, and the attributes are populated, you can:
The “Prefer this domain server” option is one of the most misunderstood features of the Active Directory connector. If you select the “Prefer this domain server” checkbox and specify an Active Directory domain controller, the Active Directory connector will prefer that server if your Mac OS X computer is contained within the same Active Directory site as the specified domain controller.
Use the “Allow administration by” option to enable any user of the Active Directory groups that you specify to be in the group of local administrators for this Mac OS X computer. This is useful if you create an Active Directory group and populate it with users who should have the authority to administer the Mac OS X computers in your organization.
When you add Active Directory to your search path, Mac OS X automatically adds the node Active Directory/All Domains to your search path by default. If you want to restrict the authentication search path to use specific domains in your forest only, follow these steps:
Unless you specify otherwise, the Active Directory connector creates computer objects in the CN=Computers container with the domain that you join. Depending on the configuration of your domain controller, this may not be correct. For example, some administrators have a special container (CN) or organizational unit (OU) for all Mac OS X computers.
Use the following steps to configure the Active Directory connector to add the computer to the container OU=Macs,DC=pretendco,DC=com. Rather than binding from the Accounts pane of System Preferences, you will bind from Directory Utility’s Active Directory services pane, which offers different binding options.
If you are not already bound to Active Directory, Directory Utility displays the dialog shown in the following figure. If you are already bound, you must first unbind in order to change the location of your computer account (in this case, simply click Unbind).
Directory Utility displays the authentication and Computer OU dialog.
The dsconfigad command is particularly useful for scripting the process of binding to Active Directory, and it offers a way to bind with custom settings in one step. This command has drawbacks, however: It does not enable the connector, nor does it add the Active Directory node to the search paths. You must also use the defaults and dscl commands to accomplish those tasks.
To bind a computer to Active Directory with dsconfigad, collect the following information for the following dsconfigad options:
The commands listed in the following exercise enable the Active Directory connector, bind to Active Directory, and add the Active Directory node to the authentication and contacts search paths:
In this example, the user aduser1 is an Active Directory user object. The -p option makes the output human readable:
If you issue the id command after binding and the result is no such user, wait a few seconds and then try again.
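A dry-run version of that sequence, added here as an example and not taken from the book's exercise: it checks the computer ID against the naming rules given earlier in the chapter and prints the commands instead of running them. The flag spellings and the DirectoryService preference path are the Mac OS X v10.6-era ones as assumed by this example, the SRV lookup is this example's own pre-flight step, and `bindadmin` and `macs-lab17` are hypothetical names.

```shell
#!/bin/sh
# Added example: validate a computer ID, then print the command sequence for a
# scripted bind. Nothing is executed here; run the printed plan as root.
# Assumptions: v10.6-era dsconfigad flags; "bindadmin" and "macs-lab17" are
# made-up names; pretendco.com, OU=Macs and aduser1 are the chapter's examples.

LC_ALL=C; export LC_ALL   # byte-wise ranges, so [a-z] never matches uppercase

# Print why a computer ID is unsuitable; return 0 when it is fine.
check_computer_id() {
    id_=$1
    [ -n "$id_" ] || { echo "computer ID is empty"; return 1; }
    case "$id_" in
        *[!a-z0-9_-]*) echo "only a-z, 0-9, '-' and '_' are kept"; return 1 ;;
    esac
    [ "${#id_}" -le 15 ] || { echo "longer than 15 characters"; return 1; }
    return 0
}

# Suggest a compliant ID. Lowercasing and truncating are this example's own
# choices, not a description of what the connector does internally.
suggest_computer_id() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9_-' | cut -c1-15
}

# Print the bind sequence, one command per line, or fail on a bad computer ID.
# $1 computer ID  $2 domain (DNS namespace)  $3 bind user  $4 computer OU
# $5 an Active Directory user to look up afterwards
bind_plan() {
    reason=$(check_computer_id "$1") || { echo "refusing '$1': $reason" >&2; return 1; }
    node='/Active Directory/All Domains'
    # Pre-flight: the DNS service in use must know the domain's controllers.
    printf '%s\n' "host -t SRV _ldap._tcp.$2"
    # Enable the connector; dsconfigad does not do this itself.
    printf '%s\n' "defaults write /Library/Preferences/DirectoryService/DirectoryService \"Active Directory\" Active"
    # No -p argument: dsconfigad prompts for the password, which keeps it out
    # of shell history and the process list.
    printf '%s\n' "dsconfigad -a $1 -domain $2 -u $3 -ou \"$4\""
    # Add the node to the authentication and contacts search paths.
    for sp in /Search /Search/Contacts; do
        printf '%s\n' "dscl $sp -create / SearchPolicy CSPSearchPath"
        printf '%s\n' "dscl $sp -append / CSPSearchPath \"$node\""
    done
    # Confirm lookups work; on "no such user", wait a few seconds and retry.
    printf '%s\n' "id -p $5"
}

bind_plan macs-lab17 pretendco.com bindadmin "OU=Macs,DC=pretendco,DC=com" aduser1
```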
dsconfigad offers much of the same functionality that Directory Utility offers: You can bind, unbind, set configuration options, and show the status of a bind. In addition, dsconfigad offers some functionality that Directory Utility does not offer, such as the following:
A mobile account is a local copy of a network user account, with attributes and credentials synchronized at login if the network node is available. A mobile account allows you to log in even when the network directory node is not available. The mobile account concept is not specific to Active Directory, but the Active Directory connector provides an option to enable Mac OS X to create a mobile account when users log in. This enhances the user experience because it caches other information, such as group membership, about Active Directory. Mobile accounts work well when you synchronize the contents of the local home folder with a network home folder, but this is not automatic.
See the section “Exploring the ‘User Experience’ Advanced Options Pane,” earlier in this chapter, for instructions on configuring the Active Directory connector to configure Mac OS X to create mobile accounts. For more information about home folder synchronization, see the section “Managing Mobile User Accounts,” of Apple Training Series: Mac OS X Server Essentials v10.6, or read Chapter 8, “Managing Portable Computers,” of Mac OS X Server User Management Version 10.6 Snow Leopard.
In any circumstance in which a user account is missing some attributes—for example, because you cannot extend the schema, or you do not have authority to edit the attributes you are interested in—you can always try using the Magic Triangle, in which you use an Open Directory node to supplement data available from the primary node. You learned about this configuration in Chapter 3, in the “Augmenting LDAP Data with Information from an Open Directory Server” section, and it is illustrated in the following figure:
The Magic Triangle configuration lets you apply managed preferences to Open Directory computers and workgroups, and then add Active Directory groups and users to Open Directory workgroups to manage them. See the instructions in Chapter 8, in the section “Preparing Mac OS X Server for the Magic Triangle Configuration.”
Because the Active Directory connector dynamically generates mount records for network home folders, you do not need to provide an additional directory node or mount object to automount an AFP home folder.
Using Active Directory Group Policy Objects is the traditional method for managing Windows users, groups, and computers, but Mac OS X is not compatible with Group Policy Objects. If you want to apply managed preferences to Mac OS X users, you could do any of the following:
If you are connected to multiple directory nodes, and you store managed preferences settings for computers in one node, that is the node that you should configure to be listed before the other nodes in your authentication search path. See Apple knowledge base article TS2528, Mac OS X 10.5: Managed Preferences settings not applied to computer bound to multiple directory services for more information.