A few years ago, before I started at my employer, a project was started for an enterprise-wide Open Directory setup. Each business unit within the university has a decent number of Macs that were mostly unmanaged. The project passed governance and a budget was set aside to fund the implementation. This was back in the Tiger days and, for some reason, everyone involved decided to wait for Leopard to be released. In the meantime, I had a Tiger OD setup so we could manage a handful of classrooms that needed it.
When we were ready to get the project going again, well after Leopard's release, I built an evaluation OD setup and kicked it around a bit. Apple added a great new (at the time) feature that allows computer groups to be members of other computer groups, and also allows computers to be members of multiple computer groups. However, because of this, there is no feasible way to manage delegated administration. Computer group nesting is nothing like Active Directory OUs; there is no hierarchical structure. Tiger Server, by contrast, had the ability to give an admin control over only certain computer lists. The change in Leopard means that if someone needs to manage preferences, add computer accounts, or do anything else having to do with computer groups, that admin has to be given full domain admin rights.
In our non-centralized environment, this wouldn't work. I came to the conclusion that Apple did not design Open Directory for the enterprise. Apple's typical target market is K-12 and departments within an enterprise (higher education or corporate). We all throw out statements like "if Apple wants to compete in the enterprise, they need to do…". Apple is not an enterprise company, and they don't pretend to be. Apple makes assumptions about how their customers will use their products. In the case of OD, they assume the IT departments involved are either small and localized, or centralized and that everyone works well together.
Oftentimes, enterprises that implement Macs try to bend Apple's server offerings to fit their environment, and then complain to Apple when it doesn't bend the way they think it should. This is especially true in higher education, where the customers (faculty and staff) get to choose their platform. Many are going to choose Macs, and it is our job to do what we need to do in order to manage them. In the case of OD, it's just not something that can easily be centralized unless you're willing to give every admin the equivalent of domain admin. Could you imagine doing that with Active Directory?
So everyone involved decided not to use a central offering. We have recently implemented OD in our area, and it's working really well for us for the most part. Delegation is still an issue, as we don't want everyone to be a domain admin, but I've developed some methods for computer accounts to be added without granting admin rights on the domain. Stay tuned, I'll be posting that script soon.
How have you implemented OD in your environment? Have you centralized, or localized?