Add MAC attribute to computer account

  • Question

  • Want to add the attribute apple-computer to my Macs using PowerShell, if possible.

    Has anyone ever done that?

    Any ideas?

    Dave


    Dave Kozlowski
    • Moved by Richard Mueller MVP Friday, February 3, 2012 6:10 PM: Script is not the solution (From: The Official Scripting Guys Forum!)
    Tuesday, January 31, 2012 11:39 AM

Answers

  • First, the information jv found seems to indicate that there is not a scripting solution. More likely, the schema was extended after the Macs were joined to the domain, which is probably not supported.

    Also, it looks like the schema extension created a new class of object, called apple-computer.

    Finally, when you say that several computer names can be added to the attribute, that doesn't answer my questions. I don't know what object has this attribute. I don't know if it is a single-valued string attribute with NetBIOS names separated by commas, or a multi-valued attribute where each computer name is a separate entry (like an array or collection).

    When you add the computers under edit, what object are you editing? Is it a normal AD computer object, or a new "apple-computer" object?

    I think you need the assistance of someone familiar with adding Macs to AD domains and the schema extensions you have. If no one in the Directory Services forums can help, you need to ask in an Apple forum.


    Richard Mueller - MVP Directory Services
    Friday, February 3, 2012 7:40 PM
  • You can add as many computers to this attribute as computername$, for example davemac$.

    You can add them individually under edit, but I have hundreds of computers. I want to know what the actual attribute is, since there is no tab.

    Dave


    Dave Kozlowski


    This attribute is for use by the Mac utilities and LDAP tools. It is not intended to be edited manually.

    The machines should be listed as the apple-computer class of objects. The way we identify Macs is through the objectClass attribute, as I posted above.

    Please ask your questions in a Mac OpenDirectory forum at Apple. They will walk you through how to fix or use your Apple machines in an AD domain.


    jv
    Friday, February 3, 2012 8:31 PM

All replies

  • AFAIK, Powershell does not work on non-Windows platforms natively.  There appears to be an open source version that is designed to address your question though (PASH) -- see:  http://blogs.msdn.com/b/powershell/archive/2008/04/08/powershell-on-linux-solaris-mac-etc.aspx

    But even if you can't get that to work, all you need is whatever native scripting language is supported on macs (perl? python? dunno...), a couple of LDAP calls to your local active directory, and that's it.

    Tuesday, January 31, 2012 2:30 PM
  • I think the OP means an attribute in Active Directory called "apple-computer".  This would require modifying the AD schema, which I don't know anything about.
    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Network Live Audit - Powershell script
    Tuesday, January 31, 2012 2:32 PM
  • meh... I took it as updating some attribute that already existed (like description)

    Tuesday, January 31, 2012 3:28 PM
  • I think the OP means an attribute in Active Directory called "apple-computer".  This would require modifying the AD schema, which I don't know anything about.
    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Network Live Audit - Powershell script

    You cannot ass a MAC to Active Directory.  You cannot create a computer account in AD that will support a MAC.

    You can create a custom object class and manually manage it but it will not be very useful for anything.

    You say you want to add the attribute to your MACs? Attributes are stored in Active Directory, not on a MAC. Any attribute in AD would not have any effect on a MAC, and anything defined on a MAC would not show up in AD.


    jv
    Tuesday, January 31, 2012 7:12 PM
  • You cannot ass a MAC to Active Directory.

    Sorry jv, but I don't understand the sentence (my English is not good). Can you explain it to me?

    Gastone Canali >http://www.armadillo.it





    Wednesday, February 1, 2012 12:12 AM
  • Notice on the keyboard the letter "d" is next to the letter "s". I'm sure jrv meant "add".

    I know in the past that you could add MAC computers to an AD domain, but I never did, and I know nothing about it. If Macs can be added to a domain, I would assign a value to an existing attribute, like description or comment, rather than adding a new attribute to the schema. Changes to the schema cannot be undone, and usually are not necessary.


    Richard Mueller - MVP Directory Services
    Wednesday, February 1, 2012 1:19 AM
  • You cannot ass a MAC to Active Directory.

    Sorry jv, but I don't understand the sentence (my English is not good). Can you explain it to me?

    Gastone Canali >http://www.armadillo.it


    Gastone - you are correct, you cannot ASS a Mac to AD. Worse than that, you cannot 'add' a Mac to AD.

    I am glad you agree with me.

    I guess my English is not so good too!

    Unfortunately - - - I don't speak Italian very well..... Although I understand some Spanish...

    The language is difficult.. No?

    The computer is very difficult. And - it is difficult to handle the keyboard. I'm sorry.

    Good luck, Italian brother.


    jv
    Wednesday, February 1, 2012 1:49 AM
  • Wrong.  You absolutely can domain join Mac OS systems.   And linux for that matter.  Samba and Kerberos are publicly available and work on those systems and that's all you need.  

    Computers in AD are essentially users and any computer that has the password and presents it in the right way can join the domain. 

    Wednesday, February 1, 2012 1:19 PM
  • Wrong.  You absolutely can domain join Mac OS systems.   And linux for that matter.  Samba and Kerberos are publicly available and work on those systems and that's all you need.  

    Computers in AD are essentially users and any computer that has the password and presents it in the right way can join the domain. 


    Look at the computer account created and it will tell you the OS if you are using Samba.

    The OS type is part of the computer account object. Under Linux it shows the Linux vendor version or custom build name. I am not sure what it will show for a MAC.


    jv
    Wednesday, February 1, 2012 2:15 PM
  • Not sure how to add an attribute via PowerShell...

    But if you want to modify the schema to include an apple-computer attribute, you can probably then modify it with PowerShell.

    SCHEMA MODIFICATIONS ARE NOT RECOMMENDED

    1. Log on to the Schema Master domain controller

    2. Open PowerShell

    3. Register the schema editor: 'regsvr32 schmmgmt.dll'

    4. Run mmc

    5. Add the "Active Directory Schema" snap-in

    6. Right-click Attributes and choose "Create Attribute"

    7. Make the name something like "is_mac" or "apple-computer", probably with type boolean. !!! Not super familiar with this, so do some research before creating this

    8. Expand "Classes"

    9. Right-click "computer" and add the attribute you created

    Now you should be able to modify that attribute's true/false state using "Set-ADObject -Add" or "Set-ADObject -Replace", but I haven't tested this with a custom attribute.

    Hope this helps a bit!

    • Proposed as answer by jcriswell Wednesday, February 1, 2012 7:14 PM
    Wednesday, February 1, 2012 7:14 PM
  • Unfortunately - - - I don't speak Italian very well..... Although I understand some Spanish.

    I don't think so...

    The language is difficult.. No?

    The computer is very difficult. And - it is difficult to handle the keyboard. I'm sorry.

    Good luck, Italian brother.


    Until next time, and good luck to you too. What is your native language?
    Gastone Canali >http://www.armadillo.it
    Wednesday, February 1, 2012 8:06 PM
  • jv: this is how a mac will show in AD:

    We support about 17,000 macs in our win2k8 r2 domain with the so-called 'Apple schema extension'.  Things work fine, just don't do anything too fancy.  Trust me, don't expect the Apple Engineers will come to your rescue if things don't work the way you want.

    If money's not an issue, go for what's called a "magic triangle" design.

    http://support.apple.com/kb/HT4687

    Wednesday, February 1, 2012 8:24 PM
  • jv: this is how a mac will show in AD:

    We support about 17,000 macs in our win2k8 r2 domain with the so-called 'Apple schema extension'.  Things work fine, just don't do anything too fancy.  Trust me, don't expect the Apple Engineers will come to your rescue if things don't work the way you want.

    If money's not an issue, go for what's called a "magic triangle" design.

    http://support.apple.com/kb/HT4687


    Thanks - The OS is fully added to the AD and is identifiable as a separate OS. I suspect there is a system type in there somewhere too.

    There is no need to add to the schema. The Mac schema extensions already do that. I wonder if it is possible to join without installing the schema extensions.

    For other vendor products that support non-Microsoft OSs, we can find a number of slightly different approaches, although all follow the LDAP standards as far as I know.

    All questions like this should be posted in the AD forum. I suspect there would be better and broader support there.

    What about 'Samba'? It has been around since NT 3.5, I believe.


    jv
    Wednesday, February 1, 2012 9:53 PM
  • Unfortunately - - - I don't speak Italian very well..... Although I understand some Spanish.

    I don't think so...

    The language is difficult.. No?

    The computer is very difficult. And - it is difficult to handle the keyboard. I'm sorry.

    Good luck, Italian brother.


    Until next time, and good luck to you too. What is your native language?
    Gastone Canali >http://www.armadillo.it

    Gastone - English. My Spanish is getting lost because I don't travel to South America anymore. The ear loses its sensitivity and the brain stops switching languages automatically after about a year.

    Half of my family is Portuguese. The reat are a bunch of muts like me.


    jv
    Wednesday, February 1, 2012 9:57 PM
  • JV

    The reat are a bunch of muts like me

    The line above is more difficult than "cannot ASS a Mac". I tried Google Translator, but it crashed :)

    Ciao


    Gastone Canali >http://www.armadillo.it
    Friday, February 3, 2012 12:13 AM
  • Gastone - sorry for the typo.

    The rest are a bunch of muts like me.

    One stupid letter and communication becomes impossible. I hope we never meet the Martians.

    The rest are a bunch of mutts like me.

    Did you understand 'mutts'?


    jv
    Friday, February 3, 2012 12:29 AM
  • Here is my question.

    In AD we have an OU called MacWorkstation with a container called Desktop.

    On the properties of Desktop, under edit attributes, there is an attribute called Apple-Computers.

    Here you can add Apple computers manually, one at a time.

    I want to be able to somehow add a bulk of computers. We have hundreds of Macs and it would be easier to batch this somehow.

    Since it is not a normal Microsoft attribute, I'm not sure how to do this.

    Dave


    Dave Kozlowski
    Friday, February 3, 2012 11:08 AM
  • Here is my question.

    In AD we have an OU called MacWorkstation with a container called Desktop.

    On the properties of Desktop, under edit attributes, there is an attribute called Apple-Computers.

    Here you can add Apple computers manually, one at a time.

    I want to be able to somehow add a bulk of computers. We have hundreds of Macs and it would be easier to batch this somehow.

    Since it is not a normal Microsoft attribute, I'm not sure how to do this.

    Dave


    Dave Kozlowski


    Are you saying that you want to find all Mac computer objects and move them to a specific OU named Desktop?

    Is this the approximate name of the 'container'?
               CN=DeskTop,OU=MacWorkStation,DC=domain,DC=com

    Import-Module ActiveDirectory
    # Target container (adjust to your domain)
    $targetCN = 'CN=DeskTop,OU=MacWorkStation,DC=domain,DC=com'
    # Find every computer account whose operatingSystem mentions "mac" and move it there
    Get-ADComputer `
        -LDAPFilter '(operatingSystem=*mac*)' `
        -Properties operatingSystem |
        Move-ADObject -TargetPath $targetCN

    This command should move all computers that have the MAC operating system installed to the target container.


    jv


    • Edited by jrv Friday, February 3, 2012 4:29 PM
    Friday, February 3, 2012 4:24 PM
  • We need to clarify. You have an OU called "OU=MacWorkstation". In this OU you have a container (not an OU) called  "CN=Desktop". This container has an attribute called "Apple-Computers" that you want to modify. The attribute is multi-valued, so you can add as many computer names as desired. Is this a DN attribute, where the values must be valid distinguished names? Or should the values be the NetBIOS names of the computers? Also, is it really a multi-valued attribute, or is it similar to the userWorkstations attribute (which shows up on the "Account" tab of user properties in ADUC). The userWorkstations attribute is actually single valued. The value is a comma delimited list of computer names (the NetBIOS names of the computers).

    I'm sure you can script to populate the "Apple-Computers" attribute, but we need to understand it first.

     


    Richard Mueller - MVP Directory Services
    Friday, February 3, 2012 4:48 PM
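    The schema itself can answer the single-valued versus multi-valued question asked above, and the answer decides whether the "Set-ADObject -Add" or "-Replace" suggested earlier in the thread applies. The following is an added example, not code from any post in this thread; it assumes the RSAT ActiveDirectory module, the container path as reconstructed by jv, and that the attribute's LDAP display name is 'apple-computers' (an assumption to verify in ADSI Edit).

```powershell
# Added example, not from this thread. Assumptions: RSAT ActiveDirectory module,
# the container DN below, and the attribute's LDAP display name 'apple-computers'.
Import-Module ActiveDirectory

$containerDN   = 'CN=Desktop,OU=MacWorkstation,DC=domain,DC=com'   # assumed path
$attributeName = 'apple-computers'                                  # assumed name

# Step 1: read the attribute's definition from the schema partition so we know
# whether it is single- or multi-valued and what syntax its values must have.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDef  = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties lDAPDisplayName, isSingleValued, attributeSyntax

if (-not $attrDef) { throw "Attribute '$attributeName' is not defined in the schema." }

# attributeSyntax OIDs: 2.5.5.1 = DN, 2.5.5.12 = Unicode string,
# 2.5.5.4 = case-insensitive string, 2.5.5.8 = Boolean.
$syntaxMap = @{ '2.5.5.1' = 'DN'; '2.5.5.12' = 'UnicodeString'
                '2.5.5.4' = 'CaseIgnoreString'; '2.5.5.8' = 'Boolean' }
$syntax = $syntaxMap[$attrDef.attributeSyntax]
if (-not $syntax) { $syntax = $attrDef.attributeSyntax }
Write-Host ("{0}: isSingleValued={1}, syntax={2}" -f `
    $attrDef.lDAPDisplayName, $attrDef.isSingleValued, $syntax)

# A Boolean flag (as one post guessed) cannot hold computer names at all.
if ($syntax -eq 'Boolean') { throw "'$attributeName' is a Boolean; it holds no computer names." }

# Step 2: gather the Mac accounts. Get-ADObject is used instead of Get-ADComputer so
# that objects of the apple-computer class (which is not a subclass of computer)
# are not filtered out; the operatingSystem clause covers ordinary computer objects.
$macs = Get-ADObject -LDAPFilter `
    '(|(objectClass=apple-computer)(&(objectClass=computer)(operatingSystem=*mac*)))' `
    -Properties sAMAccountName

# Step 3: shape the values to the syntax: distinguished names for a DN attribute,
# otherwise the account name with its trailing $ (e.g. DAVEMAC$).
$values = switch ($syntax) {
    'DN'    { $macs | ForEach-Object { $_.DistinguishedName } }
    default { $macs | ForEach-Object { $_.sAMAccountName } | Where-Object { $_ } }
}

# Step 4: a multi-valued attribute takes one entry per value (-Add); a single-valued
# string attribute (like userWorkstations) takes one comma-delimited value (-Replace).
# -WhatIf shows the intended change without writing; drop it once the output looks right.
if ($attrDef.isSingleValued) {
    Set-ADObject -Identity $containerDN -Replace @{ $attributeName = ($values -join ',') } -WhatIf
} else {
    Set-ADObject -Identity $containerDN -Add @{ $attributeName = @($values) } -WhatIf
}

# Verify what is actually stored on the container after the real run.
(Get-ADObject -Identity $containerDN -Properties $attributeName).$attributeName
```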
  • We need to clarify. You have an OU called "OU=MacWorkstation". In this OU you have a container (not an OU) called  "CN=Desktop". This container has an attribute called "Apple-Computers" that you want to modify. The attribute is multi-valued, so you can add as many computer names as desired. Is this a DN attribute, where the values must be valid distinguished names? Or should the values be the NetBIOS names of the computers? Also, is it really a multi-valued attribute, or is it similar to the userWorkstations attribute (which shows up on the "Account" tab of user properties in ADUC). The userWorkstations attribute is actually single valued. The value is a comma delimited list of computer names (the NetBIOS names of the computers).

    I'm sure you can script to populate the "Apple-Computers" attribute, but we need to understand it first.

     


    Richard Mueller - MVP Directory Services

    Rich - this is where I got confused. The OP says he wants to MOVE the computers to this container by editing the property?

    The property is a boolean, I believe. It notes that the container has Apple computers and is used for LDAP management from the Mac LDAP tools. I believe it is used for searching for the computers container or containers that would contain Macs.

    Of course, we do not know if the OP has installed the schema extensions, and we do not know what the exact question is.


    jv
    Friday, February 3, 2012 5:04 PM
  • So far I have found nothing documenting an "apple-computer" attribute, or the schema extensions for Macs (except that there is such a thing).


    Richard Mueller - MVP Directory Services
    Friday, February 3, 2012 5:12 PM
  • Here are the 'Apple' schema extensions if Apple LDAP is being used:
    http://support.apple.com/kb/HT4687

    These extensions and modifications must be in place BEFORE joining Macs to the domain. If this is done, the Macs should end up in the correct default computers OU.

    The computer accounts will all then also have the extended attributes that tag it as a Mac or OS X machine.

    I will try and contact someone who has this set up correctly to see if there are any other gotchas.

    My point is that there is no need to modify the schema to determine which computers are MAC OS machines.

    If the schema extensions were not installed and the computer accounts manually created then the whole implementation will ultimately fail.  If this is the case then be sure the schema extensions are installed and correctly modified in  AD then rejoin the machines but be sure to delete the computer accounts before rejoining.  When joined the computer account objects should have all of the schema extensions properly populated.

    This is the same set of issues that occur when joining Unix boxes using any third party tool.  It is also pretty much true for an implementation of X.500 Directory services such as IBM and Novell. 


    jv
    • Edited by jrv Friday, February 3, 2012 5:15 PM
    Friday, February 3, 2012 5:14 PM
  • To add to the confusion are the Apple docs. They always seem to address the computer from the Mac computer's perspective and tools.

    http://www.seminars.apple.com/contactme/pdf/L334436B_ActiveDirect_WP.pdf

    There is little about what happens on the AD side, but following the instructions will get you an Apple computer account set up correctly in AD.

    Note also that the Mac extensions give you macAddress, which will not be populated on non-Mac machines.

    The latest schema documents apple-computer as a schema attribute that identifies an Apple computer. It is the objectClass:

    Example: &(objectClass=apple-computer)

    apple-computer
       subclassOf: top
          rdnAttId: cn
          mayContain: apple-category
          mayContain: apple-computer-list-groups
          mayContain: apple-hwuuid
          mayContain: apple-keyword
          mayContain: apple-mcxflags
          mayContain: apple-mcxsettings
          mayContain: apple-networkview
          mayContain: apple-service-url
          mayContain: apple-xmlplist
          mayContain: macAddress

    See: http://www.sticts.ch/MacWindows/Modifying_the_Active_Directory_Schema.pdf

    That is a starter but you should find the PDF on the Apple support site as the one posted here is over 2 years old.

    Again - the schema is extended to support all normal and reasonable requirements of LDAP. 


    jv
    Friday, February 3, 2012 5:46 PM
  • Not wanting to spoil the party, but this isn't a scripting question anymore.  It hasn't been for some time.  I'm sure you'd agree this would be better discussed in Directory Services forum.
    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Network Live Audit - Powershell script
    Friday, February 3, 2012 5:51 PM
  • Not wanting to spoil the party, but this isn't a scripting question anymore.  It hasn't been for some time.  I'm sure you'd agree this would be better discussed in Directory Services forum.
    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Network Live Audit - Powershell script


    I agree, but I believe this is really an Apple Mac forum issue. These are Apple extensions. The AD group may not be up to speed, although it wouldn't hurt to post over there.

    In the beginning it was never a scripting question. I also stated that it should not be done, as the Apple schema extensions were what was at issue.

    From the question, the OP is not a Windows tech, so it is best to ask in the Apple support forum because they speak fluent Mac. The OP is asking to add to a container, thinking that the container is what defines the computer account. The Mac instructions make it seem that way because they reference the computer account as if it is on the local Mac instead of in AD. This is 'Open Directory' speak, which is not even a dialect of Windows Active Directory.

    It has been a couple of years since I worked with Macs. I had a sharp admin on one project who knew AD and Apple and could query up anything from the Mac or from Windows with the command line tools (ADtools). I never learned the details because there was no need to. I just know we didn't do anything special to install 15 Macs, and the admin prepped AD with the schema extensions before we began.

    Someone could/should, as you suggested, move this to the AD forum.


    jv
    Friday, February 3, 2012 6:07 PM
  • You can add as many computers to this attribute as computername$, for example davemac$.

    You can add them individually under edit, but I have hundreds of computers. I want to know what the actual attribute is, since there is no tab.

    Dave


    Dave Kozlowski
    Friday, February 3, 2012 6:27 PM
  • No!

    I don't know the meaning of "mutts"

    Ciao


    Gastone Canali >http://www.armadillo.it
    Friday, February 3, 2012 7:20 PM
  • A mutt is a crossbreed of dog, also called a mongrel.
    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Network Live Audit - Powershell script
    Friday, February 3, 2012 7:26 PM
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Monday, February 6, 2012 6:40 AM