Mac OS X Server: Access to Active Directory attributes required for computer accounts
Summary
Mac OS X client computer account records created in Active Directory require additional access to certain attributes in order to work as expected.
Products Affected
Mac OS X Server 10.6, Mac OS X Server 10.5
Depending on the Active Directory installation, you may need to make some changes. The simplest configuration is to allow Domain Computer accounts from all domains to read the attributes listed below for "Computer Objects", "User Objects", and "Group Objects". Computer accounts should not have "write" access to these attributes.
For Windows 2000 Default Schemas
c, cn, company, dNSHostName, department, description, displayName, driverName, facsimileTelephoneNumber, givenName, homeDirectory, homeDrive, l, lastLogoff, lastLogon, location, mail, mailNickname, mobile, pager, physicalDeliveryOfficeName, postalAddress, postalCode, primaryGroupID, printerName, profilePath, pwdLastSet, rid, sAMAccountName, sAMAccountType, scriptPath, sn, st, street, streetAddress, telephoneNumber, title, url, userPrincipalName, userWorkstations
For Apple Schema extensions
For Schemas that have been extended to support Apple Schema extensions, all the following attributes should be readable for all record types:
apple-category, apple-computeralias, apple-computer-list-groups, apple-computers, apple-data-stamp, apple-dnsname, apple-dns-domain, apple-dns-nameserver, apple-group-homeowner, apple-group-homeurl, apple-home-directory, apple-imhandle, apple-keyword, apple-mcxflags, apple-mcxsettings, apple-mountDirectory, apple-mountDumpFrequency, apple-mountOption, apple-mountPassNo, apple-mountType, apple-service-location, apple-service-port, apple-service-type, apple-service-url, apple-user-class, apple-user-authenticationhint, apple-user-homequota, apple-user-homesoftquota, apple-user-homeurl, apple-user-mailattribute, apple-user-picture, apple-user-printattribute, apple-webloguri, apple-xmlplist, gidNumber, ipHostNumber, loginShell, macAddress, uidNumber, ttl
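One way to check the read-but-not-write requirement above against an object's DACL. This is an added example, not Apple's code. It assumes the DACL has been exported in SDDL form and that each attribute's schemaIDGUID has been looked up in the schema; the GUIDs, SID and SDDL string below are constructed placeholders. Deny ACEs and property-set GUIDs are not evaluated.

```python
import re

READ_PROP, WRITE_PROP = 0x10, 0x20  # read / write property bits of the access mask
CODES = {"RP": READ_PROP, "WP": WRITE_PROP, "GR": READ_PROP,
         "GW": WRITE_PROP, "GA": READ_PROP | WRITE_PROP}  # generic rights imply property rights

def pairs(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def rights_mask(rights):
    """Reduce a rights field (hex mask or letter codes) to the two property bits."""
    if rights.lower().startswith("0x"):
        value = int(rights, 16)
        # 0x80000000 GENERIC_READ, 0x40000000 GENERIC_WRITE, 0x10000000 GENERIC_ALL
        generic = (READ_PROP if value & 0x90000000 else 0) | (WRITE_PROP if value & 0x50000000 else 0)
        return (value & (READ_PROP | WRITE_PROP)) | generic
    mask = 0
    for code in pairs(rights):
        mask |= CODES.get(code, 0)
    return mask

def is_domain_computers(trustee):
    # "DC" is the SDDL alias; RID 515 is Domain Computers in any domain.
    return trustee == "DC" or bool(re.fullmatch(r"S-1-5-21(-\d+){3}-515", trustee))

def audit(sddl, attr_guids):
    """Return {attribute: (readable, writable)} as granted to Domain Computers."""
    masks = dict.fromkeys(attr_guids, 0)
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "OA"):
            continue  # only allow ACEs are considered here
        _, flags, rights, obj_guid, _, trustee = fields
        if "IO" in pairs(flags) or not is_domain_computers(trustee):
            continue  # inherit-only ACEs do not apply to this object itself
        for name, guid in attr_guids.items():
            if obj_guid == "" or obj_guid.lower() == guid.lower():
                masks[name] |= rights_mask(rights)  # empty GUID means all properties
    return {n: (bool(m & READ_PROP), bool(m & WRITE_PROP)) for n, m in masks.items()}

# Constructed sample data: placeholder GUIDs, not real schemaIDGUID values.
SAMPLE_GUIDS = {"mail": "00000000-0000-0000-0000-000000000001",
                "description": "00000000-0000-0000-0000-000000000002",
                "telephoneNumber": "00000000-0000-0000-0000-000000000003"}
SAMPLE_SDDL = ("D:(OA;;RP;00000000-0000-0000-0000-000000000001;;DC)"
               "(OA;;RPWP;00000000-0000-0000-0000-000000000002;;S-1-5-21-1111-2222-3333-515)"
               "(OA;CIIO;WP;00000000-0000-0000-0000-000000000001;;DC)(A;;GA;;;DA)")
```

In the sample, mail is readable only, description is writable and should be corrected, and telephoneNumber lacks the read access the article calls for.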