Monday, January 5, 2009

Binding Macs to OD and AD, Security Requirements

While scripting the binding of Macs to my AD and OD servers, I wanted to tighten up the accounts the bind runs as. Each directory server handles this a little differently.

Bind to OD

For security purposes, scripting the bind with the directory administrator account is not a great idea, even though it is commonly done, with the credentials protected only by restrictions on the disk image and the scripts. That is how I have done it up to this point too. Being overly paranoid, and wanting to leave a respectable legacy, I looked into binding with an account that is less than super-admin.

After testing it out, I can bind machines to OD with a simple access account that has no administrator privileges. That removes my objection to using a privileged account for the bind, and I am also rotating the passwords monthly.

Bind to AD

Binding to AD raises the same issue: the usual approach uses a Domain Administrators account. To solve this, I used this article to create an account that is allowed only to bind and unbind machines.
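To make the two points above concrete (a non-admin OD account for the OD bind, a delegated join-only account for the AD bind), here is a first-boot bind script in that shape. It is an added example, not the post's own script and not Jody's; every server, domain, OU, account name and path in it is an assumption standing in for real values. It also shows two checks a practitioner would want in such a script: the bind credentials are read from a root-owned, owner-only file on the client rather than embedded in the script, and the script refuses to run if someone later points it back at diradmin or a Domain Admin. The AD side assumes an account delegated only the right to create and delete computer objects in the target OU (plus the usual password-reset and validated-write rights on those objects), not Domain Admins membership.

```shell
#!/bin/sh
# Least-privilege directory binding for a Mac first-boot script.
# Added example, not the original post's script. Every server, domain, OU,
# account name and path below is an assumption standing in for real values.

OD_SERVER="od.example.com"                  # assumed Open Directory master
OD_BIND_USER="odbind"                       # assumed plain OD user, no admin role
AD_DOMAIN="ad.example.com"                  # assumed AD domain
AD_BIND_USER="adbind"                       # assumed account delegated only join rights
AD_OU="OU=Macs,DC=ad,DC=example,DC=com"     # assumed OU that holds the computer objects
CRED_DIR="${CRED_DIR:-/var/root/bindcreds}" # assumed root-only dir, one password per file
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands (password masked)

# Refuse well-known privileged names so the script cannot quietly drift back to
# binding as diradmin or a Domain Admin, which is the whole point of the exercise.
is_privileged_account() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    root|administrator|*admin*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first line of a password file, but only if the file is owned by the
# running user (root at first boot) and has no group/other permission bits.
read_secret() {
  f="$1"
  [ -f "$f" ] && [ -O "$f" ] || return 1
  # GNU stat first, then BSD/macOS stat; either prints the octal mode, e.g. "600".
  perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$perm" in
    *00) ;;            # 600, 400, 700: owner only
    *) return 1 ;;
  esac
  pw=
  IFS= read -r pw < "$f" || true
  [ -n "$pw" ] || return 1
  printf '%s' "$pw"
}

# Bind to Open Directory as the unprivileged OD user.
# dsconfigldap: -a server, -n config name, -c computer ID, -u/-p directory credentials.
bind_od() {
  computer_id="$1"
  if is_privileged_account "$OD_BIND_USER"; then
    echo "refusing to bind OD as privileged account $OD_BIND_USER" >&2; return 2
  fi
  pw=$(read_secret "$CRED_DIR/od") || { echo "OD bind password missing or not owner-only" >&2; return 3; }
  if [ "$DRY_RUN" = 1 ]; then
    printf 'dsconfigldap -v -a %s -n %s -c %s -u %s -p ********\n' \
      "$OD_SERVER" "$OD_SERVER" "$computer_id" "$OD_BIND_USER"
    return 0
  fi
  dsconfigldap -v -a "$OD_SERVER" -n "$OD_SERVER" -c "$computer_id" -u "$OD_BIND_USER" -p "$pw"
}

# Bind to Active Directory as the delegated join account, into the OU it has rights on.
# dsconfigad: -a computer ID, -domain, -ou target container, -u/-p join credentials.
bind_ad() {
  computer_id="$1"
  if is_privileged_account "$AD_BIND_USER"; then
    echo "refusing to bind AD as privileged account $AD_BIND_USER" >&2; return 2
  fi
  pw=$(read_secret "$CRED_DIR/ad") || { echo "AD bind password missing or not owner-only" >&2; return 3; }
  if [ "$DRY_RUN" = 1 ]; then
    printf 'dsconfigad -a %s -domain %s -ou "%s" -u %s -p ********\n' \
      "$computer_id" "$AD_DOMAIN" "$AD_OU" "$AD_BIND_USER"
    return 0
  fi
  dsconfigad -a "$computer_id" -domain "$AD_DOMAIN" -ou "$AD_OU" -u "$AD_BIND_USER" -p "$pw"
}

# Usage: sh bind.sh <computer-id>   (for example the LocalHostName from scutil)
if [ $# -gt 0 ]; then
  bind_od "$1" && bind_ad "$1"
fi
```

Two caveats worth knowing before relying on this. Both dsconfigldap and dsconfigad take the password as a command-line argument, so it is visible in the process list for the moment the bind runs, and the password files live on the client, so anyone who can read the disk image can recover the bind credentials. Neither is fatal precisely because the accounts can do nothing but bind and unbind and the passwords are rotated, which is the post's point; it is fatal if the account is diradmin or a Domain Admin. The `-a` spelling of the dsconfigad add flag is the 10.5-era one; later releases spell it `-add`.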

Also, this is a nice GUI for binding on first boot:

Thanks to Jody for the AD side!
