install the standard base OSX image
run sw updates (current image tested is using 10.5.7)
install additional software as requested
via terminal – defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
open accounts, login options. Display login window as Name and Password. (I also removed the ituneshelper app from the admin login items)
set wallpaper for admin account
add tech coordinator account
added keychain access & directory utility to admin toolbar
open directory access. It should come up and say no directory servers. Add Active Directory. Use the std domain without dc1 or any other subdomain and any tech with rights can enter their own creds for the binding. Leave the computer ID as is.. this should already have the correct workstation name from the login hook’s workstation renamer script.
Show Advanced Settings and go to Services
Open the Active Directory selection and show advanced options
select Create Mobile account at login and verify that smb is used. (all others should already be checked)
go to administrative tab and check ‘Allow Administration by’, and add the Shop Guys group to the existing list.
Go to the LDAP selection and create a new ldap connection. specify the od server. When it asks about binding, do NOT enter credentials as we do not want to bind to the od server, simply click continue then ok. Change the LDAP mappings to Open Directory Server.
for a quick check, open keychain access and under the keychain access pulldown, open the kerberos ticket viewer, create a new ticket and enter your credentials.
logout and login using a shop guy acct.
run dsconfigad -mobileconfirm disable
login under a test account. 🙂 you should not be prompted to create a mobile account.. it should just happen.
before imaging, unBIND from AD.