Changing the Machine Password Interval on a Mac and Windows

Sometimes when a user can not log into their computer (shaking login) the problem is with the machine password and not the user account password.  By default Windows machines reset their machine password every 30 days but Macs do so every 14.  If a computer is on the network but can not connect to a DC at its password change interval it can subsequently prevent the user from logging in and/or changing their password from the computer. 

To change the machine password interval on a Mac you must first unbind the computer and then follow these steps:

http://support.apple.com/kb/HT3422

Setting the passinterval to "0" is the recommended fix.

Keep in mind that having a computer never reset its password poses a potential security risk because the security channel between the computer and the DC will never be reset.  This means that if someone discovers the machine password they could perform pass-through authentication directly to a DC.

Here is a good article describing the entire machine password change proces:

http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

And here is Microsoft's KB on the process for PCs:

http://support.microsoft.com/kb/154501

Snow Leopard: Allowing standard users to add printers

In Snow Leopard standard users are not allowed to modify the print queues.  Apple has a work-around in this KB article:  http://support.apple.com/kb/HT3511

Run this command:

dseditgroup -o edit -n /Local/Default -u admin -p -a student -t user lpadmin

Where "admin" is the short name for the local admin account and "student" is the name of the user

How to configure a hidden account that has ARD access and also must request control from the user

I was asked to create a hidden account that had remote control access through ARD but that also had to request permission from the user before being allowed access to the computer

Running the following in ARD/Unix using the root account will create a hidden standard account called "hidden", set the password to "Hidden123", turn on "request permissions to observe/control" and add the account to the Remote Management "allowed users" list:

dscl . -create /Users/hidden
dscl . -create /Users/hidden UserShell /bin/bash
dscl . -create /Users/hidden RealName "hidden"
dscl . -create /Users/hidden UniqueID 499
dscl . -create /Users/hidden PrimaryGroupID 1000
dscl . -create /Users/hidden NFSHomeDirectory /Local/Users/hidden
dscl . -passwd /Users/hidden Hidden123
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users hidden -privs -none -clientopts -setreqperm -reqperm yes

A "UniqueID" lower than 500 will create a hidden account.

To remove the account (run as root through ARD):

dscl . -delete /Users/hidden

This works for Leopard and Snow Leopard

Cannot exit Snow Leopard Screen Saver with AD credentials

On bound Macs there is a problem where a computer that has been left on, with the screen saver active, for more than 10 hours has its Kerberos ticket expire.  If this happens a user is unable to unlock the screen saver using their AD credentials.

Here is the KB article from Apple on how to fix this problem:

http://support.apple.com/kb/TS3287