On Mac computers, Centrify Active Directory users are unable to manage their own print jobs. For example, if they attempt to pause, stop, or resume one of their own print jobs, they are prompted to supply the name and password of a user in the “Print Operator” group, otherwise, they cannot continue.
Centrify supplies the group policy, Map zone groups to local group, that you can use to enable all Mac users who are authenticated through Active Directory to manage their printers.
This policy gives members of a specified zone group (an AD group, or AD group that has been added to a Centrify zone) the privileges that belong to members of a local group on the local group. For example, as explained in the following procedure, mapping an AD group to the local
_lpadmin groups, provides members of the AD group with the privileges to manage print jobs on the local Mac computer when they log in.
To map a zone group to local _lpoperator and _lpadmin groups:
For purposes of illustration, this procedure instructs you to create a specific group (MacPrint) and add the users who you want to manage printers on Mac computers to this group. You could also map an existing AD group to the local
_lpadmin groups, or create a new group with a different name.
- On a Windows computer, open Active Directory Users and Computers, select Users and right-click and select New > Group.
- Enter a name for the group, such as MacPrint and select Global and Security.
- Double-click the group, select the Members tab, then click Add and browse for and add the AD users who you want to have printing privileges on the Mac computer.
- Open the Access Manager Console, expand the zone hierarchy and expand the zone containing Mac computers. Expand UNIX Data, select Groups, then right-click and select Create UNIX Group.
- Browse for and select the AD group you crated (MacPrint) and click OK to add it to the zone.
- Open the Group Policy Management Editor and select the GPO that you use for Mac OS X computers. Click Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Accounts, then double-click Map zone groups to local group.
- Click the Policy tab and click Enabled. Click Add and do the following:
In Local Group, type
_lpoperatorto add the printer operators group.
In Zone Group: click Browse then search for and select the AD zone group you created (MacPrint), then click OK to map MacPrint to the printer operators group.
Click Add again and in Local Group type
_lpadminto add the printer admin group.
In Zone Group: click Browse then search for and select MacPrint again to map MacPrint to the printer admin group.
Click OK to save the policy.
The first time users attempts to manage their printer, for example by pausing the printer, they will be prompted for credentials for a user in the “Printer Operator” group. They can simply enter their own name and password. Subsequently, they can manage the printer without supplying credentials.