Managing Mac policies using Workgroup Manager and Active Directory (Part 2)
Microsoft Group Policy
In Figure 2, we see how the Microsoft Group Policy Management Console and Group Policy Object Editor have been used to create a GPO named Marketing Policy and to associate it with the Marketing OU.

The GPO can contain both Windows– and non-Windows–related settings. The yellow folders at the bottom of the GPO editor are used to set Windows settings. The blue folders have been added by Likewise to extend Group Policy to support non-Windows computers and users. The bottommost blue folder contains Mac-specific settings, including support for Workgroup Manager. If you double-click this entry, you can enable Mac Workgroup Manager to store settings in the GPO (Figure 3).

Using Mac Workgroup Manager with AD
Now that we’ve created a GPO with the Group Policy Management Console and have enabled it for use with Mac Workgroup Manager, let’s use Workgroup Manager to store some settings in it.
To do this, on a Mac that is joined to Active Directory, we run Workgroup Manager from the Applications/Server location. If you don’t have Workgroup Manager, you can download it from http://support.apple.com/downloads/Server_Admin_Tools_10_5_6 (check first to see if there is a more recent version).
When Workgroup Manager opens, it shows the “local” directory node, which can be used only to make local settings for the computer on which you’re running Workgroup Manager. To connect it to Active Directory, click on the blue “globe” icon. This will display a multi-column dialog where you can select “Likewise - Active Directory” and then a specific GPO that has been enabled for use with Workgroup Manager. The Workgroup Manager address bar will change to indicate the GPO that’s being edited but will specify that you’re “Not Authenticated”.
To be able to store settings in the GPO, click on the “lock” icon. You will be prompted to enter valid Active Directory credentials to access the GPO. Typically, this account will need to have AD Domain Admin privileges or other privileges sufficient to write group policy settings into the directory. Once authenticated, Workgroup Manager can be used to edit preferences as usual. In Figure 4, we’ve selected the Marketing Policy object and can now specify the Workgroup Manager settings to be stored in the GPO.

In the left pane, we’ve selected the Group of Computers tab to apply settings to computers managed by the Marketing Policy GPO, in other words, the computers in the Marketing OU. We could also have selected the Group of Users tab to specify settings that would apply to users affected by the GPO (users in the Marketing OU). Likewise Enterprise does not support Workgroup Manager settings applied to individual users or computers, only to groups of them.
In the right pane in Figure 4, we’ve specified a message to be displayed at logon.
If we return to the Group Policy Management Console now and select the Marketing Policy GPO, we can click on the Settings tab to see what settings are present in the object (Figure 5). We can see that the logon message setting is now present in the GPO.

Because the Workgroup Manager settings are stored in a Windows GPO, the Group Policy Management Console can be used to manage them. For example, the Console can back up and restore a GPO that contains Workgroup Manager settings.
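The write privileges needed to unlock the GPO and the backup and restore described above can also be handled from PowerShell on a Windows management host. The script below is an added example, not part of the original article or of Likewise's tooling; it uses Microsoft's GroupPolicy module, and the group name and backup path are hypothetical. It assumes that delegated edit rights on the GPO are sufficient for the Workgroup Manager plug-in, so that the "lock" prompt does not require a Domain Admin account.

```powershell
# Added example. Run as an administrator of the GPO on a host with the
# GroupPolicy module (part of GPMC / RSAT).
Import-Module GroupPolicy

$GpoName    = 'Marketing Policy'      # GPO created in the article
$EditGroup  = 'Mac Policy Editors'    # hypothetical AD security group
$BackupRoot = 'C:\GPOBackups'         # hypothetical backup folder

# Stop early if the GPO name is wrong instead of acting on nothing.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Delegate "edit settings" on this one GPO to a dedicated group, so the
# credentials typed into Workgroup Manager need not be Domain Admin.
Set-GPPermission -Name $GpoName -TargetName $EditGroup `
    -TargetType Group -PermissionLevel GpoEdit | Out-Null

# List every trustee that can change the GPO (anything beyond read/apply).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -ne 'GpoRead' -and $_.Permission -ne 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Back up the GPO before storing Workgroup Manager settings in it.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$backup = Backup-GPO -Name $GpoName -Path $BackupRoot `
    -Comment "Before Workgroup Manager edit $(Get-Date -Format s)"
"Backup id: $($backup.Id)"

# After editing on the Mac, save the settings report for comparison with
# what was intended (the scripted counterpart of the Settings tab).
$report = Join-Path $BackupRoot ("{0}-{1}.html" -f $GpoName, (Get-Date -Format yyyyMMdd-HHmmss))
Get-GPOReport -Name $GpoName -ReportType Html -Path $report

# To roll back an unwanted change, restore the backup taken above:
# Restore-GPO -BackupId $backup.Id -Path $BackupRoot
```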