Open Directory Magic Triangle
Mid to large-size companies commonly use Active Directory to manage their Windows users and computers. When introducing Macs into a Windows environment, companies often ignore Active Directory when managing their Macs. This doesn’t have to be the case, since OS X supports Active Directory right out of the box. When a Mac is connected to Active Directory, users can log in to their Macs using their AD credentials.
Adding Open Directory to the infrastructure creates the Magic Triangle, also known as the Golden Triangle. This configuration offers several benefits. AD users and groups can be added to Mac network groups by Mac administrators. This eliminates a burden on Windows administrators, who probably don’t know the intimate details of OS X administration. The separation of duties is also desirable from a security perspective, since Windows administrators probably shouldn’t be touching Mac groups anyway. Another benefit of the Magic Triangle is the ability to augment AD user records with additional Mac-specific attributes. This is desirable when Windows administrators don’t want to modify AD’s schema to accommodate Mac user accounts.
For those companies that eschew running Open Directory and OS X Server, there are several third-party offerings that provide AD-centric identity management, access control, and single sign-on. These products provide similar functionality to OS X’s native AD connector, but allow Group Policy to manage Macs or other Unix-based machines.