In the Directory Utility app on your Mac, click Services. Click the lock icon. Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID). Select Active Directory, then click the Edit button (looks like a pencil).
Most enterprise networks use Active Directory to provide LDAP directory services. With the rise of Macs in the enterprise, they need to access the same resources as seamlessly as their Wintel siblings do.
OS X is a standards-based OS, which makes it very flexible. Since Active Directory is simply Microsoft's implementation of LDAP, Apple includes a utility for binding a Mac to AD. This utility is called Directory Utility.
9 Steps total
Step 1: Open Directory Utility.
In Leopard - Open the Finder, navigate to Applications > Utilities and double-click Directory Utility.
In Snow Leopard - Open System Preferences > Accounts > Login Options > Network Account Server: Join > Open Directory Utility...
In Lion - Open System Preferences > Users & Groups > Login Options > Network Account Server: Join > Open Directory Utility...
Step 2: Authenticate as Admin
Click the lock in the bottom left to unlock the Directory Utility for changes. Enter your local administrator credentials.
Step 3: Add the LDAP/AD Server
Click the + symbol to add a Directory server.
Select Active Directory from the drop-down menu.
Enter the AD Kerberos Domain.
The Computer ID is auto-populated from the computer name set in Sharing preferences.
Enter your AD Admin username and password.
Click OK.
Step 4: Set Active Directory Services Preferences
Once connected to the domain you will be able to change your AD preferences.
In Directory Utility click the 'Show Advanced Settings' button in the bottom right to show the toolbar.
Select 'Services'.
Select 'Active Directory' and click the Edit button just under the Services list.
Step 5: Services - User Experience
Unbind - Pretty much leave this alone. Removing the Directory server does the same thing.
Create mobile account at login - Creates a local Home folder. If you use roaming profiles in AD, it will sync this folder to the Home folder on the Windows share.
Require confirmation before creating a mobile account - Prompts users before creating the folder. Generally leave this unchecked.
Use UNC path from Active Directory to derive network home location - Gets the home folder from the user's AD profile.
Network protocol to be used: - Generally leave this as SMB unless you have an OS X share serving it via AFP.
Default user shell: - Just leave this as is; bash is pretty much the Unix standard anyway.
Step 6: Services - Mappings
Unless you have a really good reason to map UID and GID information, leave this alone.
Map UID to attribute - Used to map UID to a uniqueID attribute in Active Directory.
Map user GID to attribute - Used to map user's GID to a primaryGroupID attribute in Active Directory.
Map group GID to attribute - Used to map user's group GID to a gidNumber attribute in Active Directory.
Step 7: Services - Administrative
Prefer this domain server: - If you prefer OS X to authenticate to a specific domain controller enter the DC's FQDN here.
Allow administration by: - I recommend checking this box and leaving it at the default. This allows domain and enterprise admins to manage OS X as though they were local admins.
Allow authentication from any domain in the forest - If you have a large AD forest implementation this setting allows cross-authentication across the entire AD forest.
Step 8: Logging In - User List View
To log into Active Directory with your AD credentials, first select 'Other...', then enter your Windows credentials.
If you've set the Services to create a Mobile User, your Home directory will be created when you first log in. After that, your Mobile username will appear in the list; on further logins, use your Mobile username to log in.
Step 9: Logging In - Name and Password (Recommended)
If your admin has set the local preference to use Name and Password, log into Active Directory with AD username and password.
If you've set the Services to create a Mobile User, your Home directory will be created when you first log in and will be connected upon further logins.
Binding OS X to an Active Directory domain is quite simple. Once it is completed, users access network resources using standard Kerberos authentication.
For password changes and additional GPO-style functionality you will either need to bind to an Open Directory OS X Server for machine management (the Golden Triangle setup, coming later) or use a third-party AD binding application that extends Windows AD GPO to manage your OS X machine preferences, such as Likewise or Centrify.
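Everything Steps 3 through 7 set in Directory Utility can also be set from Terminal with dsconfigad(8), which is handy for scripting the bind across a lab. The script below is an added example and not part of the original article: the domain ad.example.com, short name EXAMPLE, the OU, the joinadmin account and the DC dc1.ad.example.com are placeholders (override them through the environment). The packetsign, packetencrypt and passinterval settings at the end of the Administrative command are not in the article; they require signed and encrypted LDAP traffic to the DC and rotate the computer account password every 30 days. "plan" prints the commands so you can review them; "apply" executes them and must run as root on the Mac being bound.

```shell
#!/bin/sh
# Added example, not from the original article: dsconfigad(8) equivalents of
# Steps 3-7 plus post-bind checks. All domain, OU, DC and account names are
# placeholders (override via environment). "plan" prints, "apply" executes.
set -u

DOMAIN="${DOMAIN:-ad.example.com}"            # placeholder AD DNS domain / Kerberos realm
NETBIOS="${NETBIOS:-EXAMPLE}"                 # placeholder short (NetBIOS) domain name
OU="${OU:-OU=Macs,DC=ad,DC=example,DC=com}"   # placeholder container for the computer object
BIND_USER="${BIND_USER:-joinadmin}"           # account allowed to create computer objects
PREFERRED_DC="${PREFERRED_DC:-dc1.ad.example.com}"   # placeholder DC FQDN (Step 7)
COMPUTER_ID="${COMPUTER_ID:-$(scutil --get ComputerName 2>/dev/null || hostname -s 2>/dev/null || echo mac-placeholder)}"

# Step 3: bind. No -password flag on purpose: dsconfigad prompts for it, so the
# secret never lands in shell history or `ps` output. -force joins even if a
# computer object of that name already exists.
build_bind_cmd() {
  printf 'dsconfigad -add %s -username %s -computer %s -ou "%s" -force\n' \
    "$DOMAIN" "$BIND_USER" "$COMPUTER_ID" "$OU"
}

# Step 5 (User Experience): mobile account without confirmation, home folder
# from the AD UNC path over SMB, bash as login shell. Step 6 (Mappings) is
# deliberately not set, as the article advises.
build_user_experience_cmd() {
  printf 'dsconfigad -mobile enable -mobileconfirm disable -useuncpath enable -protocol smb -shell /bin/bash\n'
}

# Step 7 (Administrative): preferred DC, admin groups, forest-wide auth.
# packetsign/packetencrypt/passinterval are additions beyond the article.
build_admin_cmd() {
  printf 'dsconfigad -preferred %s -groups "%s\\Domain Admins,%s\\Enterprise Admins" -alldomains enable -packetsign require -packetencrypt require -passinterval 30\n' \
    "$PREFERRED_DC" "$NETBIOS" "$NETBIOS"
}

# Post-bind checks: bound settings, a user lookup through the AD node,
# POSIX identity resolution for that user, and the Kerberos ticket cache.
build_verify_cmds() {
  user="${1:-$BIND_USER}"
  printf 'dsconfigad -show\n'
  printf 'dscl "/Active Directory/%s/All Domains" -read "/Users/%s" AuthenticationAuthority\n' "$NETBIOS" "$user"
  printf 'id "%s"\n' "$user"
  printf 'klist\n'
}

run_or_print() {
  if [ "$1" = apply ]; then eval "$2"; else printf 'PLAN: %s\n' "$2"; fi
}

main() {
  mode="${1:-plan}"
  for cmd in "$(build_bind_cmd)" "$(build_user_experience_cmd)" "$(build_admin_cmd)"; do
    run_or_print "$mode" "$cmd"
  done
  build_verify_cmds | while IFS= read -r cmd; do run_or_print "$mode" "$cmd"; done
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run `sh bind-ad.sh plan` first and read the output; then `sudo DOMAIN=... NETBIOS=... sh bind-ad.sh apply`. If the `id` check in the verify step returns "no such user" while `dscl` can read the account, the bind itself worked and the problem is in the Mappings or a DC that is not yet replicated; if `klist` shows no ticket, the login did not get a Kerberos TGT and you are most likely looking at DNS or clock skew.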
References
- Server Admin 10.5 Help - Configuring Access to an Active Directory Domain
16 Comments
- tony_farson (Pimiento) Feb 22, 2010 at 04:55pm
Awesome! Thanks for this. If you don't mind, I do have a couple of questions...
1. I can successfully bind the client Mac to my AD, but when I try to log in as any user, including domain admin, OS X wiggles its screen and makes me try again, all to no avail.
2. I have a couple of users who want to use their existing profiles (settings and files in their home directory on local OS X). Is there a way to identify an existing home folder or an easy way to migrate one to a network user?
Thanks!
- Michael2024 (Thai Pepper) Feb 22, 2010 at 05:36pm
PM’d
- Joshua5700 (Pimiento) Apr 15, 2010 at 06:00pm
I can't wait to see your 'golden triangle' setup article. This one saved me a bunch of time.
- FCOE Spice (Jalapeno) May 10, 2011 at 07:07am
Came to add this article after thinking about how much we wrestled with it. Lo and behold! AND yours is way more comprehensive. Thank you!
- Sinergi (Pimiento) Feb 5, 2012 at 05:42am
#5. Would you happen to know why, if you unchecked 'create mobile account...' and 'force local home...', it still creates local accounts and mounts the network home share in the Dock?
- Edward_Elric (Habanero) Mar 12, 2012 at 11:32am
Brilliant, thanks for this. I've been scratching my head over this for a while.
- macfixer (Cayenne) Dec 12, 2012 at 08:28pm
This is terrific!
- Hamilton2280 (Pimiento) Jan 16, 2013 at 03:59pm
Ok! I'm in need of some help. I have used this method of binding Macs to AD for about 2 years now. Our main domain controller recently became corrupt. We now have it back up and running, but our Macs will no longer talk to it. At the login screen it says 'Network Accounts Available' with a green light, but when the users enter their login info the computer jiggles and denies them access (no errors are displayed). I have removed the computer from AD and then rebound it, but no luck. Suggestions to try? Please! I have three Mac labs that are out of commission right now. ;-(
- autumnwalker (Sonora) Feb 8, 2013 at 03:23am
Thanks for sharing this! Did the 'golden triangle' article ever get written?
- dolphan2k (Pimiento) Feb 8, 2013 at 05:13pm
I have a user who is going to be traveling for over 10 months. Currently the MacBook is joined to the domain and he is authenticating to get in. He has a mobile account so he can log in outside of the domain, but I am afraid that after a long period of no authentication through AD, the account will not log in. So my question is, does anyone know the amount of time or number of logins for which Mac OS X will use the cached credentials? Or should I just create a local profile and transfer his profile from a domain to a local profile?
- AnthonyShane (Pimiento) Nov 21, 2013 at 12:38am
Great work! Thanks!! Been looking all over for a comprehensive guide to achieving this.
- Nelson9480 (Thai Pepper) Jan 21, 2014 at 12:14pm
Great steps! Also, I have found that if the user account is not shown at login, check whether you have added the user account to the FileVault keychain.
- Daniel Yu (Cayenne) Aug 6, 2014 at 10:16pm
Thank you for sharing. Great job! This is a valuable resource.
- Alan2999 (Pimiento) Dec 17, 2014 at 11:39am
Let's say everything is bound and so on; how do I get the Mac password changes to sync with the AD password?
- Glenn1741 (Jalapeno) Mar 5, 2018 at 09:25pm
Does this method still work with Sierra or High Sierra?
Binding a Mac to Active Directory requires a number of important factors to be in place. Namely (but not in any particular order):
You must use an account that has authority to bind computers to AD.
'Standard' user accounts are not usually accorded the privilege.
DNS must be 'perfect'
Some AD structures require computers to be placed in organisational units or OUs before login is allowed.
Did you check if this was the case for your environment?
DNS must be 'perfect'
Active Directory provides a Single Sign On environment. In such an environment time is extremely important. Configure your Mac to keep its time using the Domain Controller's IP address. Set this using the Date & Time preferences pane.
Did I mention DNS must be 'perfect'?
How do you check DNS is perfect? Find out if the domain is based around .local first, i.e. server.mycompany.local. If it is, you will have problems that won't ever be resolved in any lasting way other than asking the network administrators to change it to something else.
If it isn't, try to resolve the DC's hostname on both the forward and reverse pointers. Using server.mycompany.com as an example of the DC's hostname, launch Terminal on your Mac and issue this command to test the forward pointer:
host server.mycompany.com
If it returns an address similar to 10.10.10.10, stay in Terminal and issue this command to test the reverse pointer:
host 10.10.10.10
It should return the server's name you used in the first command.
Beyond the above have a conversation with the administrators of the network and outline what you're trying to do. They should be willing and able to help you. If they're not then you've problems that go way beyond the issue you've outlined here.
Hopefully this may help?
Jun 5, 2015 3:40 AM
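The forward/reverse round-trip the answer above describes is easy to get wrong by eye (a PTR that differs only by case or a trailing dot still counts as a match; a PTR pointing at a different host does not). The script below is an added example, not part of the answer or of any Apple tool: it parses `host` output the way the answer reads it, checks the .local condition, and reports the clock offset to the DC with macOS's `sntp`. server.mycompany.com and 10.10.10.10 are the answer's own placeholders, and the two SAMPLE_ lines are constructed `host` output used when no DC name is given.

```shell
#!/bin/sh
# Added example (not from the answer above): mechanical version of the
# forward/reverse DNS check, the .local check and a clock-skew report.
set -u

# Constructed sample `host` output, used when the script is run without a DC name.
SAMPLE_FWD='server.mycompany.com has address 10.10.10.10'
SAMPLE_REV='10.10.10.10.in-addr.arpa domain name pointer server.mycompany.com.'

# Parse "name has address A.B.C.D" from `host <name>` output; prints the first address.
forward_ip() {
  printf '%s\n' "$1" | awk '/ has address /{print $NF; exit}'
}

# Parse "... domain name pointer name." from `host <ip>`; prints the name without its trailing dot.
reverse_name() {
  printf '%s\n' "$1" | awk '/ domain name pointer /{sub(/\.$/, "", $NF); print $NF; exit}'
}

# Lower-case a name and strip a trailing dot so "SERVER.mycompany.com." equals "server.mycompany.com".
canon() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# 0 if the PTR from the reverse lookup names the host we started from, 1 otherwise.
roundtrip_ok() {
  name="$1"; fwd_out="$2"; rev_out="$3"
  ip=$(forward_ip "$fwd_out");   [ -n "$ip" ]  || return 1
  ptr=$(reverse_name "$rev_out"); [ -n "$ptr" ] || return 1
  [ "$(canon "$name")" = "$(canon "$ptr")" ]
}

# 0 if the name ends in .local (collides with Bonjour/mDNS on a Mac), 1 otherwise.
is_dot_local() {
  case "$(canon "$1")" in *.local) return 0 ;; *) return 1 ;; esac
}

# Live check against a real DC: both lookups, the comparison, then the time offset.
check_dc() {
  dc="$1"
  if is_dot_local "$dc"; then
    echo "WARN: $dc is under .local; expect mDNS resolution problems on the Mac"
  fi
  fwd=$(host "$dc") || { echo "FAIL: forward lookup of $dc"; return 1; }
  ip=$(forward_ip "$fwd")
  [ -n "$ip" ] || { echo "FAIL: no A record in: $fwd"; return 1; }
  rev=$(host "$ip") || { echo "FAIL: reverse lookup of $ip"; return 1; }
  if roundtrip_ok "$dc" "$fwd" "$rev"; then
    echo "OK: $dc -> $ip -> $(reverse_name "$rev")"
  else
    echo "FAIL: $dc -> $ip -> $(reverse_name "$rev") (PTR does not match the DC name)"
    return 1
  fi
  # Kerberos rejects tickets when clocks differ by more than 5 minutes (default);
  # sntp prints the offset between this Mac and the DC without changing anything.
  sntp "$dc" 2>/dev/null || echo "WARN: could not query time from $dc"
}

if [ "$#" -gt 0 ]; then
  check_dc "$1"
else
  roundtrip_ok server.mycompany.com "$SAMPLE_FWD" "$SAMPLE_REV" && echo "sample round-trip OK"
fi
```

Run `sh check-dc.sh dc1.yourdomain.com` from the Mac you are about to bind; a FAIL on the reverse leg usually means a stale or missing PTR record on the DNS server, which the network administrators have to fix, while a large sntp offset means the Date & Time pane is not pointed at the DC yet.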