Most networks use Active Directory to provide LDAP services. With the rise of Macs in the enterprise, they need to access the same resources as seamlessly as their Wintel siblings do.
OS X is a standards-based OS, which makes it very flexible. Since Active Directory is essentially Microsoft's implementation of LDAP (plus Kerberos), Apple has included a utility for binding a Mac to AD. This utility is called Directory Utility.
9 Steps total
Step 1: Open Directory Utility.
In Leopard - Open the Finder and navigate to Applications > Utilities and double click the Directory Utility.
In Snow Leopard - Open System Preferences > Accounts > Login Options > Network Account Server: Join > Open Directory Utility.
In Lion - Open System Preferences > Users & Groups > Login Options > Network Account Server: Join > Open Directory Utility.
Step 2: Authenticate as Admin
Click the lock in the bottom left to unlock the Directory Utility for changes. Enter your local administrator credentials.
Step 3: Add the LDAP/AD Server
Click the + symbol to add a Directory server.
Select Active Directory from the drop-down menu.
Enter the AD Kerberos domain (the DNS name of the forest/domain, not the NetBIOS name).
The Computer ID is auto-populated from your Sharing preferences (the computer name).
Enter the username and password of an AD account that is allowed to join computers to the domain.
Click OK.
Step 4: Set Active Directory Services Preferences
Once connected to the domain, you will be able to change your AD preferences.
In Directory Utility click the 'Show Advanced Settings' button in the bottom right to show the toolbar.
Select 'Services'.
Select 'Active Directory' and click the Edit button just under the Services list.
Step 5: Services - User Experience
Unbind - Pretty much leave this alone. Removing the Directory server does the same thing.
Create mobile account at login - Creates a local Home folder and caches the user's credentials so they can log in while off the network. If you are using roaming profiles in AD, it will sync this folder to the Home folder on the Windows share.
Require confirmation before creating a mobile account - Prompts users before creating the folder. Generally leave this unchecked.
Use UNC path from Active Directory to derive network home location - Gets the home folder from the user's AD profile.
Network protocol to be used: - Generally leave as SMB unless you have an OS X share serving it via AFP.
Default user shell: - Just leave this as is. bash is pretty much the Unix standard anyway.
Step 6: Services - Mappings
Unless you have a really good reason to map UID and GID information, leave this alone.
Map UID to attribute - Used to map UID to a uniqueID attribute in Active Directory.
Map user GID to attribute - Used to map user's GID to a primaryGroupID attribute in Active Directory.
Map group GID to attribute - Used to map a group's GID to a gidNumber attribute in Active Directory.
Step 7: Services - Administrative
Prefer this domain server: - If you prefer OS X to authenticate to a specific domain controller enter the DC's FQDN here.
Allow administration by: - I recommend checking this box and leaving it at the default. This allows Domain Admins and Enterprise Admins to manage OS X as though they were local admins.
Allow authentication from any domain in the forest - If you have a large AD forest implementation this setting allows cross-authentication across the entire AD forest.
Step 8: Logging In - User List View
To log into Active Directory with your AD credentials, first select 'Other...', then enter your Windows credentials.
If you've set the Services to create a Mobile User, your Home directory will be created when you first log in, after which your Mobile username will appear in the list. On further logins, use your Mobile username to log in.
Step 9: Logging In - Name and Password (Recommended)
If your admin has set the local preference to use Name and Password, log into Active Directory with AD username and password.
If you've set the Services to create a Mobile User, your Home directory will be created when you first log in and will be connected upon further logins.
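As an added example, not part of the original how-to, the nine Directory Utility steps above can be driven from the command line with Apple's dsconfigad(8), which is the tool Directory Utility uses under the hood. Every domain, DC, OU, bind account, group and user name here (example.com, dc01.example.com, EXAMPLE, adjoin, jdoe) is a placeholder; the bind password is taken from the AD_BIND_PASSWORD environment variable so it never lands in shell history. The script also adds the LDAP signing/encryption and machine-password rotation options that the GUI does not expose.

```shell
#!/bin/sh
# Added example (not from the original how-to): scripted equivalent of the
# Directory Utility steps using Apple's dsconfigad(8). All names are
# placeholders; replace them for a real deployment.
#
# With DRY_RUN=1, or on a machine without dsconfigad, each command is printed
# (bind password redacted) instead of executed, so the steps can be reviewed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v dsconfigad >/dev/null 2>&1; then
        out=""; prev=""
        for a in "$@"; do
            # never echo the bind password, even in dry-run output
            [ "$prev" = "-password" ] && a="<redacted>"
            out="$out $a"; prev="$a"
        done
        printf '%s\n' "${out# }"
    else
        "$@"
    fi
}

# Step 3: bind the Mac to the domain (Directory Utility "+" > Active Directory).
# The bind account only needs the right to join computers to the given OU.
bind_to_ad() {
    domain=$1; computer=$2; bind_user=$3; ou=$4
    run sudo dsconfigad -add "$domain" -computer "$computer" \
        -username "$bind_user" -password "${AD_BIND_PASSWORD:-}" \
        -ou "$ou" -force
}

# Step 5: User Experience. Mobile accounts without the confirmation prompt,
# network home from the AD UNC path over SMB, bash as the default shell.
configure_user_experience() {
    run sudo dsconfigad -mobile enable -mobileconfirm disable \
        -useuncpath enable -protocol smb -shell /bin/bash
}

# Step 6: Mappings. Left untouched by default, as the how-to advises; call
# this only if your AD schema really carries RFC 2307 POSIX attributes.
configure_mappings() {
    run sudo dsconfigad -uid uidNumber -gid gidNumber -ggid gidNumber
}

# Step 7: Administrative. Preferred DC, admin groups (NETBIOS\group form),
# and authentication from any domain in the forest.
configure_administrative() {
    preferred_dc=$1; netbios=$2
    run sudo dsconfigad -preferred "$preferred_dc" \
        -groups "$netbios\\Domain Admins,$netbios\\Enterprise Admins" \
        -alldomains enable
}

# Hardening the GUI does not expose: require signed and encrypted LDAP traffic
# to the DCs and keep the 14-day computer-account password rotation.
harden_ldap_channel() {
    run sudo dsconfigad -packetsign require -packetencrypt require -passinterval 14
}

# Steps 8/9: confirm the bind before anyone tries the login window. `id`
# resolving an AD user proves the directory node answers; klist shows the
# Kerberos ticket the how-to mentions.
verify_binding() {
    ad_user=$1
    run dsconfigad -show
    run id "$ad_user"
    run klist
}

# Full sequence, run only when a domain is supplied, e.g.
#   AD_BIND_PASSWORD='...' AD_DOMAIN=example.com AD_OU='OU=Macs,DC=example,DC=com' sh bind-mac.sh
if [ -n "${AD_DOMAIN:-}" ]; then
    bind_to_ad "$AD_DOMAIN" "$(hostname -s)" "${AD_BIND_USER:-adjoin}" "${AD_OU:?set AD_OU}"
    configure_user_experience
    configure_administrative "${AD_PREFERRED_DC:-dc01.example.com}" "${AD_NETBIOS:-EXAMPLE}"
    harden_ldap_channel
    verify_binding "${AD_TEST_USER:-jdoe}"
fi
```

Run it once with DRY_RUN=1 to review the exact dsconfigad invocations, then without it (as an admin) on the Mac being joined. The `-groups` list is what Step 7's "Allow administration by" writes, so anyone in those AD groups becomes a local admin on every Mac bound this way; keep the list short.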
Binding OS X to an Active Directory domain is quite simple. Once the bind is completed, users access network resources using standard Kerberos authentication with their AD credentials.
For password changes and additional “GPO functionality” you will either need to bind to an Open Directory OS X Server for machine management (the Golden Triangle setup, coming later) or use a third party AD binding application that extends Windows AD GPO to manage your OS X Operating system’s machine preferences, such as Likewise or Centrify.
16 Comments
- tony_farson Feb 22, 2010 at 04:55pm
Awesome! Thanks for this. If you don't mind, I do have a couple of questions:
1. I can successfully bind the client Mac to my AD, but when I try to log in as any user, including domain admin, OS X wiggles its screen and makes me try again, all to no avail.
2. I have a couple of users who want to use their existing profiles (settings and files in their home directory on local OS X). Is there a way to identify an existing home folder or an easy way to migrate one to a network user?
Thanks!
- Michael2024 Feb 22, 2010 at 05:36pm
PM’d
- Joshua5700 Apr 15, 2010 at 06:00pm
I can't wait to see your 'golden triangle' setup article. This one saved me a bunch of time.
- FCOE Spice May 10, 2011 at 07:07am
Came to add this article after thinking about how much we wrestled with it. Lo and behold! AND yours is way more comprehensive. Thank you!
- Sinergi Feb 5, 2012 at 05:42am
#5. Would you happen to know if you unchecked 'create mobile account..' & 'force local home..' why it still creates local accounts and mounts the network homes share in the dock?
- Edward_Elric Mar 12, 2012 at 11:32am
Brilliant, thanks for this, I've been scratching my head over this for a while
- macfixer Dec 12, 2012 at 08:28pm
This is terrific!
- Hamilton2280 Jan 16, 2013 at 03:59pm
Ok! I'm in need of some help. I have used this method of binding Macs to AD for about 2 years now. Our main domain controller recently became corrupt. We now have it back up and running but our Macs will no longer talk to it. At the login screen it says 'Network Accounts Available' with a green light, but when the users enter their login info the computer jiggles and denies them access (no errors are displayed). I have removed the computer from AD and then rebound it but no luck. Suggestions to try? Please! I have three Mac labs that are out of commission right now. ;-(
- autumnwalker Feb 8, 2013 at 03:23am
Thanks for sharing this! Did the 'golden triangle' article ever get written?
- dolphan2k Feb 8, 2013 at 05:13pm
I have a user who is going to be traveling for over 10 months. Currently the MacBook is joined to the domain and he is authenticating to get in. He has a mobile account so he can log in outside of the domain, but I am afraid that after a long period of no authentication through AD, the account will not log in. So my question is, does anyone know the amount of time or number of logins for which Mac OS X will use the cached credentials? Or should I just create a local profile and transfer his profile from a domain to a local profile?
- AnthonyShane Nov 21, 2013 at 12:38am
Great work! Thanks!! Been looking all over for a comprehensive guide to achieving this.
- Nelson9480 Jan 21, 2014 at 12:14pm
Great steps! Also I have found that if the user account is not shown at login then check to see if you have added the user account to the FileVault keychain.
- Daniel Yu Aug 6, 2014 at 10:16pm
Thank you for sharing. Great job! This is a valuable resource.
- Alan2999 Dec 17, 2014 at 11:39am
Let's say everything is bound and so on - how do I get the Mac password changes to sync with the AD password?
- Glenn1741 Mar 5, 2018 at 09:25pm
Does this method still work with Sierra or High Sierra?
Apple® has made huge inroads with Mac® systems over the last decade. Mac laptops and desktops have become a popular choice across organizations of all sizes in what was once a market dominated by Microsoft® Windows® systems. However, while Macs have become a common sight in the modern office, Microsoft Active Directory® (AD) has remained the identity provider.
Managing Macs with Active Directory presents challenges. Microsoft never designed AD to support Macs in the same way as Windows, nor are they interested in doing so. As the IT world shifts away from Windows to macOS® and Linux®, a significant number of IT admins want to know the best practices for integrating Macs with Active Directory.
Mac Management with Active Directory Falls Short
IT organizations have traditionally leveraged AD as their identity provider as well as their choice for managing Windows devices. AD offers a number of user and device management capabilities for Windows users and systems. However, the majority of these management capabilities aren’t available for Mac (or Linux). This presents a few major issues for IT admins.
The first issue is the lack of full control and management for macOS users. In large part, user management capabilities are limited to user authentication and password management. That means admins often have to implement third party add-ons to have the same level of control for Mac systems as they do for Windows endpoints in a pure AD environment. This not only adds a lot of complexity to user management, but also substantial added costs.
The other issue is the lack of device management capabilities for macOS systems. The most powerful example is AD's Group Policy feature. Group Policy is a device management feature that enables IT admins to deploy commands and scripts to lock down aspects of the system itself, such as setting a screen lock timer or enforcing automatic OS updates. Microsoft calls these commands and scripts Group Policy Objects (GPOs).
While GPOs are certainly powerful tools, their effectiveness comes down to two factors. For one, they can only be applied to Windows systems. The other factor is systems must be directly bound to the AD domain. That doesn’t bode well for Macs.
The lack of GPOs for macOS endpoints in an AD environment is only a side effect of a larger problem. While it is easy to forget in the modern heterogeneous IT world, Windows and macOS are competing operating systems. Therefore, it is safe to assume that Microsoft will not be delivering system management capabilities for macOS systems on the same level as Windows endpoints any time soon.
Microsoft is not all that interested in providing support for a competing operating system like macOS. So if you have an organization that is deeply entrenched with AD, yet you’ve got a fleet of Macs to manage, the question has become, “What are the best practices for integrating Macs with Active Directory?”
Options for Integrating Macs with Active Directory
Currently, there are three major options for integrating Macs with Active Directory.
Option 1 is to manually connect Macs to AD. This can be done through some configuration and settings. It isn't necessarily easy, nor scalable, but it can be done. What you don't get is deep device management (there is no equivalent of GPOs for Macs), nor the full user management capabilities you have with AD for Windows devices.
Option 2 is to leverage a legacy directory extension technology. These solutions are enterprise-caliber tools that integrate with the on-prem AD server. These solutions are often expensive and further solidify the identity management architecture on-prem, often as IT organizations are making the leap to the cloud.
Option 3 is to utilize a cloud identity bridge. The JumpCloud® Active Directory Integration that comes as part of Directory-as-a-Service® offers a particularly interesting example. This lightweight approach connects AD identities to virtually any resource that can’t be directly bound to the Active Directory domain. That can include not only Mac devices, but remote Windows machines, Linux servers at AWS, True Single Sign-On™ to web applications, WiFi authentication via RADIUS, and much more. This integration with AD federates to a cloud hosted directory service. As part of that directory service, IT admins can have full user and device control over their Mac fleet.
So What is the Best Practice?
Cloud identity bridges offer the greatest flexibility and allow an IT organization bound to AD to be more agile and adaptable as the modern office continues to evolve. AD Integration is unique in that it also offers GPO-like capabilities native to the functionality of Directory-as-a-Service. That means IT admins can set policies on Mac and Linux machines while AD remains the authoritative IdP.
If you would like to know more about the best practices for integrating Macs with Active Directory, drop us a note. You can also sign up for an account and start extending AD today to your Mac fleet. Feel free to contact us if you have any questions.