Joining a Mac to a Windows Active Directory

We picked up a few new 17″ MacBook Pros at work. We’re a Microsoft shop, so Macs aren’t part of the basic knowledge for our IT staff, myself included. I don’t want to be the Windows guy who says “I don’t do Macs”; part of being a technologist is serving the user base where they are, with the technologies they require to do their job (but please, include me in determining your requirements and technological solutions: a Mac might be really cool, but it might not fit the organization’s needs or your IT group’s ability to support your solution). Really, that’s what Web 2.0 is all about: compatible, interchangeable tools that offer customized functionality for the users’ abilities and needs. Come to think of it, that’s what VMware is all about too: the right resources in the right place at the right time, independent of underlying hardware, application/OS agnostic, able to rise above local shortcomings by pushing to the cloud.

To be fair, I was issued a Mac at a previous company, but didn’t care much for it, as the programs I had to run for my job were Windows based. I ran VMware Fusion, but it could only take me so far: funny things start to happen when you are in a VM, using Remote Desktop to reach a client server, opening the VI Client and then opening a console to yet another VM. Shortcut keys behave strangely, and one can only create so many alternate key mappings before going insane. It wasn’t the right tool for me and my job, but Macs do serve some purposes very well: graphic design and iPhone app development in my current case.

I didn’t have a requirement to do much customization on the new Macs, but they did have to allow users to authenticate to our existing Microsoft Windows Active Directory domain. I hit a few snags as I went through the process, including making domain users local administrators and allowing domain users to log in to the Mac while offline. Here is what I came up with as a final process in my environment; adjust according to your needs:

1.) Configure OS X to talk to Active Directory

  • Using Spotlight (Command+Space), open ‘Directory Utility’
  • Switch to the Services tab
  • Tick the box next to the Active Directory plug-in (Note: you may have to click the lock icon to make configuration changes).
  • Highlight the Active Directory plug-in and click the Configure icon (pencil icon).
  • Enter the Active Directory domain as a FQDN (example: mydomain.local)
  • Enter a Computer ID. This ID is used to create the computer object in AD.
  • Expand Advanced Options:
    • On the User Experience tab:
      • Check the box for ‘Create mobile account at login’. This is what caches the user’s account and credentials locally so the user can log in while off the network.
      • Uncheck the box for ‘Require confirmation before creating a mobile account’ so the cached account is created silently at first login.
      • Leave ‘Use UNC path from Active Directory to derive network home location’ checked only if AD maps the user’s home folder to a UNC and/or DFS path; otherwise uncheck it.
    • On the Administrative tab:
      • Check the box for ‘Allow administration by:’ and add the Active Directory ‘domain admins’ and ‘enterprise admins’ groups. Members of these groups become local administrators on the Mac, so keep the list to the groups that genuinely need that access.
      • Check the box for ‘Allow authentication from any domain in the forest’ if appropriate for your environment
  • Click the Bind button and enter credentials for an account with permission to join computers to the domain you are joining. Note: the computer account may appear in the default AD ‘Computers’ container even if the redircmp utility was used on the domain to change the default Organizational Unit (OU) for new computers.
  • Click OK.
  • Verify that the domain you configured appears with a green dot on the ‘Directory Servers’ tab of the Directory Utility.
  • Close the Directory Utility.

2.) Configure basic login options

  • Open the Accounts tool from Apple | System Preferences | Accounts
  • Click Login Options (Note: you may have to click the lock icon to allow changes to be made).
  • Configure the Login Options settings as follows:
    • Automatic Login: Disabled
    • Display login windows as: Name and Password
    • Check the box for ‘Allow network users to log in to this computer’.
      • Click the Options button and choose either all network users (i.e., all domain users) or only selected users to be allowed to log in.
    • Configure other options as desired.
  • Log out of the local Admin account

3.) While connected to the network, log in with a domain user account that is permitted to log in to this Mac (see above), using the AD user name and password

  • The first login may take several minutes to complete because the local (mobile) account is being created.
  • Open the Accounts tool from Apple | System Preferences | Accounts
  • Highlight the logged-in user’s account.
    • Check the box for ‘Allow user to administer this computer’ if this user should be a local administrator
    • Verify that the ‘Settings’ button next to Mobile Account is grayed out; this means an offline (mobile) account has been created for the user.

4.) Test the configuration by removing network connectivity (turn off AirPort and/or unplug the network cable) and logging in as the user you just configured.
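The same bind can be scripted instead of clicked through, which is handy once you have more than a couple of Macs and makes the settings reviewable. The script below is an added example written for this post, not code from the original article: it expresses the Step 1 Directory Utility settings as dsconfigad(8) calls and then checks `dsconfigad -show` output for the two settings the Step 4 offline login depends on. The domain, computer ID, OU, NetBIOS name and the `NETBIOS\group` group-name format are assumed placeholders, and the sample `-show` output is constructed from memory of the tool’s labels rather than captured from a real Mac, so confirm the key names against your own machine. Two practitioner points are built in: `-ou` puts the computer object where you want it (sidestepping the redircmp surprise), and `-password` is left off so dsconfigad prompts for it instead of the join account’s password landing in shell history.

```shell
#!/bin/sh
# Added example, not from the original post: the Step 1 Directory Utility
# settings expressed with dsconfigad(8), plus a check of `dsconfigad -show`.
# Assumed values (replace for your environment): domain, computer ID, OU,
# NetBIOS name and the group-name format below are placeholders.
set -u

AD_DOMAIN="mydomain.local"                            # FQDN, as in Step 1
COMPUTER_ID="mbp-design-01"                           # assumed Computer ID
AD_OU="OU=Macs,OU=Workstations,DC=mydomain,DC=local"  # assumed target OU
AD_NETBIOS="MYDOMAIN"                                 # assumed NetBIOS name
# Groups granted local admin rights; "NETBIOS\group" is the assumed format.
ADMIN_GROUPS="${AD_NETBIOS}\\domain admins,${AD_NETBIOS}\\enterprise admins"
DRY_RUN=1   # 1 = print the commands for review, 0 = execute them (run as root)

# Print a command in copy-pasteable form, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$1"; shift
        for arg; do printf " '%s'" "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

# Step 1 as dsconfigad calls. -ou creates the computer object in the chosen
# OU directly, which avoids the redircmp surprise noted above. -password is
# deliberately omitted: dsconfigad prompts for it, so the join account's
# password never lands in shell history or the process list.
bind_commands() {
    joiner="$1"    # AD account with permission to join computers to the domain
    run dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_ID" -ou "$AD_OU" \
        -username "$joiner"
    run dsconfigad -mobile enable          # Create mobile account at login
    run dsconfigad -mobileconfirm disable  # no confirmation prompt
    run dsconfigad -useuncpath enable      # derive home from the AD UNC path
    run dsconfigad -groups "$ADMIN_GROUPS" # Allow administration by
    run dsconfigad -alldomains enable      # Allow authentication from any domain
}

# Extract one "Key = value" line from `dsconfigad -show` output on stdin.
show_value() {
    awk -F' *= *' -v k="$1" '{ sub(/^ +/, ""); if ($1 == k) { print $2; exit } }'
}

# Read `dsconfigad -show` output from stdin; succeed only if this Mac is bound
# to AD_DOMAIN with mobile accounts created silently (the Step 4 offline login
# depends on exactly that).
check_bind_status() {
    show="$(cat)"
    [ -n "$show" ] || return 1   # an unbound Mac prints nothing
    [ "$(printf '%s\n' "$show" | show_value 'Active Directory Domain')" = "$AD_DOMAIN" ] || return 1
    [ "$(printf '%s\n' "$show" | show_value 'Create mobile account at login')" = "Enabled" ] || return 1
    [ "$(printf '%s\n' "$show" | show_value 'Require confirmation')" = "Disabled" ] || return 1
}

# Constructed sample of `dsconfigad -show` output for a correctly bound Mac
# (not captured from a real machine).
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = mydomain.local
  Active Directory Domain          = mydomain.local
  Computer Account                 = mbp-design-01$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled
  Use Windows UNC path for home    = Enabled

Advanced Options - Administrative
  Allowed admin groups             = MYDOMAIN\domain admins,MYDOMAIN\enterprise admins
  Authentication from any domain   = Enabled'

case "${1:-}" in
    --apply)   # on the Mac itself, as root: bind for real, then verify live
        DRY_RUN=0
        bind_commands "${2:?usage: $0 --apply <join-account>}"
        dsconfigad -show | check_bind_status && echo "bound to $AD_DOMAIN: OK"
        ;;
    *)         # default: show the commands and validate the constructed sample
        bind_commands "joiner"
        printf '%s\n' "$SAMPLE_SHOW" | check_bind_status && echo "sample: OK"
        ;;
esac
```

Run it with no arguments first to review the commands it would issue; only `--apply <join-account>` executes them, and that needs to be run as root on the Mac being joined. Step 2 and Step 3 (the login window options and the per-user ‘Allow user to administer this computer’ box) are still done in System Preferences; the script only covers the directory binding.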

5.) Buy VMware Fusion so you can run Windows on your Mac when all the stuff you were used to just ain’t there anymore  😀

