Integrating Mac OS X 10.6 with AD
This page provides basic instructions for integrating a Mac OS X 10.6 or newer computer with Active Directory, allowing the use of AD credentials to log in. These instructions require AD administrative accounts, so must be used by OU administrators.
For more information on Mac OS X 10.6 or newer and Active Directory or Open Directory, please see our AD/OD setup, binding, and troubleshooting document.
Bind the computer to AD
- Open Applications > System Preferences.
- Click on the Accounts preference pane.
- Click Login Options located in the left column.
- Click Join…
- Enter ad.bu.edu or ad2.bu.edu as the Server. Snow Leopard will automatically determine the type of server from the address you enter. The Client Computer ID will be based on the name in the Mac’s Sharing settings.
- The AD Admin User and AD Admin Password fields should be the AD or AD2 credentials of a departmental OU administrator.
- Click OK and wait for the bind to complete.
- Once the progress indicator has disappeared, click on the Edit… button in the Accounts pane.
- Click Open Directory Utility…
- Authenticate to make changes.
- Double-click Active Directory.
- Click on the triangle next to Show Advanced Settings to expand the window.
- Select the User Experience tab.
- Check Create mobile account for systems that will not have an always-on network connection. For instance, this would be appropriate for laptops that may be used while not connected to a network. If you do select this option, it is best to uncheck Require confirmation before creating a mobile account option as the message it produces can be a bit confusing.
- Uncheck Use UNC path from Active Directory.
- Make sure Force local home is checked.
- You may also optionally configure the default user shell by leaving the default value or by adding /usr/bin/false, which disables shell access for AD users.
- Switch to the Mappings tab.
- Set Map UID to attribute to bu-ph-index-id-numeric.
- Once all of your Directory Utility settings are as you would like them, accept and close all windows until you are back to the Accounts pane. On this screen, change the Display login window as option to Name and Password.
The steps above should allow authentication using AD credentials. Restart the computer and try logging in with an AD account. You do not need to prepend AD or anything similar. For more information on binding to Active Directory or Open Directory, please see our AD/OD setup, binding, and troubleshooting document.
If a user has both an AD and AD2 account, you must specify which domain the Mac should be checking for credentials. To do so:
- Go back to the Administrative tab mentioned in step 13 and uncheck the box titled Allow authentication from any domain in the forest.
- Click OK to save this change.
- Click on the Search Policy button at the top of the window.
- Under the Authentication tab, remove the listing for /Active Directory/All Domains if it is present.
- Click the + button to add a new domain.
- From the list, add “/Active Directory/adr.bu.edu” and the address of whichever domain the user is trying got log in to (either “/Active Directory/ad.bu.edu” for AD or “/Active Directory/ad2.bu.edu” for AD2).
- Click Apply to save changes and close out of all open windows.