Macintosh on a Windows Active Directory Domain

From Free Knowledge Base- The DUCK Project: information for everyone

Occasionally we will have a customer who uses a Mac-based PC and needs to access Active Directory (AD) to use shared drives, get company email, etc. In that case we need to tell the Mac that it is going to connect to an AD domain and give it the settings it will need. This document walks you through that setup. Because the AD plugin uses DNS to locate AD resources on the network, very little configuration is necessary for the AD plugin. Gather the settings from a Windows machine that is already on the AD: click Start, then Run, and launch cmd.exe. When the command prompt comes up, type "ipconfig /all" (without the quotes); this gives you most of the information you need. Now on to the actual procedure.

  1. Launch the Directory Access application, enter the Administrator credentials (if you don't know or don't have an Administrator account, just try your/client's user account), and click on the Active Directory plugin checkbox. Now you can click on the “Configure...” button.

File:DirectoryAccessScreenshot.png

  2. Provide the directory domain and a computer ID, then click on the “Bind” button and provide your AD credentials (or bind credentials provided to you by your AD administrator). Consider the Computer OU carefully. The default Computer OU may not exist, may not be appropriate, or may not be accessible with your account privileges. The bind will fail if your account does not have write access to the Computer OU, so ask your AD administrator what the appropriate Computer OU is for your computer. Also, the computer ID should not be longer than 19 characters. In general, it is best practice to use the first part of the DNS hostname.
  3. Click on the “Show Advanced Options” button. Consider the options in the User Experience tab:
    1. “Create mobile account”: causes the client to cache the account credentials of the last user to use the machine. This can be handy if your users take their machines home.
    2. “Force local home”: This should be checked if your AD does not specify the location of user home directories, or if you do not want users to have network-based home directories.
    3. “Use UNC path from Active Directory to derive home location”: If your AD user accounts indicate the path to a home directory, this option allows the AD plugin to convert the value to a URL that can be used to mount the sharepoint upon login. If you do not specify the correct network protocol, an error will occur when users try to log in.
  4. Consider the options in the Administrative tab:
    1. “Prefer this domain server”: If you have a preferred domain server, indicate it here. If the server becomes unavailable, the AD plug-in automatically falls back to another nearby server in the forest. By default, the AD plug-in automatically determines the closest AD domain in the forest.
    2. “Allow administration by”: This allows you to specify AD groups whose members should have administrative privileges on the machine.
    3. “Allow authentication from any domain within the forest”: If your forest has multiple domains, this essentially expands the search base that the AD plugin uses to find user records so users from other domains can log in to the machine.
  5. When the bind has completed, return to the LDapper application and find your computer’s record in the Computer container.
  6. Return to Directory Access and click on the “OK” button to close the AD plugin window.
  7. Click on the “Authentication” tab. If your machine is configured with an LDAP node from a previous exercise, remove that node from the list, click Apply, then close Directory Access.
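The procedure above, gathered into a scripted form as an added example (this is not code from the DUCK Project page; the page's own procedure uses the Directory Access GUI). It assumes macOS 10.5 or later, where the same AD plugin options are exposed through the dsconfigad command, and it validates the computer ID against the 19-character limit, derives it from the first label of the DNS hostname, checks the DNS SRV record the plugin relies on to find domain controllers, and maps each checkbox from the User Experience and Administrative tabs onto the corresponding dsconfigad flag. The domain, OU, account, group and server names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the DUCK Project page): POSIX shell helpers that
# mirror the Directory Access steps as a scripted AD bind on macOS.
# Assumptions: macOS 10.5 or later, where the AD plugin is driven by the
# dsconfigad command (the page describes the 10.4-era Directory Access GUI);
# bind credentials and a Computer OU supplied by the AD administrator.
# Every domain, OU, account and server value used here is a constructed placeholder.

# Keep the computer ID within the page's 19-character limit and restrict it
# to characters that are safe as a DNS label / AD computer name.
# Returns 0 when acceptable, 1 otherwise.
check_computer_id() {
    id="$1"
    [ -n "$id" ] || return 1
    [ "${#id}" -le 19 ] || return 1
    case "$id" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Best practice from the page: derive the computer ID from the first part
# of the DNS hostname (everything before the first dot).
derive_computer_id() {
    printf '%s\n' "${1%%.*}"
}

# The AD plugin locates domain controllers through DNS SRV records, so a
# missing _ldap._tcp.dc._msdcs record is the first thing to check when a
# bind fails. Uses dig if present; returns 2 when dig is unavailable,
# 0 when at least one SRV record is returned, 1 otherwise.
check_dc_srv() {
    domain="$1"
    command -v dig >/dev/null 2>&1 || return 2
    dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | grep -q .
}

# Map the GUI choices from the procedure onto dsconfigad flags and print the
# resulting command line. -password is deliberately not emitted so the bind
# secret never appears in the printed string; add it when you actually run
# the command as root.
build_bind_command() {
    domain="$1"; computer="$2"; ou="$3"; bind_user="$4"
    preferred="$5"; admin_groups="$6"
    printf '%s' "dsconfigad -add $domain -computer $computer -ou \"$ou\" -username $bind_user"
    printf '%s' " -mobile enable"                   # "Create mobile account"
    printf '%s' " -localhome enable"                # "Force local home"
    printf '%s' " -useuncpath enable -protocol smb" # "Use UNC path ..." with an explicit protocol
    [ -n "$preferred" ] && printf '%s' " -preferred $preferred"         # "Prefer this domain server"
    [ -n "$admin_groups" ] && printf '%s' " -groups \"$admin_groups\""  # "Allow administration by"
    printf '%s\n' " -alldomains enable"             # "Allow authentication from any domain within the forest"
}
```

Source the file and call build_bind_command with your own values to review the command before running it as root; the protocol is set explicitly because, as the page notes, the UNC-path option fails at login when the network protocol is not specified. If check_dc_srv reports no record, point the Mac at the AD DNS servers listed by ipconfig /all on a domain member before attempting the bind, since the plugin cannot find a domain controller without that SRV lookup.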

-Nate

Related

See also: Access Microsoft Workgroup Shares with OSX