How to Connect your Mac to an Active Directory Domain

If you work in an enterprise environment, you’re probably familiar with Active Directory. It is Microsoft’s network-based directory and authentication system, which lets users sign in with one username and password to reach resources across the organization: network storage, email, OneDrive, and the Windows and Mac computers themselves. In most enterprise settings, Macs are bound to the domain automatically through a management suite like Jamf, Apple Configurator, etc. If you ever need to manually bind or re-bind a machine to a domain, here’s how.

Before you begin, you need to make sure you have two things in advance:

  • A local administrator account on the machine (the kind normally set up on a computer, not a domain account).
  • Credentials for an Active Directory account that is allowed to join computers to the domain (normally a domain administrator, or a service account delegated that right). Creating or removing the computer object in AD requires that permission; your local Mac admin account is not enough.

Assuming you have those in place, we can begin.

1: Open the System Preferences App.

2: In System Preferences, navigate to Users and Groups.

3: Here, make sure you’re using a local admin account on your Mac. Under the account name it should say “Admin” and nothing else. If it says “Mobile” next to it, that account is itself a cached domain account rather than a local one, so you can’t use it for this; log in with a true local admin instead.

4: Unlock System Preferences by clicking the padlock icon in the bottom left corner and typing the admin credentials for your Mac. After this, click “Login Options”, and on the bottom right side of the window you’ll see the text “Network Account Server”. Hit the “Join” button next to it.

5:  A text box will pop up asking for the server name.  You could type the server name here and attach the machine to the domain directly.  However, I would recommend you hit “Open Directory Utility” to customize a few settings first.

server

6:  A new window called “Directory Utility” will open.  Unlock this window too by clicking the padlock icon and typing in your Mac’s admin credentials.  Then double-click “Active Directory” in the list of services.

AD unlock

7:  The Directory Utility window should change and let you adjust your Active Directory settings.  We won’t go into everything, but we’ll hit a few settings you should check before you attempt to connect your machine to the domain.  First, look under the “User Experience” tab in the bottom half of the window. If you don’t see it, click the “Show Options” drop-down arrow.  There is one very important option here.

Directory Utility UX

The “Create mobile account at login” checkbox is very important.  When a machine bound to Active Directory is used to log in, the credentials you type are checked against a domain controller. If they are valid, the server returns an all-clear and the machine logs you in as that user.  To do this, though, the machine has to be able to reach a domain controller over the network.  So what happens if your machine isn’t on the same network as the server?  Normally, since it cannot reach the server, the login simply fails.  A mobile account changes that: the Mac keeps a local copy of the account and caches a hash of the user’s password, and if it cannot reach the server it checks the typed-in credentials against that cache instead.  This is particularly useful for laptops, though it also helps desktops during a network outage.  The trade-off to be aware of is that the cached credentials live on the machine’s disk, so a lost or stolen Mac with mobile accounts should also have FileVault enabled.  I would highly encourage you to check this box.  

For a mobile account to work, each user’s first login must happen while the machine can reach the Active Directory server, because that is when the account is created and cached.  If this isn’t done before the machine is taken off-site, you basically have a glorified doorstop until it comes back.  It’s also important to note that if a user changes their password while off-site, the machine will continue to accept the old cached password, and only picks up the new one once it can talk to the domain again.  

Once you’ve enabled that, we can go onto the next step.

8.  In the bottom half of the Directory Utility window, hit the “Administrative” tab.

Directory Utility Administrative  

In this tab, there are 2 options we’ll focus on.  The first is the “Allow administration by:” checkbox.  By default, a user who logs onto the machine with domain credentials is not an administrator on it, even if they are an administrator in Active Directory.  Checking this box makes members of the groups listed to the right (by default “domain admins” and “enterprise admins”) local administrators whenever they log onto the Mac.  This is useful for people in groups like IT and Support, but think about least privilege here: every account in those groups becomes a local admin on every Mac bound this way, and Domain Admins accounts generally shouldn’t be logging onto workstations at all.  A dedicated, smaller group for Mac support is usually the better choice.

The other box is the “Allow authentication from any domain in the forest” checkbox, which is checked by default.  When it is checked, the Mac will search every domain in the forest for the account being used, so users from other domains in the forest can log in.  To restrict logins to accounts from the domain you are binding to, uncheck it.  If you’re unsure, consult your Networking or Security teams.

Now we can proceed to the finals steps of connecting your machine to the domain.  

9: Near the top of the window, in the “Active Directory Domain” box, type in the domain name for your machine.  Below that is the box labeled “Computer ID”.  This is the name the machine will be registered under in Active Directory, and it must be unique in the domain.  Keep it to 15 characters, using only letters, digits and hyphens: AD stores it as a NetBIOS-style computer account name, and anything longer gets truncated, which is one way two machines end up with the same name.  Binding a machine under a name that already exists is never safe, whether the other machine is a Mac or a PC: at best the bind fails, and at worst the new machine takes over the existing computer account and the other machine can no longer authenticate to the domain.  Therefore it is very important to ensure no machine, Mac or PC, already uses the name in AD.  Once you have typed in the domain and verified the name is OK, hit “Bind”.

AD Domain entry

10.  A box labeled “Network Administrator Required” will pop up.  This is where you need your Active Directory administrator credentials, not your Mac credentials.  Once you’ve typed those into the appropriate boxes, hit OK.  You may be prompted for Mac admin access once or twice, so type those in as necessary.  

Network admin

11.  Once you’ve typed that in, you may get a spinning wheel with a note about which step it’s on.  When that’s done, the text boxes at the top will be grayed out, and the “Bind” button from before will change to “Unbind”.  You can then hit the OK button at the bottom right of the window and close Directory Utility.  You’ll be returned to the Users and Groups pane in System Preferences, where next to “Network Account Server” you should see a green circle and the short name for your domain.  

Final

If you see that, you can now logout of your local Mac admin account and sign in with domain credentials.  You’ve now added your Mac to the domain.
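The same bind can be done from the command line with dsconfigad, which is what Directory Utility drives under the hood, and that is handy when you have to re-bind a batch of machines or want the settings from steps 7 to 9 written down somewhere. The script below is an added example and not part of the original post: it checks the Computer ID against the 15-character limit before binding, applies the “mobile account”, “allow administration by” and “any domain in the forest” settings discussed above, requires signed and encrypted traffic to the domain controller, and afterwards checks whether a user’s account was actually cached before the laptop leaves the building. The domain, OU, computer name, group names and account names are placeholders, the dscl output in dry-run mode is a constructed sample, and nothing is executed unless you run it on a Mac with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: binding a Mac to AD with dsconfigad, the CLI behind Directory
# Utility. All names below are placeholders. DRY_RUN=1 (the default) only
# prints the commands so the script can be read and tested off a Mac.
DRY_RUN="${DRY_RUN:-1}"

# run prints the command in dry-run mode and executes it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# check_computer_id: AD registers the Computer ID as a NetBIOS-style account
# name, so it must be 1-15 characters of letters, digits and hyphens, not
# starting or ending with a hyphen. Returns 0 when the name is usable.
check_computer_id() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#name}" -le 15 ]
}

# bind_mac DOMAIN COMPUTER_ID OU ADMIN_GROUPS AD_ADMIN
# Refuses bad Computer IDs, then binds with the settings from steps 7-9.
bind_mac() {
    domain="$1"; computer="$2"; ou="$3"; admin_groups="$4"; ad_admin="$5"
    if ! check_computer_id "$computer"; then
        echo "refusing to bind: bad Computer ID '$computer'" >&2
        return 1
    fi
    # -mobile enable / -mobileconfirm disable: "Create mobile account at login"
    #   without prompting the user (step 7).
    # -groups: "Allow administration by" with a narrower group than Domain
    #   Admins (step 8).  -alldomains disable: accounts from the bound domain
    #   only (step 8).
    # -packetsign/-packetencrypt require: refuse unsigned or cleartext LDAP to
    #   the DC.  -passinterval 14: rotate the computer account password.
    # -password is deliberately omitted: dsconfigad prompts for it, so the AD
    #   admin password never lands in the process list or shell history.
    run dsconfigad -add "$domain" -computer "$computer" -ou "$ou" \
        -username "$ad_admin" \
        -mobile enable -mobileconfirm disable -localhome enable \
        -groups "$admin_groups" -alldomains disable \
        -packetsign require -packetencrypt require -passinterval 14
}

# verify_bind USER@DOMAIN: after binding, the Mac should report the domain
# and resolve a domain user; `id` failing here is the classic broken-bind sign.
verify_bind() {
    run dsconfigad -show
    run id "$1"
}

# is_mobile_account AUTH_LINE: a ";LocalCachedUser;" entry in the user's
# AuthenticationAuthority attribute means the Mac holds a cached copy of the
# account and can log that user in without reaching a domain controller.
is_mobile_account() {
    case "$1" in
        *";LocalCachedUser;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_offline_login USER: run before taking a laptop off-site (step 7 caveat).
check_offline_login() {
    user="$1"
    if [ "$DRY_RUN" = "1" ]; then
        # Constructed sample of the attribute dscl prints for a mobile account.
        auth='AuthenticationAuthority: ;Kerberosv5;;jsmith@CORP.EXAMPLE.COM;CORP.EXAMPLE.COM; ;LocalCachedUser;/Active Directory/CORP/corp.example.com:jsmith:01234567-89AB-CDEF-0123-456789ABCDEF'
    else
        auth=$(dscl . -read "/Users/$user" AuthenticationAuthority 2>/dev/null) || return 2
    fi
    is_mobile_account "$auth"
}

# Placeholder values for a hypothetical environment.
DOMAIN="corp.example.com"
COMPUTER_ID="MAC-LAB-07"
OU="OU=Macs,OU=Workstations,DC=corp,DC=example,DC=com"
ADMIN_GROUPS="CORP\\mac-admins,CORP\\helpdesk"
AD_ADMIN="svc-macjoin"

bind_mac "$DOMAIN" "$COMPUTER_ID" "$OU" "$ADMIN_GROUPS" "$AD_ADMIN" \
    && verify_bind "jsmith@$DOMAIN"
check_offline_login jsmith && echo "jsmith is cached; offline login will work"
```

Run it as root on the Mac with DRY_RUN=0 once the placeholders are replaced; dsconfigad will prompt for the AD account’s password. The check_offline_login step is the one to repeat for each user after their first on-network login: if it reports no cached account, the laptop will not log that user in off-site.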

Feel free to comment.
