Add or Remove Mac from Active Directory
Revision as of 19:33, 27 May 2013 by Bw38 (talk | contribs) (→Add Mac to Active Directory using Directory Utility)
There are two ways to add a Mac to Active Directory. The results are the same. Before proceeding make sure the Mac is connected to your network either via Ethernet or wireless. Macs can establish wireless connections at the login screen which is helpful for devices such as the MacBook Air that do not have Ethernet ports.
Contents
Open Directory Utility
- Click on Apple in top left corner and click on System Preferences.
- Click on Users & Groups.
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- Click on Login Options.
- Where it says Network Account Server, click on the button Join...
- Click on Open Directory Utility...
- Double click on Active Directory. Note, you may click on the lock in the bottom left corner to unlock and make edits.
Or alternatively...
- Open Finder.
- Click on Go menu and then Go to folder...
- Type /System
- Open Library folder
- Open Core Services folder
- Open Directory Utility.app
- Double click on Active Directory. Note, you may click on the lock in the bottom left corner to unlock and make edits.
Add Mac to Active Directory using Directory Utility
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- You will see three tabs: Services Search Policy Directory Editor. By default you will be under the Services tab. If not, please click Services.
- Double click on Active Directory.
- Enter the following information:
- Leave Active Directory Forest alone.
- Active Directory Domain: enter your domain name (i.e. company.com for purposes of this guide)
- Computer ID: enter computer name
- Click on arrow next to Show Advanced Options.
- If you want to make an AD group administrators on the computer, click the Administrative tab.
- Make sure Allow administration by: is checked.
- Click on the plus sign and type enter AD group name to allow AD group to be administrators on the machine.
- Click on the Bind... button.
- Enter your AD username in the Username: text field
- Enter your AD password in the Password: text field
- The next step requires you to fill out Computer OU: which can be handled one of two ways
- First method: in reverse name format, type out the Organizational Unit (OU) the machine is going to be added to. For example: OU=MacOSX,OU=Computers,DC=company,DC=com. You will most likely need to remote into a PC machine and look at the Active Directory hierarchy for the domain to see the structure of OUs using Active Directory Users and Computers if you cannot remember the hierarchy. Please notice the use of commas and OU= which is important otherwise this may fail.
OU stands for Organizational Unit and DC stands for Domain Controller. CN stands for Class Name. - Second method: leave Computer OU: as is which should be CN=Computers,DC=company,DC=com. Instead remote into a PC with Active Directory Users and Computers. Go to the proper OU where the Mac will go and right-click the OU and select New -> Computer. Enter the Computer Name which needs to match the Computer ID filled out earlier. On the Mac, in Directory Utility you should now be able to click Bind.
OU stands for Organizational Unit. DC stands for Domain Controller. CN stands for Class Name.
If you will used the second method of adding a Mac to Active Directory, you will see the following message:
Please click OK. This is the Mac telling you that you will be overwriting a computer account in Active Directory which is fine and should not cause any problems.Join existing account?
The account information you entered specifies an account that already exists. Do you wish to join this computer to the existing computer account? This operation cannot be undone.
- First method: in reverse name format, type out the Organizational Unit (OU) the machine is going to be added to. For example: OU=MacOSX,OU=Computers,DC=company,DC=com. You will most likely need to remote into a PC machine and look at the Active Directory hierarchy for the domain to see the structure of OUs using Active Directory Users and Computers if you cannot remember the hierarchy. Please notice the use of commas and OU= which is important otherwise this may fail.
- Click the User Experience tab. This should be the default tab you see anyways.
- Check Create mobile account at login. This will ensure that a user's credentials are cached on the computer when they are off the network.
- Check Require confirmation before creating a mobile account. Otherwise you may see a prompt when you login with your AD credentials for the first time to create a mobile account folder which should be answered with Yes. And if given the option select Do not ask me again.
- If you are not using network homes, then uncheck Use UNC path from Active Directory to derive network home location
- Select OK.
Remove Mac from Active Directory using Directory Utility
It is possible to remove a machine from Active Directory from within Mac OS X. This assumes the machine is on AD domain.
- First, you will need to open Directory Utility.
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- You will see three tabs: Services Search Policy Directory Editor. By default you will be under the Services tab. If not, please click Services.
- Double click on Active Directory.
- Click on the Unbind... button.
- Enter your AD username in the Username: text field
- Enter your AD password in the Password: text field
- Select OK.
