I would like to have my MacBook Pro authenticate against Active Directory running on Windows 2008. A couple of years ago I tried to set this up between OS X 10.4 and Windows 2003 but I wasn't successful. A detailed step-by-step guide and a list of gotchas around domain security policy would be great.
Asked
Active
Viewed 1,451 times
2 Answers
8
I'd recommend starting with this guide on Apple's mailing list (credit to Gilbert Palau):
The crux is quoted here:
- Go to the Directory Utility ‐> /Applications/Utilities/
- Click the Advanced Settings Button ‐> Buttons should appear on the top
- Click Services
- Make sure you're authenticated to makes changes ‐> click the lock and login
- Double‐click the Active Directory
- type in your domain in "Active Directory Domain" ‐> ex. (mydomain.com) watch out if your domain ends with .local opposed to.com or .net, you need to disable bonjour if it ends with .local.
- click bind
- enter in username and password ‐> just the username NOT email@hidden or MYDOMAIN\User
- Click ok.
Chealion
- 5,713
- 27
- 29
-
The great failure here is that this does authentication only, not authorization. Supposedly, if your AD administrators add the AD Services for Mac, then you can add the proper extensions to do machine authorization, although I have not seen it in action. I have purposely not added Macs to our Directory because of the lack of authorization. – Scott Pack May 27 '09 at 14:30
-
It can do authorization for local administration, but from memory it may be necessary to use the 'dsconfigad' command-line tool to specify which AD groups will gain local admin privs. – Froosh May 29 '09 at 06:19
4
Two great resources on joining OSX clients to Active Directory are:
The Apple white paper on how to do it: pdf
An Apple video presentation on best practices for OSX AD: seminar
Apple has an extensive list of white papers and the like for a whole range of topics - check it out at http://www.apple.com/business/resources/
Jon Rhoades
- 4,989
- 3
- 30
- 47