OS X Mavericks: Using advanced Active Directory options in a configuration profile
A configuration profile can be used to configure OS X to join an Active Directory (AD) domain.
In OS X Mavericks, advanced AD options available via Directory Utility or the dsconfigad command line tool can also be set using a configuration profile.
Start with an OS X Directory payload, created in Profile Manager.
Save and download the profile so you can edit it manually.
The following AD configuration keys can be added to the Directory payload, of type com.apple.DirectoryService.managed. Note that some settings will only be set if the associated flag key is set to “true”. For example, ADPacketEncryptFlag must be set to “true” to set the ADPacketEncrypt key to “enable”.
Key | Type | Description |
---|---|---|
HostName | string | The Active Directory domain to join |
UserName | string | User name of the account used to join the domain |
Password | string | Password of the account used to join the domain |
ADOrganizationalUnit | string | The organizational unit (OU) where the joining computer object is added |
ADMountStyle | string | Network home protocol to use: “afp” or “smb” |
ADCreateMobileAccountAtLoginFlag | boolean | Enable or disable the ADCreateMobileAccountAtLogin key |
ADCreateMobileAccountAtLogin | boolean | Create mobile account at login |
ADWarnUserBeforeCreatingMAFlag | boolean | Enable or disable the ADWarnUserBeforeCreatingMA key |
ADWarnUserBeforeCreatingMA | boolean | Warn user before creating a Mobile Account |
ADForceHomeLocalFlag | boolean | Enable or disable the ADForceHomeLocal key |
ADForceHomeLocal | boolean | Force local home directory |
ADUseWindowsUNCPathFlag | boolean | Enable or disable the ADUseWindowsUNCPath key |
ADUseWindowsUNCPath | boolean | Use UNC path from Active Directory to derive network home location |
ADAllowMultiDomainAuthFlag | boolean | Enable or disable the ADAllowMultiDomainAuth key |
ADAllowMultiDomainAuth | boolean | Allow authentication from any domain in the forest |
ADDefaultUserShellFlag | boolean | Enable or disable the ADDefaultUserShell key |
ADDefaultUserShell | string | Default user shell; e.g. /bin/bash |
ADMapUIDAttributeFlag | boolean | Enable or disable the ADMapUIDAttribute key |
ADMapUIDAttribute | string | Map UID to attribute |
ADMapGIDAttributeFlag | boolean | Enable or disable the ADMapGIDAttribute key |
ADMapGIDAttribute | string | Map user GID to attribute |
ADMapGGIDAttributeFlag | boolean | Enable or disable the ADMapGGIDAttribute key |
ADMapGGIDAttribute | string | Map group GID to attribute |
ADPreferredDCServerFlag | boolean | Enable or disable the ADPreferredDCServer key |
ADPreferredDCServer | string | Prefer this domain server |
ADDomainAdminGroupListFlag | boolean | Enable or disable the ADDomainAdminGroupList key |
ADDomainAdminGroupList | array of strings | Allow administration by specified Active Directory groups |
ADNamespaceFlag | boolean | Enable or disable the ADNamespace key |
ADNamespace | string | Set primary user account naming convention: “forest” or “domain”; “domain” is default |
ADPacketSignFlag | boolean | Enable or disable the ADPacketSign key |
ADPacketSign | string | Packet signing: “allow”, “disable” or “require”; “allow” is default |
ADPacketEncryptFlag | boolean | Enable or disable the ADPacketEncrypt key |
ADPacketEncrypt | string | Packet encryption: “allow”, “disable”, “require” or “ssl”; “allow” is default |
ADRestrictDDNSFlag | boolean | Enable or disable the ADRestrictDDNS key |
ADRestrictDDNS | array of strings | Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1, etc) |
ADTrustChangePassIntervalDaysFlag | boolean | Enable or disable the ADTrustChangePassIntervalDays key |
ADTrustChangePassIntervalDays | number | How often to require change of the computer trust account password in days; “0” is disabled |
For a sample of the advanced Active Directory settings, you can look at the source of this sample configuration profile.
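The flag-key pattern in the table is easy to get wrong by hand: a payload that carries ADPacketEncrypt set to “require” but omits ADPacketEncryptFlag looks hardened in the file yet is ignored on install. The script below is an added example, not code from the article or from Apple: it builds a com.apple.DirectoryService.managed payload that always writes each advanced key together with its Flag key, rejects values outside the enumerations given in the table, and reports any key whose flag is missing so the profile can be checked before deployment. The PayloadIdentifier strings, the domain, OU and account name, and the placeholder password are constructed sample values; PayloadType, PayloadVersion, PayloadIdentifier, PayloadUUID, PayloadDisplayName and PayloadContent are the standard top-level profile keys.

```python
"""Build and sanity-check an OS X Directory payload for an AD-join configuration profile."""
import plistlib
import uuid

# Advanced keys from the article's table whose value is only applied when the
# companion "<Key>Flag" key is true.
FLAGGED_KEYS = (
    "ADCreateMobileAccountAtLogin", "ADWarnUserBeforeCreatingMA",
    "ADForceHomeLocal", "ADUseWindowsUNCPath", "ADAllowMultiDomainAuth",
    "ADDefaultUserShell", "ADMapUIDAttribute", "ADMapGIDAttribute",
    "ADMapGGIDAttribute", "ADPreferredDCServer", "ADDomainAdminGroupList",
    "ADNamespace", "ADPacketSign", "ADPacketEncrypt", "ADRestrictDDNS",
    "ADTrustChangePassIntervalDays",
)

# Allowed string values for the enumerated keys, as listed in the table.
ENUM_VALUES = {
    "ADMountStyle": {"afp", "smb"},
    "ADNamespace": {"forest", "domain"},
    "ADPacketSign": {"allow", "disable", "require"},
    "ADPacketEncrypt": {"allow", "disable", "require", "ssl"},
}


def build_directory_payload(domain, join_user, join_password, ou, settings):
    """Return one com.apple.DirectoryService.managed payload dict.

    Every advanced key in `settings` is written together with its Flag key
    set to true. Unknown keys and out-of-range enum values raise ValueError
    rather than producing a setting that would be silently ignored.
    """
    payload = {
        "PayloadType": "com.apple.DirectoryService.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad.directory",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Directory",
        "HostName": domain,
        "UserName": join_user,
        "Password": join_password,
        "ADOrganizationalUnit": ou,
    }
    for key, value in settings.items():
        if key in ENUM_VALUES and value not in ENUM_VALUES[key]:
            raise ValueError("%s: %r not in %s" % (key, value, sorted(ENUM_VALUES[key])))
        if key in FLAGGED_KEYS:
            payload[key + "Flag"] = True
        elif key != "ADMountStyle":
            raise ValueError("unknown advanced AD key: %s" % key)
        payload[key] = value
    return payload


def silent_settings(payload):
    """Return advanced keys in `payload` whose Flag key is absent or not true.

    These keys look configured in the file but are not applied on install;
    ADPacketSign/ADPacketEncrypt "require" without the flags is the case
    most worth catching before a profile ships.
    """
    return sorted(key for key in FLAGGED_KEYS
                  if key in payload and payload.get(key + "Flag") is not True)


def build_profile(directory_payload):
    """Wrap the payload in a top-level profile and return plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Active Directory join (example)",
        "PayloadContent": [directory_payload],
    }
    return plistlib.dumps(profile)


def parse_profile(data):
    """Parse .mobileconfig bytes back into a dict (used to verify the output)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed sample values; the password is a placeholder, not a real credential.
    payload = build_directory_payload(
        "ad.example.com", "joinsvc", "PLACEHOLDER-PASSWORD",
        "OU=Macs,DC=ad,DC=example,DC=com",
        {"ADPacketSign": "require", "ADPacketEncrypt": "require",
         "ADAllowMultiDomainAuth": False, "ADRestrictDDNS": ["en0"]},
    )
    assert not silent_settings(payload), silent_settings(payload)
    with open("ad-join.mobileconfig", "wb") as f:
        f.write(build_profile(payload))
```

The written file can then be installed by one of the methods listed below, for example double-clicking it in the Finder or running `sudo profiles -I -F ad-join.mobileconfig` in Terminal. Because the payload carries the join account's password in clear text, treat the .mobileconfig as a credential: generate it on the machine that installs it and remove it afterwards rather than leaving it on a shared image.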
Supported methods for installing a profile with advanced Active Directory configuration keys:

- Double-click the .mobileconfig file in the Finder
- Execute /usr/bin/profiles in Terminal
- Using System Image Utility, add the “Add Configuration Profiles” action to a NetRestore or NetInstall custom image creation workflow
Advanced Active Directory configurations cannot be deployed directly via Profile Manager.