Integrate macOS systems with Windows Active Directory
Find out if you need to give more access rights to macOS computer objects.
You don't need to modify a standard Active Directory (AD) environment before you integrate macOS systems. You might need to assign more access rights to macOS computer objects if:
Attribute permissions have been modified
The default AD schema has been modified
Depending on the AD installation, you might need to let Domain Computer accounts from all domains read more attributes. Let them read these attributes for "Computer Objects," "User Objects," and "Group Objects." Computer accounts shouldn't have write access to these attributes.
For AD default schema
c
cn
company
dNSHostName
department
description
displayName
driverName
facsimileTelephoneNumber
givenName
homeDirectory
homeDrive
l
lastLogoff
lastLogon
location
mail
mailNickname
memberOf
mobile
pager
physicalDeliveryOfficeName
postalAddress
postalCode
primaryGroupID
printerName
profilePath
pwdLastSet
rid
sAMAccountName
sAMAccountType
scriptPath
sn
st
street
streetAddress
telephoneNumber
title
url
userPrincipalName
userWorkstations
For Apple Schema extensions
Has your Schema been extended to support Apple Schema extensions? If so, AD should be able to read all of the attributes that are listed above. It should also be able to read these attributes:
apple-category
apple-computeralias
apple-computer-list-groups
apple-computers
apple-data-stamp
apple-dnsname
apple-dns-domain
apple-dns-nameserver
apple-group-homeowner
apple-group-homeurl
apple-home-directory
apple-imhandle
apple-keyword
apple-mcxflags
apple-mcxsettings
apple-mountDirectory
apple-mountDumpFrequency
apple-mountOption
apple-mountPassNo
apple-mountType
apple-service-location
apple-service-port
apple-service-type
apple-service-url
apple-user-class
apple-user-authenticationhint
apple-user-homequota
apple-user-homesoftquota
apple-user-homeurl
apple-user-mailattribute
apple-user-picture
apple-user-printattribute
apple-webloguri
apple-xmlplist
gidNumber
ipHostNumber
loginShell
macAddress
uidNumber
ttl
Use AD schema tools to modify attributes
Enable "Index this attribute" and "Replicate this attribute to the Global Catalog" for these attributes.
For Windows 2000 default schemas
macAddress
apple-hwuuid
For Apple Schema extensions
uidNumber
gidNumber
Are you using a custom mapping for UID and GID in advanced settings? If so, those attributes must also be accessible, indexed, and replicated to the Global Catalog.
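To confirm the index and Global Catalog settings described above, you can read each attribute's schema object from PowerShell. This is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and the account can read the schema partition. The attribute names are the ones listed on this page.

```powershell
# Added example: audit the schema flags for the attributes this page says
# must be indexed and replicated to the Global Catalog.
# Assumption: ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Names taken from the page. If you use a custom UID/GID mapping,
# append those attribute names here as well.
$attributes = 'macAddress', 'apple-hwuuid', 'uidNumber', 'gidNumber'

# Schema objects live in the schema naming context of the forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

$report = foreach ($name in $attributes) {
    $query = @{
        SearchBase = $schemaNC
        LDAPFilter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
        Properties = 'searchFlags', 'isMemberOfPartialAttributeSet'
    }
    $attr = Get-ADObject @query

    if (-not $attr) {
        # Attribute is absent, e.g. the Apple schema extensions are not installed.
        [pscustomobject]@{
            Attribute = $name; InSchema = $false
            Indexed = $false; InGlobalCatalog = $false
        }
        continue
    }

    [pscustomobject]@{
        Attribute       = $name
        InSchema        = $true
        # Bit 0x1 of searchFlags is set when "Index this attribute" is enabled.
        Indexed         = [bool]($attr.searchFlags -band 1)
        # TRUE when the attribute is replicated to the Global Catalog.
        InGlobalCatalog = [bool]$attr.isMemberOfPartialAttributeSet
    }
}

$report | Format-Table -AutoSize

# Flag anything that does not meet the requirement stated on the page.
foreach ($row in $report) {
    if (-not ($row.InSchema -and $row.Indexed -and $row.InGlobalCatalog)) {
        Write-Warning "$($row.Attribute): not present, not indexed, or not in the Global Catalog"
    }
}
```

The script only reads the schema; changing the flags still requires schema administrator rights and the AD schema tools.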