Control authentication from all domains in the Active Directory forest in Directory Utility on Mac
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can permit users in the Active Directory forest to authenticate from all domains, or you can restrict authentication to users from individual domains.
In the Directory Utility app
on your Mac, click Services.Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Select Active Directory, then click the “Edit settings for the selected service” button
.If the advanced options are hidden, click the disclosure triangle next to Show Options.
Click Administrative.
Select “Allow authentication from any domain in the forest.”
If you select “Allow authentication from any domain in the forest,” you can add the Active Directory forest to the computer’s custom search policies for authentication and contacts.
When you add an Active Directory forest to a custom search policy, the forest appears in the list of available directory domains as “/Active Directory/All Domains.” (This is the default setting.)
If you deselect “Allow authentication from any domain in the forest,” you can add Active Directory domains individually to the computer’s custom search policies for authentication and contacts.
When you add Active Directory domains to a custom search policy, each Active Directory domain appears separately in the list of available directory domains.
Click OK.
After selecting “Allow authentication from any domain in the forest,” change the custom search policy in the Authentication and Contacts panes to include the Active Directory forest or selected domains. See Define search policies.