Integrate macOS with Microsoft Active Directory
You can configure a Mac to access basic user account information in a Microsoft Active Directory domain of a Windows 2000 (or later) server (see the note below on versions). The Active Directory connector is listed in the Services pane of Directory Utility, and it generates all attributes required for macOS authentication from standard attributes in Active Directory user accounts. The connector also supports Active Directory authentication policies, including password changes, expirations, forced changes, and security options. Because the connector supports these features, you don’t need to make schema changes to the Active Directory domain to get basic user account information.
Note: macOS won’t be able to join an Active Directory domain without a domain functional level of at least Windows Server 2008, unless you explicitly enable “weak crypto.” Even if the domain functional levels of all domains are 2008 or later, the administrator may need to explicitly specify each domain trust to use Kerberos AES encryption.
macOS uses DNS to query the topology of the Active Directory domain. It uses Kerberos for authentication and Lightweight Directory Access Protocol (LDAP) for user and group resolution.
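Because the connector's LDAP traffic and trust scope are configurable, a defender usually wants to verify the binding rather than assume it. The following POSIX shell audit is an added example, not part of Apple's article: it parses the settings that `dsconfigad -show` (the command-line counterpart of the Directory Utility connector) reports and flags weak ones. The sample output is constructed, and the exact setting labels and the `require`/`Disabled` values are assumed to match what `dsconfigad` prints on current macOS.

```shell
#!/bin/sh
# Added example: audit the security-relevant settings of an Active Directory
# binding from `dsconfigad -show` output. The sample below is CONSTRUCTED to
# resemble that output and was not captured from a real Mac.
SAMPLE_BINDING='You are bound to Active Directory:
  Active Directory Forest          = ad.example.com
  Active Directory Domain          = ad.example.com
  Computer Account                 = mac-lab-01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = not set
  Authentication from any domain   = Enabled
  Packet signing                   = allow
  Packet encryption                = allow
  Password change interval         = 14'

# binding_value OUTPUT KEY: print the value of one "Key = value" line.
binding_value() {
    printf '%s\n' "$1" | awk -F' = ' -v k="$2" '
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
          if (key == k) { print $2; exit } }'
}

# audit_binding OUTPUT: print one FINDING line per setting below the baseline
# (LDAP packets signed and encrypted, logins limited to the bound domain,
# computer account password rotated at least every 30 days). Prints nothing
# when the binding passes.
audit_binding() {
    out="$1"
    [ "$(binding_value "$out" 'Packet signing')" = require ] ||
        echo "FINDING: LDAP packet signing is allowed but not required"
    [ "$(binding_value "$out" 'Packet encryption')" = require ] ||
        echo "FINDING: LDAP packet encryption is allowed but not required"
    [ "$(binding_value "$out" 'Authentication from any domain')" = Disabled ] ||
        echo "FINDING: logins accepted from any forest domain, not only the bound one"
    interval=$(binding_value "$out" 'Password change interval')
    { [ "${interval:-0}" -gt 0 ] && [ "$interval" -le 30 ]; } 2>/dev/null ||
        echo "FINDING: computer password change interval is '$interval' days"
}

# audit_binding_count OUTPUT: number of findings; 0 means the baseline is met.
audit_binding_count() {
    audit_binding "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# On a real Mac (run as root): audit_binding "$(dsconfigad -show)"
audit_binding "$SAMPLE_BINDING"
```

The three findings the sample produces correspond to `dsconfigad -packetsign require`, `dsconfigad -packetencrypt require` and `dsconfigad -alldomains disable`, which are the flags an administrator would use to tighten the binding.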
When macOS is fully integrated with Active Directory, users:
Are subject to the organization’s domain password policies
Use the same credentials to authenticate and gain authorization to secured resources
Are issued user and machine certificate identities from an Active Directory Certificate Services server
Can automatically traverse a Distributed File System (DFS) namespace and mount the appropriate underlying Server Message Block (SMB) server
You can also use the Directory payload in your mobile device management (MDM) solution or Profile Manager to configure these settings, then push that payload to all of the Mac computers in your organization. See Directory payload settings in MDM Settings for IT Administrators.
Note: Mac clients assume full read access to attributes that are added to the directory. Therefore, it might be necessary to change the Access Control List (ACL) of those attributes to permit computer groups to read these added attributes.