This article has been archived and is no longer updated by Apple.

Integrate macOS systems with Windows Active Directory

Find out if you need to give more access rights to macOS computer objects.

You don't need to modify a standard Active Directory (AD) environment before you integrate macOS systems. You might need to assign more access rights to macOS computer objects if:

  • Attribute permissions have been modified

  • The default AD schema has been modified

Depending on the AD installation, you might need to let Domain Computer accounts from all domains read more attributes. Let them read these attributes for "Computer Objects," "User Objects," and "Group Objects." Computer accounts shouldn't have write access to these attributes.

For AD default schema

c, cn, company, dNSHostName, department, description, displayName, driverName, facsimileTelephoneNumber, givenName, homeDirectory, homeDrive, l, lastLogoff, lastLogon, location, mail, mailNickname, memberOf, mobile, pager, physicalDeliveryOfficeName, postalAddress, postalCode, primaryGroupID, printerName, profilePath, pwdLastSet, rid, sAMAccountName, sAMAccountType, scriptPath, sn, st, street, streetAddress, telephoneNumber, title, url, userPrincipalName, userWorkstations

For Apple Schema extensions

Has your schema been extended to support the Apple Schema extensions? If so, the computer accounts should be able to read all of the attributes listed above. They should also be able to read these attributes:

apple-category, apple-computeralias, apple-computer-list-groups, apple-computers, apple-data-stamp, apple-dnsname, apple-dns-domain, apple-dns-nameserver, apple-group-homeowner, apple-group-homeurl, apple-home-directory, apple-imhandle, apple-keyword, apple-mcxflags, apple-mcxsettings, apple-mountDirectory, apple-mountDumpFrequency, apple-mountOption, apple-mountPassNo, apple-mountType, apple-service-location, apple-service-port, apple-service-type, apple-service-url, apple-user-class, apple-user-authenticationhint, apple-user-homequota, apple-user-homesoftquota, apple-user-homeurl, apple-user-mailattribute, apple-user-picture, apple-user-printattribute, apple-webloguri, apple-xmlplist, gidNumber, ipHostNumber, loginShell, macAddress, uidNumber, ttl

Use AD schema tools to modify attributes

Modify these attributes to be "Index this attribute" and "Replicate this attribute to the Global Catalog."

For Windows 2000 default schemas

macAddress, apple-hwuuid

For Apple Schema extensions

uidNumber, gidNumber

Are you using a custom mapping for UID and GID in advanced settings? If so, those attributes must also be accessible, indexed, and replicated to the Global Catalog.
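The following PowerShell script is an added example, not part of this Apple article, that audits the schema settings described above from a domain-joined Windows host with the ActiveDirectory module. It checks each attribute for the "Index this attribute" bit in searchFlags and the isMemberOfPartialAttributeSet flag (replicate to the Global Catalog), and only writes to the schema when -Apply is passed; the attribute list and the -Apply switch are assumptions of this example.

```powershell
# Added example (not Apple's code): audit, and optionally apply, the schema
# settings the article asks for. Schema writes need Schema Admins rights and
# replicate forest-wide, so this script reports by default and only changes
# anything when run with -Apply.
param([switch]$Apply)
Import-Module ActiveDirectory

# Attributes from the article: Windows 2000 default schema plus Apple extensions.
# Extend this list if you use a custom UID/GID mapping in advanced settings.
$attrs = @('macAddress', 'apple-hwuuid', 'uidNumber', 'gidNumber')

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster   # schema edits must go to the FSMO holder
$INDEXED      = 1                              # searchFlags bit 0 = "Index this attribute"

foreach ($name in $attrs) {
    $obj = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags, isMemberOfPartialAttributeSet
    if (-not $obj) {
        # Apple attributes are only present once the Apple schema extensions are loaded.
        Write-Warning "$name is not defined in the schema"
        continue
    }

    $indexed = ([int]$obj.searchFlags -band $INDEXED) -ne 0
    $inGC    = [bool]$obj.isMemberOfPartialAttributeSet
    '{0,-14} indexed={1,-5} replicatedToGC={2}' -f $name, $indexed, $inGC

    if ($Apply -and -not ($indexed -and $inGC)) {
        # Preserve any other searchFlags bits already set on the attribute.
        $flags = [int]$obj.searchFlags -bor $INDEXED
        Set-ADObject -Server $schemaMaster -Identity $obj.DistinguishedName `
            -Replace @{ searchFlags = $flags; isMemberOfPartialAttributeSet = $true }
        "  -> updated $name"
    }
}
```

Run it once without -Apply to confirm which attributes still need changing, and review the output before rerunning with -Apply, since adding an attribute to the Global Catalog triggers a partial attribute set rebuild on every GC in the forest.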
