Integrate macOS systems with Windows Active Directory

Find out if you need to give more access rights to macOS computer objects.

You don't need to modify a standard Active Directory (AD) environment before you integrate macOS systems. You might need to assign more access rights to macOS computer objects if:

  • Attribute permissions have been modified
  • The default AD schema has been modified

Depending on the AD installation, you might need to let Domain Computer accounts from all domains read more attributes. Let them read these attributes for "Computer Objects," "User Objects," and "Group Objects." Computer accounts shouldn't have write access to these attributes.

For AD default schema

c
cn
company
dNSHostName
department
description
displayName
driverName
facsimileTelephoneNumber
givenName
homeDirectory
homeDrive
l
lastLogoff
lastLogon
location
mail
mailNickname
memberOf
mobile
pager
physicalDeliveryOfficeName
postalAddress
postalCode
primaryGroupID
printerName
profilePath
pwdLastSet
rid
sAMAccountName
sAMAccountType
scriptPath
sn
st
street
streetAddress
telephoneNumber
title
url
userPrincipalName
userWorkstations

For Apple Schema extensions

Has your schema been extended to support the Apple Schema extensions? If so, the same Domain Computer accounts should be able to read all of the attributes listed above, as well as these attributes:

apple-category
apple-computeralias
apple-computer-list-groups
apple-computers
apple-data-stamp
apple-dnsname
apple-dns-domain
apple-dns-nameserver
apple-group-homeowner
apple-group-homeurl
apple-home-directory
apple-imhandle
apple-keyword
apple-mcxflags
apple-mcxsettings
apple-mountDirectory
apple-mountDumpFrequency
apple-mountOption
apple-mountPassNo
apple-mountType
apple-service-location
apple-service-port
apple-service-type
apple-service-url
apple-user-class
apple-user-authenticationhint
apple-user-homequota
apple-user-homesoftquota
apple-user-homeurl
apple-user-mailattribute
apple-user-picture
apple-user-printattribute
apple-webloguri
apple-xmlplist
gidNumber
ipHostNumber
loginShell
macAddress
uidNumber
ttl

Use AD schema tools to modify attributes

Modify these attributes to be "Index this attribute" and "Replicate this attribute to the Global Catalog."

For Windows 2000 default schemas

macAddress
apple-hwuuid

For Apple Schema extensions

uidNumber
gidNumber

Are you using a custom mapping for UID and GID in advanced settings? If so, those attributes must also be accessible, indexed, and replicated to the Global Catalog.
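The following PowerShell script is an added example, not part of Apple's article: it reports whether each attribute named above is already marked "Index this attribute" (searchFlags bit 0x1) and "Replicate this attribute to the Global Catalog" (isMemberOfPartialAttributeSet), and with -Apply sets both. It assumes the ActiveDirectory module is installed and, for -Apply, that you run it as a Schema Admin against the schema master; the default attribute list and the -Apply switch are this example's own.

```powershell
# Added example: audit (and optionally apply) the index / Global Catalog settings
# Apple asks for on macAddress, apple-hwuuid, uidNumber and gidNumber.
# Assumes the ActiveDirectory module; -Apply additionally needs Schema Admins
# rights and a connection to the schema master.
param(
    [string[]]$Attributes = @('macAddress', 'apple-hwuuid', 'uidNumber', 'gidNumber'),
    [switch]$Apply
)
Import-Module ActiveDirectory

$IndexFlag = 1                                   # searchFlags bit 0x1 = "Index this attribute"
$schemaNC  = (Get-ADRootDSE).schemaNamingContext  # e.g. CN=Schema,CN=Configuration,DC=example,DC=com

foreach ($name in $Attributes) {
    # Look the attribute up by its LDAP display name in the schema partition.
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties searchFlags, isMemberOfPartialAttributeSet

    if (-not $attr) {
        # apple-* attributes only exist once the Apple schema extensions are installed.
        Write-Warning "$name is not in the schema; skipping"
        continue
    }

    $indexed = (([int]$attr.searchFlags) -band $IndexFlag) -ne 0
    $inGC    = [bool]$attr.isMemberOfPartialAttributeSet

    [pscustomobject]@{
        Attribute       = $name
        Indexed         = $indexed
        InGlobalCatalog = $inGC
    }

    if ($Apply -and (-not $indexed -or -not $inGC)) {
        # Preserve any other searchFlags bits; only add the index bit.
        $newFlags = ([int]$attr.searchFlags) -bor $IndexFlag
        Set-ADObject -Identity $attr -Replace @{
            searchFlags                   = $newFlags
            isMemberOfPartialAttributeSet = $true
        }
        Write-Verbose "Updated $name (searchFlags=$newFlags, replicated to GC)"
    }
}
```

Run it without -Apply first to see the current state; if you use a custom UID/GID mapping, pass those attribute names via -Attributes so they are checked too.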
