OS X Mavericks: Using advanced Active Directory options in a configuration profile

A configuration profile can be used to configure OS X to join an Active Directory (AD) domain.

This article has been archived and is no longer updated by Apple.

In OS X Mavericks, advanced AD options available via Directory Utility or the dsconfigad command line tool can also be set using a configuration profile.

  1. Start with an OS X Directory payload, created in Profile Manager.
  2. Save and download the profile so you can edit it manually.

The following AD configuration keys can be added to the Directory payload, of type com.apple.DirectoryService.managed. Note that some settings are only applied if the associated flag key is set to “true”. For example, ADPacketEncryptFlag must be set to “true” for the ADPacketEncrypt key to be set to “enable”.

Key                                 Type              Description
HostName                            string            The Active Directory domain to join
UserName                            string            User name of the account used to join the domain
Password                            string            Password of the account used to join the domain
ADOrganizationalUnit                string            The organizational unit (OU) where the joining computer object is added
ADMountStyle                        string            Network home protocol to use: “afp” or “smb”
ADCreateMobileAccountAtLoginFlag    boolean           Enable or disable the ADCreateMobileAccountAtLogin key
ADCreateMobileAccountAtLogin        boolean           Create a mobile account at login
ADWarnUserBeforeCreatingMAFlag      boolean           Enable or disable the ADWarnUserBeforeCreatingMA key
ADWarnUserBeforeCreatingMA          boolean           Warn the user before creating a mobile account
ADForceHomeLocalFlag                boolean           Enable or disable the ADForceHomeLocal key
ADForceHomeLocal                    boolean           Force a local home directory
ADUseWindowsUNCPathFlag             boolean           Enable or disable the ADUseWindowsUNCPath key
ADUseWindowsUNCPath                 boolean           Use the UNC path from Active Directory to derive the network home location
ADAllowMultiDomainAuthFlag          boolean           Enable or disable the ADAllowMultiDomainAuth key
ADAllowMultiDomainAuth              boolean           Allow authentication from any domain in the forest
ADDefaultUserShellFlag              boolean           Enable or disable the ADDefaultUserShell key
ADDefaultUserShell                  string            Default user shell, e.g. /bin/bash
ADMapUIDAttributeFlag               boolean           Enable or disable the ADMapUIDAttribute key
ADMapUIDAttribute                   string            Map UID to attribute
ADMapGIDAttributeFlag               boolean           Enable or disable the ADMapGIDAttribute key
ADMapGIDAttribute                   string            Map user GID to attribute
ADMapGGIDAttributeFlag              boolean           Enable or disable the ADMapGGIDAttribute key
ADMapGGIDAttribute                  string            Map group GID to attribute
ADPreferredDCServerFlag             boolean           Enable or disable the ADPreferredDCServer key
ADPreferredDCServer                 string            Prefer this domain server
ADDomainAdminGroupListFlag          boolean           Enable or disable the ADDomainAdminGroupList key
ADDomainAdminGroupList              array of strings  Allow administration by the specified Active Directory groups
ADNamespaceFlag                     boolean           Enable or disable the ADNamespace key
ADNamespace                         string            Primary user account naming convention: “forest” or “domain”; “domain” is the default
ADPacketSignFlag                    boolean           Enable or disable the ADPacketSign key
ADPacketSign                        string            Packet signing: “allow”, “disable” or “require”; “allow” is the default
ADPacketEncryptFlag                 boolean           Enable or disable the ADPacketEncrypt key
ADPacketEncrypt                     string            Packet encryption: “allow”, “disable”, “require” or “ssl”; “allow” is the default
ADRestrictDDNSFlag                  boolean           Enable or disable the ADRestrictDDNS key
ADRestrictDDNS                      array of strings  Restrict Dynamic DNS updates to the specified interfaces (e.g. en0, en1)
ADTrustChangePassIntervalDaysFlag   boolean           Enable or disable the ADTrustChangePassIntervalDays key
ADTrustChangePassIntervalDays       number            How often, in days, to require a change of the computer trust account password; “0” disables it

For a sample of the advanced Active Directory settings, you can look at the source of this sample configuration profile.
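As an added example (not Apple's sample profile, and not code from this article), the script below builds a Directory payload with the flag-key convention described above, emits it as .mobileconfig XML with plistlib, and checks an existing payload for advanced keys whose Flag key is missing or false, which OS X would silently ignore. The host name, account, payload identifiers and the chosen values (signing and encryption required, 14-day trust password rotation) are placeholders; note that the join password is stored in the profile as a plain string, so the file itself needs to be handled as a credential.

```python
import plistlib
import uuid

# Advanced keys from the table above; each takes effect only when <Key>Flag is true.
FLAGGED_KEYS = {
    "ADCreateMobileAccountAtLogin", "ADWarnUserBeforeCreatingMA",
    "ADForceHomeLocal", "ADUseWindowsUNCPath", "ADAllowMultiDomainAuth",
    "ADDefaultUserShell", "ADMapUIDAttribute", "ADMapGIDAttribute",
    "ADMapGGIDAttribute", "ADPreferredDCServer", "ADDomainAdminGroupList",
    "ADNamespace", "ADPacketSign", "ADPacketEncrypt", "ADRestrictDDNS",
    "ADTrustChangePassIntervalDays",
}

def ad_payload(host, user, password, **advanced):
    """One com.apple.DirectoryService.managed payload; every advanced key
    passed in also gets its companion Flag key set, so the setting applies."""
    payload = {
        "PayloadType": "com.apple.DirectoryService.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad.directory",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "HostName": host, "UserName": user, "Password": password,
    }
    for key, value in advanced.items():
        if key not in FLAGGED_KEYS:
            raise ValueError("not an advanced AD key: " + key)
        payload[key + "Flag"] = True
        payload[key] = value
    return payload

def ineffective_keys(payload):
    """Advanced keys whose Flag key is missing or false: OS X ignores them,
    so a payload that reads ADPacketSign=require may not actually require it."""
    return sorted(k for k in FLAGGED_KEYS
                  if k in payload and payload.get(k + "Flag") is not True)

def build_profile(payload):
    """Wrap the payload in a top-level profile and emit the .mobileconfig XML."""
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ad",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "AD join (signing and encryption required)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":  # save the output as ad.mobileconfig
    p = ad_payload("ad.example.com", "joiner", "REPLACE_ME", ADPacketSign="require",
                   ADPacketEncrypt="require", ADTrustChangePassIntervalDays=14)
    print(build_profile(p).decode())
```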

Supported methods for installing a profile that contains advanced Active Directory configuration keys:

  • Double-click the .mobileconfig file via the Finder
  • Execute /usr/bin/profiles via Terminal
  • Using System Image Utility, add the 'Add Configuration Profiles' action to a NetRestore or NetInstall custom image creation workflow

Advanced Active Directory configurations cannot be deployed directly via Profile Manager.
