Change privileges in Directory Utility on Mac
On a computer that’s configured to use Directory Utility’s Active Directory connector, you can identify Active Directory group accounts whose members you want to have administrator privileges for the computer.
Users that are members of these Active Directory group accounts can perform administrative tasks such as installing software on the Mac computer you are configuring.
In the Directory Utility app on your Mac, click Services.
Click the lock icon.
Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).
Select Active Directory, then click the “Edit settings for the selected service” button .
If the advanced options are hidden, click the disclosure triangle next to Show Options.
Select “Allow administration by,” then change the list of Active Directory group accounts whose members you want to have administrator privileges:
To add a group, click the Add button , then enter the Active Directory domain name, a backslash, and the group account name (for example, ADS\Domain Admins, IL2\Domain Admins).
To remove a group, select it, then click the Remove button .