Binding a Mac to an Active Directory domain with Directory Utility
The Directory Utility app is located in /System/Library/CoreServices/Applications/. After you’re authenticated as a macOS administrator, you select the Active Directory connector and configure the basic options listed below:
Active Directory forest: The name of the Active Directory forest. If the name is unknown, the Active Directory connector queries the domain for the information.
Active Directory domain: The DNS host name of the Active Directory domain you want to bind to the Mac you’re configuring.
Computer ID: The Computer ID is the name the Mac is known by in the Active Directory domain, and it’s preset to the name of the Mac as shown in Sharing preferences. You might change this name to conform to your organization’s established scheme for naming computers in the Active Directory domain. If you’re not sure of the naming scheme, ask the Active Directory domain administrator.
Important: If a computer name contains a hyphen, you might not be able to join or bind to a Directory Domain such as LDAP or Active Directory. In this case, use a computer name that doesn’t contain a hyphen.
After the information is entered, bind the Mac to Active Directory with the following information:
User name and password: Domain-joining privilege can be assigned to any user, not only an administrator. If the Mac is creating the object in Active Directory, the user needs to have Read and Create All Child Objects permissions on the specified container.
Computer OU: By default, macOS creates the object in the Computers container, but any container or organizational unit (OU) can be used. If the object already exists, the user must be a member of the group with the ability to join the account, as specified in Active Directory Users and Computers.
Use for authentication (optional): Specify whether to add Active Directory to the computer’s authentication search policy.
Use for contacts (optional): Specify whether to add Active Directory to the computer’s contacts search policy.
Advanced user experience options
Create mobile accounts at login: This creates a local, cached copy of the network account so the user can log in when the Mac is off the network. You can require a confirmation dialog when an account is used to log in to the Mac for the first time.
Force local home directory on startup volume: Disable this option when using pure network home directories. You can’t change this option if “Create mobile account at login” is selected.
Use UNC path from Active Directory to derive network home location: When you enable this option, if the Active Directory user account record has a home folder specified, the Mac mounts the location and creates a link in the Dock. The default protocol is SMB3, but you can set it to AFP.
Default user shell: This determines the Terminal app shell environment the user has.
Advanced mapping options
On a Mac configured to use Directory Utility’s Active Directory connector, you can specify an Active Directory attribute to map to the group ID, primary group ID (GID), and unique user ID (UID) attribute in macOS. To review these options in more detail, see Map the group ID, Primary GID, and UID to an Active Directory attribute in the Directory Utility User Guide.
Advanced administrator options
On a Mac that’s configured to use Directory Utility’s Active Directory connector, you can specify the following:
Prefer this domain server: By default, macOS uses site information and domain controller responsiveness to determine the appropriate domain controller to use. If you specify a domain controller in the same site here, it’s consulted first. If the domain controller is unavailable, macOS reverts to default behavior.
Allow administration by: When you enable this option, members of the listed Active Directory groups have administrative privileges over the local Mac. By default, domain admins and enterprise admins are listed. You can specify desired security groups here.
Allow authentication from any domain in the forest: By default, macOS automatically searches all domains for authentication. To restrict authentication to only the domain the Mac is bound to, deselect this checkbox.
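The same binding options can be scripted with the dsconfigad command-line tool. The functions below are an added example, not part of this guide or of Apple's own tooling; they assemble the dsconfigad invocation from the values described above and apply the no-hyphen Computer ID check. The domain, OU, account and group names are constructed placeholders.

```shell
#!/bin/sh
# Added example: assemble the dsconfigad command that mirrors the Directory Utility
# options above. Domain, OU, account and group names are constructed placeholders.

# Returns 0 when the Computer ID is safe to bind with: non-empty, letters and digits
# only (no hyphen, per the note above) and at most 15 characters, the NetBIOS limit
# Active Directory applies to computer names.
computer_id_ok() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# Prints the bind command for: domain, Computer ID, Computer OU, binding user,
# optional preferred domain controller, and the AD groups allowed to administer
# the Mac. -password is left out so dsconfigad prompts for it (assumption) instead
# of the secret landing in shell history or process listings.
build_bind_cmd() {
  domain=$1; computer=$2; ou=$3; user=$4; preferred=$5; groups=$6
  computer_id_ok "$computer" || { echo "unusable Computer ID: $computer" >&2; return 1; }
  printf '%s' "dsconfigad -add $domain -computer $computer -username $user -ou '$ou'"
  # Advanced user experience options: mobile account with confirmation, local home,
  # UNC-derived network home over SMB, zsh as the login shell.
  printf '%s' " -mobile enable -mobileconfirm enable -localhome enable"
  printf '%s' " -useuncpath enable -protocol smb -shell /bin/zsh"
  # Advanced administrator options: preferred DC, admin groups, forest-wide auth.
  [ -n "$preferred" ] && printf '%s' " -preferred $preferred"
  printf '%s' " -groups '$groups' -alldomains enable"
  # Not in the Directory Utility pane above, but worth setting: require signed and
  # encrypted LDAP traffic to the domain controller.
  printf '%s\n' " -packetsign require -packetencrypt require"
}

# Constructed demo values; run the printed command as an administrator on the Mac.
build_bind_cmd example.corp MACLAB01 'OU=Macs,DC=example,DC=corp' svc_bind \
  dc01.example.corp 'EXAMPLE\Domain Admins,EXAMPLE\Mac Admins'
```

After binding, `dsconfigad -show` prints the active settings so you can confirm the preferred server, admin groups and mobile-account options took effect.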