Options when joining a Mac to Active Directory
It's worth noting that a series of options can be specified when joining a Mac to Active Directory. These options can be manually adjusted, though in many environments the defaults work well. To make changes, click the Open Directory Utility button in the Network Account Server dialog described above. Later in this series, I will discuss how to automate these changes when deploying a fleet of Macs.
The manual adjustments are broken down into three areas:
- User experience
- Attribute mappings
- Administrative options
User experience options include the user's network home directory and the default Unix shell users will encounter if they launch OS X's Terminal app (unless otherwise specified, /bin/bash is the default).
User Experience options in Directory Utility
When it comes to home directories, OS X supports the creation of a local home directory on a user’s Mac (the default behavior, similar to how a home directory is created on a stand-alone Mac), a network home directory that allows a user to access files and settings across multiple Macs, and the option to allow access to a network home directory mounted as a folder in the OS X Dock. There is also the option to create a mobile account, which is a local account (and local home directory) that syncs/mirrors the Active Directory account (and network home directory) for offline access. Mobile accounts can be created automatically, which can lead to confusion and sync issues if a user has mobile accounts on multiple Macs, or the feature can be made optional by requiring user confirmation of mobile account creation when they log into a new Mac.
Attribute mappings relate to integration with Apple's own LDAP-based directory service, Open Directory, which is similar to Active Directory and is included with OS X Server. Each Mac contains a local directory node that stores local account information using the Open Directory attributes. Although Open Directory provides the same functionality as Active Directory, some account attributes differ between the two. A Mac joined to Active Directory automatically maps the Open Directory attributes it requires to equivalent Active Directory attributes (for example, gidNumber). If the Active Directory schema has been modified, it is possible to create alternate mappings, though this isn't needed in the vast majority of environments.
Mappings options in Directory Utility
There are three administrative options that can be set when a Mac is joined to Active Directory. The first is to prefer a specific domain controller. By default a Mac will search for the most available domain controller, much like a PC does. It is possible to override this and instead designate a particular domain controller that the Mac contacts first.
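The same three option groups can be set and audited from the command line with dsconfigad. The script below is an added example, not code from the article: the first helper assembles the dsconfigad flags for the user-experience, mapping and administrative settings discussed above; the second checks captured `dsconfigad -show` output for two settings worth reviewing (mobile accounts must require user confirmation, and a preferred domain controller must be pinned). The `-show` label text and the hostnames are assumptions; the flag names are real dsconfigad options.

```shell
#!/bin/sh
# Added example, not from the article. The "dsconfigad -show" label text
# used by audit_ad_show is an assumption about that command's output format.

# Assemble (but do not run) the dsconfigad flags for the three option groups.
# $1 = preferred domain controller FQDN (placeholder value in the samples).
build_dsconfigad_args() {
  printf '%s' "dsconfigad -mobile enable -mobileconfirm enable" \
    " -localhome enable -sharepoint enable -useuncpath enable -shell /bin/bash" \
    " -uid uidNumber -gid gidNumber -ggid gidNumber -preferred $1"
}

# Audit captured "dsconfigad -show" text. Prints findings; returns the number
# of failed checks (0 means both checks passed).
audit_ad_show() {
  show="$1"
  fails=0
  mobile=$(printf '%s\n' "$show" | awk -F'= ' '/Create mobile account at login/ {print $2}')
  confirm=$(printf '%s\n' "$show" | awk -F'= ' '/Require confirmation/ {print $2}')
  dc=$(printf '%s\n' "$show" | awk -F'= ' '/Preferred Domain controller/ {print $2}')
  if [ "$mobile" = "Enabled" ] && [ "$confirm" != "Enabled" ]; then
    echo "FAIL: mobile accounts are created silently; enable -mobileconfirm"
    fails=$((fails + 1))
  fi
  if [ -z "$dc" ] || [ "$dc" = "not set" ]; then
    echo "FAIL: no preferred domain controller pinned (-preferred)"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed samples of -show output (format assumed): one weak, one hardened.
WEAK_SHOW='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
Advanced Options - Administrative
  Preferred Domain controller    = not set'
GOOD_SHOW='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Enabled
Advanced Options - Administrative
  Preferred Domain controller    = dc01.corp.example.com'
```

On a real Mac, replace the constructed samples with `dsconfigad -show` output captured from the machine under review.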