Active Directory Binding For A User That Already Uses Their Mac


As you may or may not know, it is possible to bind a Mac to Active Directory. The process is actually pretty easy with the built-in Directory Utility.

What is less well known is that if someone already uses their Mac, it is possible to bind the machine to the domain and have their AD credentials sign into the same profile they are already using.

Here is my recommended process.

1. Perform a full machine backup. It's easiest to use Apple's Time Machine utility to an external hard drive. This can be a destructive process if things don't go well, so it will be important to have a way to go back.

2. Open the /Users/ folder. Here we need to verify whether their home folder name matches their AD short name. If it doesn't, there are some things to look out for. In particular, Google Drive, Dropbox and other utilities that create a folder at the root of the home folder have caused me issues in the past. I've cleared this up by disconnecting the accounts first and removing all traces of the programs.

3. Once you have cleared the potential land mines and created your backup, we're ready to get to work. Log on to the computer with another administrative account.

4. Before we join the machine to the domain, we want to rename it to fit the naming conventions already in place. My preference is to do this from Terminal; the commands are:

sudo scutil --set ComputerName "Fill in your desired machine name"
sudo scutil --set HostName "Fill in your desired machine name"

5. In System Preferences, open the Users & Groups preference pane. At the bottom of the pane click Login Options, then click the Join button next to Network Account Server. In the box that opens, click Open Directory Utility.

6. In Directory Utility, double-click Active Directory. Fill in the name of your domain. At the bottom of the window click Show Advanced Options. In the User Experience tab check Create mobile account at login, and in the Administrative tab check the box for Allow administration by. Once those options are set, click the Bind button and enter the credentials of a user that can join machines to the domain.

7. Now that the machine is joined to the domain, stay in the Users & Groups preference pane. Select the user we're working with from the list of users and click the delete button. In the box that opens, select the Don't change the home folder option.

8. Open the /Users/ folder in Finder; the user's folder should still be there with "(deleted)" appended to its name. Rename this folder to the user's Active Directory short name.

9. Open a Terminal window and run the following command, substituting the user's Active Directory short name for username:

sudo chown -R username /Users/username

10. Log out of the current account and test logging in with the user's Active Directory account. If prompted, click the button to create a mobile account (this lets the machine cache the AD credentials so the user can log in while the DC is unavailable). If you get a warning here about not being able to access the home folder, it is a permissions issue: the previous chown command did not succeed. Log back in as the administrator account and run it again.
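The checks and the rename/chown from steps 2 and 8 to 10 can be scripted so that the step 10 permissions warning is caught before the user ever logs in. The script below is an added example, not the author's own tooling: it assumes the Mac is already bound (step 6) and the local account was deleted with "Don't change the home folder" (step 7). The users directory, AD short name and owner are parameters (the hypothetical function names are mine) so the whole thing can be rehearsed against a scratch directory before it is pointed at /Users.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the machine is bound to
# AD and the local account has been removed, leaving "<name> (Deleted)" behind.
set -u

# Step 2 pre-flight: refuse to continue if the AD short name already owns a
# folder under USERS_DIR, and flag the cloud-sync folders the post warns about.
check_conflicts() {   # check_conflicts USERS_DIR AD_SHORTNAME OLD_HOME
    users_dir=$1; ad_name=$2; old_home=$3
    if [ -e "$users_dir/$ad_name" ]; then
        echo "conflict: $users_dir/$ad_name already exists" >&2
        return 1
    fi
    # Folders that Google Drive / Dropbox create at the root of the home.
    syncs=$(find "$old_home" -maxdepth 1 \( -iname 'Dropbox' -o -iname 'Google Drive*' \) 2>/dev/null)
    if [ -n "$syncs" ]; then
        echo "warning: disconnect these sync clients first:" >&2
        echo "$syncs" >&2
        return 2
    fi
    return 0
}

# Step 8: locate the folder step 7 left behind ("<name> (Deleted)").
find_deleted_home() {   # find_deleted_home USERS_DIR -> path, or nothing
    find "$1" -maxdepth 1 -type d -iname '* (deleted)' | head -n 1
}

# Step 10 prerequisite: the AD user must resolve on this machine before chown
# can assign files to it; id fails when the bind or the DC lookup is broken.
user_resolves() {   # user_resolves NAME_OR_UID
    id "$1" >/dev/null 2>&1
}

# Steps 8-9: rename the leftover folder and hand it to the AD user.
migrate_home() {   # migrate_home USERS_DIR AD_SHORTNAME [OWNER]
    users_dir=$1; ad_name=$2; owner=${3:-$2}
    old=$(find_deleted_home "$users_dir")
    [ -n "$old" ] || { echo "no '(Deleted)' folder under $users_dir" >&2; return 1; }
    check_conflicts "$users_dir" "$ad_name" "$old" || return 1
    user_resolves "$owner" || { echo "user $owner does not resolve; check the bind" >&2; return 1; }
    mv "$old" "$users_dir/$ad_name" || return 1
    chown -R "$owner" "$users_dir/$ad_name"
}

# Step 10 check: any entry not owned by the user is what triggers the
# "can't access the home folder" warning at login. Returns 0 only when clean.
verify_owner() {   # verify_owner HOME_DIR OWNER
    stray=$(find "$1" ! -user "$2" | head -n 1)
    [ -z "$stray" ]
}

# Real run on the Mac (needs root): sudo sh migrate.sh <ad_shortname>
if [ "${1:-}" != "" ] && [ "$(id -u)" -eq 0 ]; then
    migrate_home /Users "$1" && verify_owner "/Users/$1" "$1" && echo "ok"
fi
```

Run it once against a copy of the folder (or a scratch directory with a fake "name (Deleted)" folder) to see the conflict and sync-folder checks fire, then for real with sudo; a non-zero exit from verify_owner means the chown did not cover everything and step 10 will fail.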

Once all is done, the user will be able to log in to their computer with their Active Directory credentials. Of course, the best compliment for me is when they can't even tell I did anything.

