Directory Access 1.5 Help
Configuring Access to an Active Directory Domain
--------------------------------------------------------------------------------
Using the Active Directory plug-in listed in Directory Access, you can configure Mac OS X to access basic user account information in an Active Directory domain on a Windows server. The Active Directory plug-in generates all attributes required for Mac OS X authentication, so no changes to the Active Directory schema are required. If the Active Directory schema has been extended to include standard Mac OS X record types and attributes, such as the attributes required for Mac OS X client management, the plug-in detects and uses them.
Important: An advanced option of the Active Directory plug-in lets you map the Mac OS X unique user ID (UID) attribute to an attribute that has been added to the Active Directory schema. The UID is what the file system records as the owner of a user's files. If you change this mapping setting at a later date, each user's UID changes, and users may lose access to files they created under their previous UID.
In Directory Access, click Services.
If the lock icon is locked, click it and type the name and password of an administrator.
Select Active Directory in the list of services, then click Configure.
Enter the DNS names of the Active Directory forest and domain that the computer you're configuring will join.
The administrator of the Active Directory domain can tell you the names of the forest and domain. If you have a single forest with a single domain, enter the same name for forest and domain.
Enter the Computer ID, which is the name that the computer you're configuring has been assigned in the Active Directory domain.
If you're not sure what name to enter, ask the Active Directory domain administrator.
Click Bind, authenticate as a user who has rights to join a computer to the Active Directory domain, and click OK.
Name and Password: You may be able to authenticate with the name and password of your own Active Directory user account, because by default Active Directory allows an ordinary domain user to join up to 10 computers to the domain. Otherwise the Active Directory domain administrator must provide a name and password for an account that has the right to create computer accounts in the domain or in the OU you specify.
OU: Enter the organizational unit (OU) in which the computer account for this computer will be created, as a distinguished name (for example, CN=Computers,DC=example,DC=com, which is an illustrative value; the domain administrator can tell you the correct OU). The OU determines which administrators and policies in Active Directory govern this computer's account.
Optionally, set the advanced options.
If the advanced options are hidden, click Show Advanced Options.
"Cache last user logon for offline operation": Select this option to cache the credentials of the last user who logged in, so that the user can log in again when no Active Directory server can be reached (for example, on a portable computer away from the network), without modifying the Active Directory schema. This is considered the default setting for users logging in to the computer. An equivalent capability is provided by managed client settings in an Open Directory domain and most LDAP directory domains. If a user account has actual managed client settings, this option is ignored. Because the cached credential is used whenever the domain can't be reached, a user whose account has since been disabled in Active Directory can still log in while the computer is offline, until the computer next contacts the domain.
"Authenticate in multiple domains": Select this option to allow users from any domain within the forest to authenticate on this computer. If this option is deselected, a list of specific domains within the forest is presented when you configure a custom Authentication search policy, so that you can add domains individually to the search policy.
"Prefer this domain server": Select this option to specify the DNS name of the domain server (domain controller) you want the Active Directory plug-in to use by default. If that server becomes unavailable in the future, the plug-in automatically falls back to another nearby server in the forest. If this option is deselected, the plug-in automatically chooses the closest available domain server in the forest.
"Map UID to attribute": If the Active Directory schema has been extended to store a UID for each user (usually because the Active Directory server has already been configured to support UNIX computers, for example with a uidNumber attribute), you can specify the attribute that stores it. If this option is deselected, the plug-in generates a UID from the user's standard Active Directory GUID attribute (objectGUID). Whichever mapping you use, every user must end up with a distinct UID: two users who share a UID can read and change each other's files. A value mapped from the schema is only as unique as the administrators who maintain it keep it, and a UID generated from a 128-bit GUID is a 32-bit value, so check for duplicate UIDs before relying on either mapping, and read the Important note at the top of this topic before changing this setting on a computer that already holds user files.
"Allow administration by": Select this option to specify a list of groups whose members are allowed to do administrative tasks on this computer (for example, install software). Use commas to separate group names in the list. For security, each group name must be qualified by the domain it comes from, in the form DOMAIN\Group (for example, ADS\Domain Admins,IL2\Domain Admins); the same group name, such as Domain Admins, exists in every domain of a forest, so an unqualified name is ambiguous. This option is useful if you have desktop administrators who need administrative access but are not domain administrators. Members of the listed groups become administrators of this computer, so keep the list short and review it whenever the membership of those groups changes.
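As an added example (not code from the Directory Access help or from Apple's Active Directory plug-in), the following Python models the two advanced options above whose settings decide who can touch whose files and who can administer the computer: "Map UID to attribute" and "Allow administration by". It assumes, for illustration only, that the generated UID is the first 32 bits of the user's objectGUID; the sample user records, their objectGUIDs and uidNumber values are constructed, and the function and field names are the example's own. The duplicate-UID check and the effect of switching the mapping hold for any 128-bit-to-32-bit fold, whatever the plug-in's exact derivation.

```python
# Added example; not part of the Directory Access help or of Apple's plug-in.
# Models two advanced options so their failure modes can be tested offline:
#   "Map UID to attribute" and "Allow administration by".
# ASSUMPTION: the plug-in's generated UID is modelled as the first 32 bits of
# the user's objectGUID. The checks below hold for any 128-bit-to-32-bit fold.
import math
import uuid
from typing import Dict, List, Optional, Tuple

Record = Dict[str, object]

# Constructed sample users (made-up objectGUIDs and uidNumber values).
# alice and carol deliberately share the first 32 bits of their GUIDs.
SAMPLE_USERS: List[Record] = [
    {"sAMAccountName": "alice",
     "objectGUID": uuid.UUID("0000c0de-0000-4000-8000-000000000001").bytes_le,
     "uidNumber": "10001"},
    {"sAMAccountName": "bob",
     "objectGUID": uuid.UUID("00001234-0000-4000-8000-000000000002").bytes_le,
     "uidNumber": "10002"},
    {"sAMAccountName": "carol",
     "objectGUID": uuid.UUID("0000c0de-0000-4000-8000-000000000003").bytes_le,
     "uidNumber": "10003"},
]


def uid_from_object_guid(object_guid: bytes) -> int:
    """Model of the default mapping: fold the 16-byte objectGUID (stored
    little-endian in AD, hence bytes_le above) into a 32-bit UID by taking
    its first 32 bits. Any such fold discards 96 bits, so it can collide."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return int.from_bytes(object_guid[:4], "little")


def uid_from_attribute(record: Record, attribute: str) -> int:
    """'Map UID to attribute' path: read a schema-extended attribute such as
    uidNumber. A missing or out-of-range value is an error, not a default,
    because a silent fallback would hand the user an unexpected UID."""
    value = record.get(attribute)
    if value is None:
        raise LookupError(f"{attribute} not set on {record['sAMAccountName']}")
    uid = int(str(value))
    if not 0 <= uid <= 0xFFFFFFFF:
        raise ValueError(f"{attribute}={uid} is not a valid 32-bit UID")
    return uid


def resolve_uid(record: Record, attribute: Optional[str]) -> int:
    """UID a user gets under one setting of 'Map UID to attribute'
    (None means the option is deselected and the UID is generated)."""
    if attribute is None:
        return uid_from_object_guid(record["objectGUID"])
    return uid_from_attribute(record, attribute)


def find_uid_collisions(records, attribute=None) -> Dict[int, List[str]]:
    """Return {uid: [account names]} for every UID shared by more than one
    user. Two users with one UID can read and change each other's files,
    so run this before trusting either mapping."""
    seen: Dict[int, List[str]] = {}
    for rec in records:
        seen.setdefault(resolve_uid(rec, attribute), []).append(rec["sAMAccountName"])
    return {uid: names for uid, names in seen.items() if len(names) > 1}


def remapped_uids(records, old_attribute, new_attribute) -> List[Tuple[str, int, int]]:
    """What the Important note warns about: (account, UID before, UID after)
    when the mapping is changed. Files owned by the old UID no longer belong
    to the user once the new UID is in effect."""
    return [(rec["sAMAccountName"], resolve_uid(rec, old_attribute),
             resolve_uid(rec, new_attribute)) for rec in records]


def birthday_collision_probability(users: int, bits: int = 32) -> float:
    """Approximate chance that at least two of `users` independently random
    `bits`-bit UIDs coincide: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return 1.0 - math.exp(-users * (users - 1) / 2 ** (bits + 1))


def parse_admin_groups(spec: str) -> List[Tuple[str, str]]:
    """Parse an 'Allow administration by' list: comma-separated entries, each
    in DOMAIN\\Group form. An unqualified name is rejected because the same
    group name (e.g. 'Domain Admins') exists in every domain of a forest."""
    groups: List[Tuple[str, str]] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        domain, sep, group = entry.partition("\\")
        if not sep or not domain or not group:
            raise ValueError(f"group must be written as DOMAIN\\Group: {entry!r}")
        groups.append((domain, group))
    return groups


def admin_group_list_is_valid(spec: str) -> bool:
    """True if the list is non-empty and every entry is domain-qualified."""
    try:
        return bool(parse_admin_groups(spec))
    except ValueError:
        return False


if __name__ == "__main__":
    print("generated-UID collisions:", find_uid_collisions(SAMPLE_USERS))
    print("uidNumber collisions:", find_uid_collisions(SAMPLE_USERS, "uidNumber"))
    print("effect of switching mapping:", remapped_uids(SAMPLE_USERS, None, "uidNumber"))
    print("P(collision) among 65536 users:", round(birthday_collision_probability(65536), 3))
    print(parse_admin_groups("ADS\\Domain Admins,IL2\\Domain Admins"))
```

Run this against an export of your real user records (objectGUID plus the attribute you intend to map) before binding, and again before changing the mapping: an empty result from find_uid_collisions under the mapping you choose is the check the Important note at the top of this topic is asking for, and remapped_uids lists exactly which users' files would change owner if you switch. The group-list parser shows why an unqualified "Domain Admins" is refused rather than guessed at.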
If you want the computer to access the Active Directory domain you just configured, you must make sure Active Directory is enabled in the Services pane.
In addition, you must add the Active Directory domain to a custom search policy in the Authentication or Contacts pane of Directory Access.
If you selected "Authenticate in multiple domains" in the advanced options, adding the Active Directory forest to a custom Authentication search policy enables this computer to authenticate users from any domain in the forest.
If you deselected "Authenticate in multiple domains," you can add domains individually to the search policy.
Other help topics have instructions for enabling Active Directory service and defining custom search policies.