Reasonably Random Rants and Raves

Command Line Knowledge for MacOS: Dealing with Active Directory

Written by

awadelewis

in

Well, we have to play nicely with all of the Windows stuff that is out in the world. In the enterprise, we have to accept that we are going to have to deal with Windows Networking, particularly authentication and authorization services provided by Active Directory.

Apple has improved the integration with Windows Networking over the years but you still have to do a bunch of contortions to get a machine on the network. Note that the following is taken from multiple Apple support sites and some AI assistance.

Joining a machine into an AD domain and configuring it for network authentication requires you to bind the machine to Domain through Directory Services and then configure authentication on the local machine to connect to the AI domain.

1. Bind the Mac to the AD domain

macOS includes the dsconfigad tool (Active Directory connector) which allows you to bind a Mac to an AD domain from Terminal. (Apple Support)

Here’s a typical command (you’ll substitute your values):

sudo dsconfigad -add DOMAIN.COM \
    -computer "Mac-Hostname" \
    -username "BindUser" \
    -password "BindPassword" \
    -ou "OU=Computers,DC=DOMAIN,DC=COM" \
    -force

Explanation of parameters:

  • -add DOMAIN.COM → The AD domain you’re joining.
  • -computer "Mac-Hostname" → The name you want this Mac to appear in AD.
  • -username / -password → Credentials of an AD account with rights to bind computer objects.
  • -ou "…" → The organizational unit in AD where you want the computer object to reside.
  • -force → Optional, for example if it was already bound previously, etc.

Other common flags you may want:

sudo dsconfigad -domain DOMAIN.COM \
     -alldomains enable \
     -groups "Domain Admins,Enterprise Admins" \
     -packetsign require \
     -packetencrypt require

This enables all domains in the forest, adds certain AD groups to the Mac’s “admin” group, and enables packet signing/encryption for LDAP/AD traffic. (Apple Support)

2. Enable network users to log in at the login window

Once the Mac is bound, you need to allow domain users (network accounts) to login at the macOS login window. There are GUI steps (System Preferences → Users & Groups → Login Options → “Allow network users to log in at login window”), but we can achieve this via command line/config defaults.

Command-line approach

You can use the defaults command to set a preference so that network users are allowed to login. Example:

sudo defaults write /Library/Preferences/com.apple.loginwindow ENABLEDIRLOGIN -bool true

This sets ENABLEDIRLOGIN to true, enabling directory (network/AD) users at login. (Note: this key has been used historically, though exact availability may vary across macOS versions.)

Also ensure that the login window is set appropriately (e.g., “Name & Password” rather than “List of Users”). For example:

sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

Then you may want to restart the loginwindow or reboot:

sudo killall loginwindow

Mobile/local account caching and mobile user accounts

This is a an important step that some sites wrongly suggest as optional. You really, really, really, really want to use dsconfigad to enable domain users to have mobile accounts. This will cache credentials locally and will permit users to login when offline from the enterprise network. Otherwise you won’t be able to login. We also strongly recommend that you do keep a separate local user for when things go wrong.

Here’s how to enable mobile accounts in MacOS via dsconfigad:

sudo dsconfigad -mobile enable -mobileconfirm disable -localhome enable

(from the gist example) (Gist)

3. Verification & Pitfalls

  • After binding you can check current settings:
dsconfigad -show

This will display the domain, computer account, OU, mobile account settings etc. (Gist)

  • Make sure DNS is correctly configured: the Mac must be able to resolve the domain controllers for your AD domain. Apple’s documentation emphasizes DNS/Kerberos/LDAP for AD integration. (Apple Support)
  • If users cannot login:
  • Check that “Allow network users to log in at login window” is indeed enabled (GUI or defaults).
  • If after login attempt the screen just sits/spins/shakes, it may be waiting on network/LDAP/Kerberos auth. Example case discussed in Apple forums. (Apple Support Community)
  • LocalAdmin vs domain group membership: If you want certain AD groups to be local admins (e.g., “Domain Admins”), you’ll include that in the binding via -groups flag. Otherwise domain user logins may succeed but the user may lack local rights.
  • For macOS versions and AD interactions: some behaviors may change from version to version (especially around caching or login window UI). Always test in your environment.

CAVEAT: We admit to using AI tools to research and edit this post.

Selah.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts