Apple Macs on a domain


(Ron Fast) #1

So after joining a macbook to our domain it appears that it’s not possible to log in using your domain creds when off site. it works great while onsite and connected to the WiFi. I’m new to Macs so is there a way of logging on when you are offsite like PCs do?


(Ben Fifield) #2

Yep, you need to set up the account as a Mobile Account - https://support.apple.com/kb/PH25671?locale=en_US

If you are using an MDM, you can usually set it up to do this automatically for all new logins in the same place as you configure your AD Bind.


(Joe Benson) #3

Make sure to use the -mobile enable and -mobile confirm disable flags on dsconfigad when you join it to AD, and it will transparently create domain accounts when you first log in. You’ll still need to be connected to the network directly or via a VPN before your first login for any given account.

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html


(Nick B Nicholaou) #4

Best is just to not join Macs to the domain. The only real benefit is that you can force periodic password changes, which now even the FTC says not to do.


(Ron Fast) #5

This worked perfectly. thank you.


(Optimus Prime) #6

Can you not also leverage access control for Windows shares? I think that’s a pretty big benefit on larger networks.


(Nick B Nicholaou) #7

You don’t need the computer to be in AD to accomplish that. We do it with an Apple Script that runs at login. Email me (nickn@mbsinc.com) if you’d like a copy you can modify.


(Russ Taylor) #8

I’m just in the process of migrating a lot of services of MacOS Server to a Synology RackStation running Active Directory. Finding it a steep learning curve as it is decades since I last did scripting and coding and whilst I can get AD users to login, mounting their home directories from the Synology server is proving to be a serious challenge.