Please help: adding a Mac PC to the Windows domain at work

Discussion in 'Mac OS X Server, Xserve, and Networking' started by john0026, May 10, 2008.

  1. macrumors newbie

    Jun 5, 2007
    I am trying to add our Mac PCs to the Windows domain at work. I am a little confused about where to start. Do I need Mac OS X 10.5 Leopard Server to do this, or can I do this without Mac OS X Server? We are using VMware ESX and Windows Server 2003 in the corp environment. Are there any 3rd-party tools to get this accomplished?
  2. macrumors Penryn


    Mar 23, 2005
  3. macrumors 6502


    May 12, 2007
    Funny you should ask; I was just playing around with this for the first time today. While it's fresh in my mind, I'll walk you through the steps. The following instructions apply to Leopard--I'm not sure if this would apply to earlier versions of OS X:

    1) From Finder, select Go-->Utilities from the menu
    2) Run "Directory Utility"
    3) Click the little padlock, and enter a Mac admin's credentials to unlock it
    4) Click on "Show Advanced Settings"
    5) When the toolbar appears, select "Services" and then select the "Active Directory" checkbox
    6) Next, select "Directory Servers" from the toolbar, then click the "+" button to add your AD domain server
    7) In the top drop-down box "Add a new directory of type," select "Active Directory".
    8) Enter the name of your domain (I used FQDN nomenclature as in ""), then enter the username and password of a Domain Admin that is authorized to add computers to the AD directory and click OK
    9) In the directory servers list, you should now see your domain with a little green light next to it and the message "This server is responding normally."
    10) Now log off.
    11) If the Mac is configured to show a list of users at login, select "Other" at the bottom. Enter your domain logon credentials: "mydomain\username" and your password. The machine will pause a minute to create new user folders, and then you're in AND you have access to all of your network shares without entering your name and password again.

    That's it! What's cool is that any domain user can now log on to the machine without a local account being set up first.

    Some caveats:

    You will have trouble if the domain userID happens to match the short name of a local Mac account, e.g., if there is a local account named "Rich" and a domain user "mydomain\Rich" this will not work properly--it won't create new user folders for the domain user.

    If you ARE running Leopard, make sure you're up to date. I was reading some complaints in another forum that AD integration was broken in Leopard prior to 10.5.2. I haven't personally verified that this is true, but just a word to the wise...

    Hope this helps, have fun!
  4. thread starter macrumors newbie

    Jun 5, 2007
    Thanks videoF, very useful info. I would try it out on Monday and let you know what happens.
  5. macrumors 68030


    May 30, 2002
    Toronto, Ontario, Canada
    Mac on Windows Domain

    Indeed, Wicked info! Bookmarking this info for future reference. Didn't know that this was possible!
  6. macrumors regular

    Mar 23, 2006
    AD-OD Whitepaper

    The best site for information about this is:

    I have used their whitepaper (found here) to connect Macs to AD 2003 in various environments.

    If you have all of your data on a Windows Managed SAN with Distributed File Sharing & SMB Signing configured & your Macs are running 10.4, then you may like to try ADmitMac.

    (Apparently 10.5 can access the above security methods but I haven't tested this follow due to the below).

    If you are looking at using 10.5 & have a large network, be warned, as 10.5 queries every DC on the domain before it allows you to log in. I am currently working at a global company with some 50 DCs located across the globe & login can take 6 - 10 minutes.

    I am waiting for 10.5.3 to resolve this.
  7. macrumors newbie

    May 13, 2008
    Calgary, Alberta
    There is really easy software to use; if you google "Adding Mac to Active Directory Client lists", it is like the second or third one.
  8. Guest

    Sky Blue

    Jan 8, 2005
    Under Advanced options I would check 'Create mobile account at login' and 'prefer this domain server'.

    Why not just add in the preferred DC?
  9. macrumors 6502


    May 12, 2007
    Just out of curiosity (I'm still learning this stuff), what does the "create mobile account" setting do, exactly?
  10. macrumors regular

    Mar 23, 2006
    It creates a local account on your Mac that checks the server for your username & password details when you log in (if available, & the cached credentials if not).

    By using this, Laptop users can login when 'off network' but will authenticate to the network when back in the office.
  11. Guest

    Sky Blue

    Jan 8, 2005
    What he said :)
  12. macrumors regular

    Mar 23, 2006
    I have... it still queries them.

    This is similar to the behavior of 10.3.something, but I have found that 10.5.3 should sort it.

    Can't wait to test it though!
  13. macrumors newbie

    Jun 9, 2008
    need help

    Hey guys,

    Need your help guys. I am about to create an MS domain for a company, but they want to join 5 Mac PCs to the domain, and they also want to create a redirection path to a folder as backup for each user. So I know how to create an MS domain and join the Windows PC users, but I don't know anything about Mac PCs. Could anybody help me with this, guys?
  14. Guest

    Sky Blue

    Jan 8, 2005
    Did you even read the thread?
  15. macrumors newbie

    Jun 9, 2008

    Yes, now I did :eek: sorry..
  16. macrumors newbie

    Jun 17, 2008
    Permissions Error

    Hi All,

    I'm trying to add my Mac to a Windows network at work. I've followed the above steps (Thanks!! They're terrific)... but I'm getting this error when I go through the "add active directory" part:

    An unexpected error type - 14120 (eDSPermissionError) occured.

    I think maybe this means my Mac needs to be added to the Windows network permission list or something?? Somewhere? Anyone have any idea about this at all??

    Thanks!! :D
  17. macrumors newbie

    Jul 22, 2008
    Sydney Australia
    possibly an id10t error

    I have a Mac G5 we are using to play around adding to the MS Active Directory. For about a week it has been absolutely sweet. Following the steps in this thread, we have it sitting on the domain, accessing the network drives, talking to the Exchange server, using the network printers (including a Canon multifunction with some funky custom accounting software - took me forever to work that one out), but in the last couple of days it hasn't been playing ball. It keeps losing its connection to the domain. At first I thought the issue was a dodgy ethernet cable, but it isn't; then I suspected the network switch. Again no. At the login screen the other user option comes and goes as connection with the server is gained or lost. Usually this happens too quickly to log on. If I log onto the Mac's local admin account, the Directory Utility says that the server isn't responding. So the fault may be with the server, but that seems a little strange given it was working quite happily for more than a week. I have looked everywhere I can think of to see if I have overlooked something, but I am not sure where I should be looking. I have been a long-time Mac user at home but have never needed to network one before, so I am sort of following my nose. I do have admin access to the AD, but I am no systems engineer, so I am sort of following my nose there as well. I did get our regular engineer to check the AD, but he isn't a Mac person so probably wouldn't know what to look for either. If we can get this working somewhat stably then the number of Macs we use will hopefully increase.
  18. macrumors newbie

    Jul 30, 2008
    Check Machine Name

    Make sure the machine name does not have an underscore '_'. I received the same message but then realized the underscore in my machine name.
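
The two join-time pitfalls reported in this thread (a local short name that matches the domain user ID, and an underscore in the machine name), written as a pre-bind check. This is an added example and not part of any post; the function names are hypothetical, and the 15-character limit and the letters/digits/hyphen rule are conservative assumptions taken from NetBIOS and DNS host-name limits.

```shell
#!/bin/sh
# Pre-bind checks for the two pitfalls reported in this thread.
# Added example: function names are hypothetical, not Apple tooling.

# check_computer_name ID -> 0 if ID looks safe to use as the AD computer ID.
check_computer_name() {
    name=$1
    [ -n "$name" ] || { echo "computer name is empty"; return 1; }
    case $name in
        *_*)  # the underscore case reported in the thread
            echo "'$name' contains an underscore"; return 1 ;;
        *[!A-Za-z0-9-]*)  # assumption: conservative DNS host-name rule
            echo "'$name' has characters other than letters, digits, '-'"
            return 1 ;;
    esac
    # Assumption: stay within the 15-character NetBIOS name limit.
    [ "${#name}" -le 15 ] || { echo "'$name' exceeds 15 characters"; return 1; }
    return 0
}

# short_name_collides DOMAIN_USER LOCAL... -> 0 if a local short name matches.
# Comparison is case-insensitive (a cautious assumption).
short_name_collides() {
    want=$(printf '%s' "${1##*\\}" | tr '[:upper:]' '[:lower:]')
    shift
    for local_name in "$@"; do
        have=$(printf '%s' "$local_name" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then return 0; fi
    done
    return 1
}

# Usage on the Mac itself: sh prebind.sh <computer-id> 'mydomain\username'
if [ "$#" -eq 2 ] && command -v dscl >/dev/null 2>&1; then
    check_computer_name "$1" || exit 1
    # dscl lists the short names of all local accounts, one per line.
    # shellcheck disable=SC2046
    if short_name_collides "$2" $(dscl . -list /Users); then
        echo "a local account already uses the short name in '$2'"
        exit 1
    fi
    echo "pre-bind checks passed"
fi
```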
  19. macrumors newbie

    Sep 16, 2007
    Thanks for the post, I was able to get a test machine to connect to AD. Any tips on how to move the current home directory (files and settings) to the new one? Would it be the same steps as moving the home dir to another hard drive?
  20. macrumors newbie

    Jul 30, 2008

    Sorry, I am not sure. I am new to Mac.
  21. macrumors newbie

    Sep 18, 2008
    no "other" user

    What if you don't get an "other" user on the login screen? Am I missing something obvious and simple or is this a 10.5.4 bug?
    Binding to AD was fine, how can I log in?
  22. macrumors 6502a

    Aug 11, 2008
    Not sure why it's not showing up.. unless.. you need to *reboot* your mac to make it work with the AD login provider.

    We have our macs at work set to ask for username and password in the more traditional network PC manner.

    To set this:
    System Preferences > Accounts > Login Options > "Display Login Window As:" and tick "Name and Password".
  23. macrumors newbie

    Jul 30, 2008
    Check the settings under 'Directory Utility' and 'Active Directory'. We had an issue with the mobile account.

    We have:

    Create mobile account at login 'checked'
    Require confirmation before creating a mobile account 'unchecked'
    Force local home directory on startup disk 'checked'
    Use UNC path from AD to derive network home location 'unchecked'
    Default user shell 'checked' with '/bin/bash'

    Hope this helps.
  24. macrumors newbie

    Sep 18, 2008
    I updated to 10.5.5 at home, next time I was at that location "other" showed up. I admit I don't understand it exactly, as I click on it, it required my AD username but my Mac password? Then my Mac account loaded but I had the access to the web that I wanted. Hmmmm Worked out exactly like I wanted. I only wanted the ability to surf the web and the IT people told me I needed to add my computer to the domain. Which I did myself. Thanks though, it probably won't work again Monday.
  25. macrumors newbie

    Oct 6, 2008
    I am new to using Macs and know nothing - there are brilliant tips guys - got my Mac on the AD domain now. Couple of questions - hope someone can help!

    If I log on to the Mac with an AD user account and open Finder and go to the "Shared" tab, I see all of the shares that are available on the authorising domain controller, including my user account's share (listed with a $ at the end). How can I hide these shares?

    I would like to map some drives and provide access to printers currently being delivered by my domain controllers, in the same way as my PCs work. How can I do this?

    Is it possible to create a policy that restricts access to certain components on the Mac dependent on user logon permissions - again in the same way as PCs work? Is this a Mac policy or would it be an AD policy?

    Many thanks again for helping the Newboy!!
