Joining Macs systems to Active Directory

My current job has me working in an (almost) all-Mac desktop environment. However, we’re in the curious position of running a predominantly Windows-based backend (precipitated by our use of MS Exchange Server).

For obvious reasons (password expiration being a big one), it makes some sense to join the Macs to Active Directory, yet it took some trial-and-error for me to figure out how to do this.

Here’s my recommended procedure – (note that this procedure is for new system builds; I’ll cover migrating existing users in a future post):

  1. Name each client consistently
    Set the name of your client Mac by going to System Preferences -> Sharing -> Computer Name. I strongly recommend a standardized naming convention that works best for you. In my case, I name the systems after the primary user (scottc, for example) – I prefer this over, say, the serial number or the asset number as it saves you a step of figuring out “OK, I know I need to locate this system, now whose is it and where can I find it?”
  2. Join each client to Active Directory
    You need to use the Directory Utility app to do this – just launch it by using Spotlight, as the app itself is buried in /System/Library/CoreServices/Applications. Double-click “Active Directory.” Note that the Computer ID is, by default, set to the name you specified in step #1 – this is the name that will appear in Active Directory. Enter your domain name – I don’t know about all cases, but I find I have to include “.local” in order for the Mac to find my Active Directory machine. Do NOT hit “Bind” yet!!!
  3. Decide if you want systems set up with mobile accounts
    You want to do this. Trust me. Don’t trust me? Fine, I’ll explain… If you want your users to be able to sign on to their systems whenever they’re outside of the office (i.e. unable to access your Active Directory server) then you need to specify the creation of “mobile accounts.” This will create a permanent account on the Mac whenever someone initially, successfully authenticates against Active Directory. That way, the next time the user signs on to the Mac when it is not within the office network they can still get on to their system. Enable mobile accounts by clicking the small triangle underneath the text fields – this exposes a number of advanced options. Under the “User Experience” tab, check both “Create mobile account at login” and “Require confirmation before creating a mobile account.”
  4. Bind the system to Active Directory
    Hit the “Bind” button. When prompted for a username/password, enter your Active Directory’s administrative account credentials (for example, my user name is ‘administrator’ – specifying the domain isn’t necessary).
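The same four steps can be scripted from Terminal with scutil and dsconfigad instead of clicking through Directory Utility, which is handy when you build several Macs at once. The script below is an added example, not part of the original post: the client name “scottc”, the domain “corp.local” and the admin account “administrator” are assumptions, and the dsconfigad -show sample text is constructed to match the shape of that command’s output. Run without arguments it only prints the bind command and exercises the check against the sample; run as `sudo sh join-ad.sh apply` on the Mac it performs the join and then verifies that mobile accounts with confirmation are enabled.

```shell
#!/bin/sh
# Added example (not the post's own code): steps 1-4 of the post as commands,
# plus a post-bind check that a practitioner would want. Names are assumptions.
set -eu

# Step 1 helper: the name to set in all three macOS name fields.
CLIENT_NAME=scottc          # assumption: primary user's name, per the post
AD_DOMAIN=corp.local        # assumption: the post notes ".local" may be needed
AD_ADMIN=administrator      # assumption: AD account allowed to join computers

# Build the dsconfigad bind command for the settings the post recommends
# (mobile accounts on, confirmation before creating one). Prints, does not run.
bind_command() {
  name=$1; domain=$2; admin=$3
  printf 'dsconfigad -add %s -computer %s -username %s -mobile enable -mobileconfirm enable\n' \
    "$domain" "$name" "$admin"
}

# Read `dsconfigad -show` output from stdin and return 0 only when the Mac is
# bound AND both mobile-account options are enabled; 1 otherwise.
check_bind_output() {
  show=$(cat)
  printf '%s\n' "$show" | grep -q '^You are bound to Active Directory' || return 1
  printf '%s\n' "$show" | grep -q 'Create mobile account at login *= Enabled' || return 1
  printf '%s\n' "$show" | grep -q 'Require confirmation *= Enabled' || return 1
  return 0
}

# Constructed sample in the shape dsconfigad -show prints on a bound Mac.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = corp.local
  Active Directory Domain          = corp.local
  Computer Account                 = scottc$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Enabled'

if [ "${1:-}" = "apply" ]; then
  # Step 1: consistent client name (Sharing -> Computer Name sets ComputerName).
  scutil --set ComputerName "$CLIENT_NAME"
  scutil --set LocalHostName "$CLIENT_NAME"
  scutil --set HostName "$CLIENT_NAME"
  # Steps 2-4: join with mobile accounts + confirmation. With no -password
  # flag dsconfigad prompts for the admin password, so it never lands in history.
  $(bind_command "$CLIENT_NAME" "$AD_DOMAIN" "$AD_ADMIN")
  # The post's tip: enable the root user; dsenableroot prompts for passwords.
  dsenableroot
  # Verify the bind actually took with the options we wanted.
  dsconfigad -show | check_bind_output && echo "bind verified"
else
  echo "Would run: $(bind_command "$CLIENT_NAME" "$AD_DOMAIN" "$AD_ADMIN")"
  printf '%s\n' "$SAMPLE_SHOW" | check_bind_output && echo "sample output passes the bind check"
fi
```

After a real bind, `dsconfigad -show` is the quickest way to confirm the computer account name and the User Experience settings match what Directory Utility would have shown, and `id someaduser` confirms the Mac can resolve domain accounts.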

That’s it!

Smart I.T. Guy Tip
Before quitting Directory Utility, do yourself a favor and visit Edit -> Enable Root User and specify a complex password that only I.T. admins know. This gives you a way to access the system no matter what and also benefits things like system scanning in systems like Spiceworks.

Now, whenever a user signs on to the Mac successfully, they’ll be asked if they want to create a mobile account – the primary user should select ‘yes’ and, presumably, most others should select ‘no.’

Note that these instructions are current as of Mac OS X v10.10.5.


.BAT file to delete files older than x days and empty folders

This is a valuable little piece of code – useful for maintaining otherwise unmonitored file repositories. Set it up to run automatically from the Task Scheduler on a predetermined basis. Note that the forfiles command is included with Windows Vista and later and Windows Server 2003 and later. Replace <directory> with the folder to clean and <x> with the age in days; files last modified more than <x> days ago are deleted.

@ECHO OFF
REM delete any files older than <x> days (last-modified date more than <x> days ago)
REM insert 'echo' between /c and del (i.e. "cmd /c echo del /q @PATH") to test the command without deleting
forfiles /p <directory> /s /d -<x> /c "cmd /c del /q @PATH"
REM delete empty folders: list all folders deepest-first (sort /r), then rd
REM rd only removes an empty folder and errors on a non-empty one, which is the intended behaviour
for /f "delims=" %%d in ('dir <directory> /s /b /ad ^| sort /r') do rd "%%d"
