Adding a Mac to a Delegated OU

Last updated: January 30, 2023
Audience: IT Staff / Technical

Like adding a (Windows) computer to a Delegated OU, adding a Mac is a two-step process, which can be performed manually using mainstream tools or automated using whatever methods you prefer. If this is your first time adding a Mac to an OU, first read the ‘What You Need To Know First’ section.

  1. Computer account creation: Pre-create a new computer account via Active Directory Users & Computers (ADUC) or your preferred computer account creation tool in the desired OU within your delegated OU prior to actually joining the Mac to the NETID domain. You will not be able to join the Mac to the NETID domain without first creating the computer account, because you do not have permissions to create computer accounts in the default container for the NETID domain. If you use ADUC to pre-create the account, you can specify which user accounts are allowed to join the Mac with the same NetBIOS name as the pre-created computer account. When creating the computer account, please use a name within your computer namespace reservation(s).
  2. Join the Mac: The details required to join the Mac depend on the Mac OS version and which Directory plug-in you use. Prior to Mac OS X v10.3.3 there was no Active Directory plug-in, so you used the LDAPv3 plug-in.

    Active Directory plug-in walkthrough: http://4sysops.com/archives/how-to-join-a-mac-os-x-computer-to-active-directory/

    Configuration options you’ll need to supply/change in that walkthrough:

    Active Directory Domain=netid.washington.edu
    Computer OU=<the distinguished name of your delegated OU> e.g. ou=pottery,dc=netid,dc=washington,dc=edu
    Mappings:
    Map UID to attribute: uidNumber

    LDAPv3 plug-in walkthrough: http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins/ldapauthorization-leopard

    Configuration options you’ll need to supply/change in that walkthrough:

    Search Base:
    Search Base Suffix=dc=netid,dc=washington,dc=edu
    Connection:
    Distinguished Name=cn=<user’s UW NetID>,ou=uwnetid,dc=netid,dc=washington,dc=edu
    *Enable* “Encrypt using SSL”
    *Enable* “Use custom port”=636
    Search & Mappings:
    Ignore all changes, except:
    Add samAccountName to RecordName
    Add uidNumber to UniqueID.

  3. Configure Encrypted Session Traffic: While the Mac OS GUI claims it will enable LDAP signing by default, in practice it doesn’t. This means that all the traffic between the Mac and AD is unencrypted, in the clear. That’s not a good thing, especially when you consider that the user’s password is part of that traffic, and at some point the NETID domain will stop accepting unencrypted sessions. However, there is a solution. If you use Apple’s dsconfigad command line tool with the switch “-packetencrypt ssl”, you can tell the Mac OS to use LDAPS (i.e. LDAP over TLS/SSL). This protects the Mac OS client’s authentication traffic. This dsconfigad option can be used at the time of the domain join, or after the domain join to mitigate the issue on Macs that are already joined.
  4. Fix the dnsHostName attribute value: If the dnsHostName value is *.netid.washington.edu, you should fix it to be a value which actually resolves to your Mac computer. Here’s an example PowerShell script which would allow you to do that across all the Macs in your OU.

import-module activedirectory

# Find the Mac computer accounts in your delegated OU whose dnsHostName still
# points into netid.washington.edu (replace the SearchBase with your own OU)
$macs = get-adcomputer -server netid.washington.edu -ldapfilter "(&(dnshostname=*.netid.washington.edu)(operatingSystem=Mac OS X))" -SearchBase "OU=pottery,OU=Delegated,DC=netid,DC=washington,DC=edu"

foreach ($mac in $macs) {
    $netBiosName = $mac.Name
    # Rebuild the host name in the DNS zone your Macs actually live in
    $dnsHostname = "$netBiosName.clients.uw.edu"
    set-adcomputer -identity $mac -DNSHostName $dnsHostname
    write-host $dnsHostname
}

If you don’t pre-create the computer account, upon domain join, you will be subject to the Unclaimed Computers OU Group Policy settings which are not pleasant.
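As an added example (not part of the original page), the following shell script performs the dsconfigad join from steps 2 and 3 with LDAPS enforced, checks that the setting actually took, and includes the step 4 test for a dnsHostName that needs fixing. The OU distinguished name, computer name and NetID are placeholders; the script assumes it is run as root on the Mac while on campus.

```shell
#!/bin/sh
# Added example, not from the original page: script the dsconfigad join that
# steps 2 and 3 describe, enforce LDAPS, and verify the result afterwards.
# Assumptions (placeholders): delegated OU "OU=pottery,OU=Delegated,
# DC=netid,DC=washington,DC=edu"; run as root on the Mac while on campus.
set -eu

AD_DOMAIN="netid.washington.edu"
COMPUTER_OU="OU=pottery,OU=Delegated,DC=netid,DC=washington,DC=edu"

# Assemble the join command: pre-created computer name, delegated OU, UID
# mapped to uidNumber, mobile accounts on, and "-packetencrypt ssl" so the
# bind goes over LDAPS instead of in the clear. $1 = computer name (must
# match the pre-created account), $2 = NetID allowed to join it.
build_join_cmd() {
  printf 'dsconfigad -add %s -computer %s -ou "%s" -username %s -uid uidNumber -mobile enable -packetencrypt ssl' \
    "$AD_DOMAIN" "$1" "$COMPUTER_OU" "$2"
}

# Read "dsconfigad -show" output on stdin; succeed only if the
# "Packet encryption" line says ssl.
encryption_is_ssl() {
  grep -Eq '^[[:space:]]*Packet encryption[[:space:]]*=[[:space:]]*ssl[[:space:]]*$'
}

# Step 4 check: a dnsHostName under netid.washington.edu does not resolve
# to the Mac and must be replaced with the name in your own DNS zone.
needs_dns_fix() {
  case "$1" in
    *.netid.washington.edu) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh join-mac.sh --join <computer-name> <netid>
# dsconfigad prompts for the NetID password because -password is omitted.
if [ "${1:-}" = "--join" ]; then
  eval "$(build_join_cmd "$2" "$3")"
  if dsconfigad -show | encryption_is_ssl; then
    echo "Joined $AD_DOMAIN with LDAPS enforced"
  else
    echo "Packet encryption is not ssl; run: dsconfigad -packetencrypt ssl" >&2
    exit 1
  fi
fi
```

The same encryption check can be run on an already-joined Mac with `dsconfigad -show | encryption_is_ssl` to find clients that still bind in the clear.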

What You Need To Know First

Prior to joining your first computer to a delegated OU, you will need to know a couple things.

Know the computer naming guidelines

These guidelines are detailed in the OU Practices document, but in a compact form, the NETID computer naming guidelines are:

  • You own any name inside your recognized namespace(s), and we strongly encourage you to use names within that namespace
  • First come, first serve for any name outside a recognized namespace. Names that infringe on a namespace aren’t permitted.
  • You can’t use a DNS suffix of netid.washington.edu, and we suggest that you continue to use whatever DNS zone you currently use – to do this we have a PowerShell script to manage AD members with Mac OS X. The download is here: Script fix-MacDnsHostnames.
  • You can optionally use our DDNS for your workstations
  • If you need custom SPNs, send in a request and we’ll make it happen

How can I add a computer account without a computer in the NETID domain?

You might be caught in this dilemma on your first computer. See our advice in the OU Admin Tools and Tips document.

Creating a Mobile Account

There is an option to “Create mobile account at login.” Customers have reported being unable to log in using cached credentials. That is, after they leave the campus network and reboot the computer, they are unable to log into their mobile (NETID domain) account. We don’t have a definitive explanation for the cause, but the following steps seem to prevent the issue.

  1. Join the Mac to the domain following the above instructions making sure to tick the checkbox for “Create mobile account at login” (this must be done on campus in order to access the domain’s servers)
  2. Log into the Mac using the domain account, again while on campus
  3. Reboot the Mac, log on once again with the domain account while on campus

It may also be necessary to make the domain account an Admin on the Mac. At this point a login from off campus should work.