Binding a Mac to Active Directory is fairly straightforward. Most Mac admins worth their salt know how it is done, and many know how to do it from the command line. Once the Mac is bound, authentication is easy, local authentication at least. But what if you want to use your AD credentials over an SSH or Apple Remote Desktop (ARD) connection? That is when things need a bit more configuration. Having recently deployed a series of servers with this configuration, I figured I would share the commands needed to get it set up correctly.
ARD authentication against AD works by nesting an AD group inside a local group and then enabling directory-based logins on the ARD agent. The local group's name is not arbitrary: with directory logins enabled, ARD grants access according to membership in groups named ard_admin, ard_interact, ard_manage and ard_reports, so this article uses ard_admin. Credit for the approach goes to this article from the UNT Apple Managers group, a valuable and often overlooked internet resource; I highly recommend their group articles and tutorials.
# Create the local group. GID 530 is arbitrary; confirm it is unused first with:
#   dscl . -list /Groups PrimaryGroupID | grep -w 530
sudo dscl . -create /Groups/ard_admin
sudo dscl . -create /Groups/ard_admin PrimaryGroupID "530"
sudo dscl . -create /Groups/ard_admin Password "*"
sudo dscl . -create /Groups/ard_admin RealName "ard_admin"
sudo dscl . -create /Groups/ard_admin GroupMembers ""
sudo dscl . -create /Groups/ard_admin GroupMembership ""
# Nest the AD group (DOMAIN\GroupName) inside the local group.
sudo dseditgroup -o edit -a "UNT\SomeGroupName" -t group ard_admin
# Activate the ARD agent, turn access on, and enable directory-based logins.
# The -privs/-users pair applies to local user records; directory users get
# their privileges from ard_admin membership once -dirlogins is yes.
cd /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/
sudo ./kickstart -activate -configure -access -on -privs -all -users ard_admin -restart -agent
sudo ./kickstart -configure -clientopts -setdirlogins -dirlogins yes
The SSH side is pretty straightforward. You add a user, Active Directory or otherwise, to Remote Login in the System Preferences Sharing pane. But what if the admin account in question is hidden? Hidden accounts are useful for system admins who want to keep a backup or admin account on a workstation out of sight.
The Sharing pane does not list hidden accounts, so there is no way to add one from the GUI. To get around this, un-hide the account with the command below (the Hide500Users setting governs accounts with a UID below 500, which is how such admin accounts are usually hidden):
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool NO
Once that is done, you can add the user via System Preferences -> Sharing; the Remote Login service has an "Only these users" option.
If the machine is properly joined to the domain, the "+" button also lets you pick the AD group. To re-hide the formerly hidden accounts, run this command:
sudo defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
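The ARD and SSH steps above, combined into one script as an added example that is not code from the original post or from the UNT article. It creates the local groups only if they are missing (dseditgroup picks a free GID, so no hard-coded PrimaryGroupID), nests the AD group, and then verifies effective membership with dseditgroup -o checkmember instead of trusting that the edit worked. Two things here are assumptions not stated on the page: UNT\SomeGroupName is a placeholder for your AD group, and com.apple.access_ssh is the local group that Sharing > Remote Login "Only these users" populates; adding members to it from the command line sidesteps the hidden-account problem entirely, but once that group exists only its members can log in over SSH, so the script nests the local admin group first as a fallback for when the AD bind is down.

```bash
#!/bin/bash
# Configure AD-backed ARD and SSH access on a bound Mac and verify the result.
# Added example for this article, not code from the original post.
# Assumptions (not from the page): UNT\SomeGroupName is a placeholder AD group;
# com.apple.access_ssh is the local group behind Sharing > Remote Login >
# "Only these users"; ard_admin is the group name ARD checks for directory logins.
set -u

AD_GROUP="${AD_GROUP:-UNT\\SomeGroupName}"   # DOMAIN\Group to be granted access (placeholder)
ARD_GROUP="ard_admin"                         # one of ard_admin/ard_interact/ard_manage/ard_reports
SSH_GROUP="com.apple.access_ssh"              # access-list group consulted for Remote Login
FALLBACK_GROUP="admin"                        # keep local admins able to ssh in if AD is down
KICKSTART="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Create a local group only if it does not exist; dseditgroup assigns a free GID.
ensure_local_group() {
    local group="$1" realname="$2"
    if dseditgroup -o read "$group" >/dev/null 2>&1; then
        return 0
    fi
    dseditgroup -o create -r "$realname" "$group"
}

# Add a member (type "group" or "user") to a local group.
add_member() {
    local member="$1" type="$2" group="$3"
    dseditgroup -o edit -a "$member" -t "$type" "$group"
}

# Exit 0 when the user is an effective (nested groups included) member of the group.
check_member() {
    local user="$1" group="$2"
    dseditgroup -o checkmember -m "$user" "$group" >/dev/null 2>&1
}

configure_ard() {
    ensure_local_group "$ARD_GROUP" "ARD administrators (directory logins)"
    add_member "$AD_GROUP" group "$ARD_GROUP"
    # Same kickstart invocations as in the article, with the group name parameterised.
    "$KICKSTART" -activate -configure -access -on -privs -all -users "$ARD_GROUP" -restart -agent
    "$KICKSTART" -configure -clientopts -setdirlogins -dirlogins yes
}

configure_ssh() {
    # Once com.apple.access_ssh exists, ONLY its members may log in over SSH,
    # so nest the local admin group before the AD group to avoid a lock-out.
    ensure_local_group "$SSH_GROUP" "Remote Login access list"
    add_member "$FALLBACK_GROUP" group "$SSH_GROUP"
    add_member "$AD_GROUP" group "$SSH_GROUP"
}

# Report whether a user (AD short name) is effectively in both access groups.
verify_user() {
    local user="$1" group rc=0
    for group in "$ARD_GROUP" "$SSH_GROUP"; do
        if check_member "$user" "$group"; then
            echo "ok: $user is a member of $group"
        else
            echo "MISSING: $user is not a member of $group" >&2
            rc=1
        fi
    done
    return "$rc"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run with sudo" >&2
        exit 1
    fi
    configure_ard
    configure_ssh
    if [ $# -ge 1 ]; then
        verify_user "$1"   # e.g. sudo ./ad-remote-access.sh jdoe
    fi
}

# Only apply the configuration on macOS; the functions above can be sourced elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
    main "$@"
fi
```

Run it as root on the bound Mac, optionally passing an AD user's short name as the first argument; the verification step is the useful part, because dseditgroup -o checkmember resolves the nested AD group through Directory Services exactly the way ARD and sshd will, so a MISSING line means the bind or the nesting is broken before any user reports a failed login.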
Apple has its own write-up on authenticating users with Active Directory credentials. It covers three methods:
System Preferences
Directory Utility (Active Directory)
Command line (advanced)
If you’re familiar with using Terminal and the command line, you can add network users or groups to the local admin group using the dseditgroup command in Terminal. The following example adds a network user to the admin group:
dseditgroup -o edit -n /Local/Default -u localadmin -p -a networkuser -t user admin
In this example, “localadmin” is the name of a local administrator account on the workstation (you’re prompted for this account password) and “networkuser” is the short name of the network user.
As you can tell, there are many ways to administer your Mac with an Active Directory account: locally, via ARD/VNC, and over SSH. A few things to keep in mind in case you run into roadblocks with some of the terminal commands:
To add a single Active Directory user to the local ard_admin group, do not use dscl to add or delete individual users. Use dseditgroup with the -a (add) or -d (delete) option and the user's AD short name (EUID below is a placeholder for it):
sudo dseditgroup -o edit -a EUID -t user ard_admin
Remember that kickstart has no man page, so typing "man kickstart" in Terminal does not work. The command prints its own usage when run with -help; dscl and dseditgroup have regular man pages:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help
man dscl
man dseditgroup
Active Directory authentication does not always work, so be sure you have a local admin account waiting in the wings in case something goes south with the AD bind. This matters doubly for SSH: if Remote Login is restricted to a group whose only members come from AD, a broken bind locks you out of the machine remotely.
© Grove Technologies