Skip to main content
macOSintermediate

How to Join a macOS Device to Active Directory

Learn how to bind a Mac to Active Directory using System Settings and the dsconfigad command-line tool, configure mobile accounts, and troubleshoot Kerberos.

7 min readUpdated April 2026

Want us to handle this for you?

Get expert help →

Binding a Mac to Active Directory (AD) lets domain users sign in with their corporate credentials, inherit group policies for permissions, and use Kerberos single sign-on against Windows file shares and intranet sites. This guide walks you through both the graphical and command-line methods, plus the prerequisites and troubleshooting steps that trip people up most often.

Before You Begin

You will need:

  • An administrator account on the Mac
  • AD credentials for a user with rights to join computers to the domain (or a pre-created computer object)
  • The fully qualified domain name (e.g., corp.example.local)
  • The distinguished name of the OU where the computer object should live (e.g., OU=Macs,OU=Workstations,DC=corp,DC=example,DC=local)
  • DNS on the Mac pointed at servers that can resolve AD SRV records
  • Time synchronization within 5 minutes of the domain controllers

A Quick Note on the Modern Alternative

Before you bind, know that Apple has been deprecating traditional AD binding for several macOS releases. Most new deployments skip binding entirely and instead use an MDM (Jamf Pro, Intune, Kandji, Mosyle) combined with Platform SSO and a Kerberos SSO extension, or third-party tools like Jamf Connect and NoMAD. Those approaches provide password sync, Kerberos tickets, and account provisioning without the fragility of a directory bind. If you are starting fresh, evaluate those options first. The steps below remain valid for existing AD environments and legacy workflows.

Step 1: Verify DNS and Time

Open Terminal from /Applications/Utilities and confirm the Mac can resolve the domain:

dig SRV _ldap._tcp.dc._msdcs.corp.example.local

You should see one or more domain controllers in the ANSWER section. Next, force a time sync against a DC:

sudo sntp -sS dc01.corp.example.local

If either command fails, fix DNS and NTP before continuing — the bind will not succeed otherwise.

Step 2: Join via System Settings (GUI Method)

  1. Open System Settings > Users & Groups
  2. Scroll to Network Account Server and click Edit (or Join)
  3. Enter your AD domain (e.g., corp.example.local) and click OK
  4. When prompted, provide:
    • Client Computer ID — the hostname for the AD computer object (e.g., MAC-JSMITH-01)
    • AD Admin User and Password — credentials authorized to join the domain
  5. Click OK and wait for the bind to complete

For more granular control — custom OU, mobile account defaults, admin group mapping — open Directory Utility instead:

  1. In Terminal, run open /System/Library/CoreServices/Applications/Directory\ Utility.app
  2. Click the lock icon and authenticate
  3. Double-click Active Directory
  4. Fill in the domain, computer ID, and expand Show Advanced Options to configure user experience, mappings, and administrative group assignments

Step 3: Join via dsconfigad (CLI Method)

For scripted deployments and MDM scripts, dsconfigad is the preferred tool. A typical bind command looks like:

sudo dsconfigad -add corp.example.local -username adjoiner -password 'REDACTED' -computer MAC-JSMITH-01 -ou "OU=Macs,OU=Workstations,DC=corp,DC=example,DC=local"

After the initial bind, apply user experience settings:

sudo dsconfigad -mobile enable -mobileconfirm disable -localhome enable -useuncpath disable -protocol smb -shell /bin/zsh

Then map AD groups to local administrator rights:

sudo dsconfigad -groups "CORP\Mac Admins,CORP\Domain Admins"

Verify the bind succeeded:

dsconfigad -show

You should see the domain, computer ID, and all the options you configured.

Common dsconfigad Flags

FlagPurpose
-add <domain>Bind the Mac to the specified AD domain
-removeUnbind from the current domain
-forceSkip domain controller check (useful for offline)
-computer <name>Set the AD computer object name
-ou <DN>Place the computer object in a specific OU
-mobile enableCreate mobile (cached) accounts at first login
-localhome enableStore home directories on the local disk
-useuncpath disableIgnore AD-defined UNC home paths
-protocol smbSet network home protocol
-shell <path>Default shell for AD users
-groups "<list>"Comma-separated AD groups granted local admin rights
-packetsign allowLDAP signing policy (allow/require/disable)
-showDisplay the current AD binding configuration

Step 4: Verify Kerberos and Login

Log out and log back in as an AD user. Once signed in, open Terminal and check your Kerberos ticket:

klist

You should see a krbtgt ticket issued by your domain's realm. If no ticket exists, request one manually:

kinit [email protected]

Note that the realm must be uppercase. A successful kinit followed by klist confirms the Mac is fully authenticated against AD.

Unbinding

To remove the Mac from AD, run:

sudo dsconfigad -remove -force -username adjoiner -password 'REDACTED'

The -force flag allows unbinding even when the domain controllers are unreachable. Afterward, delete the stale computer object from Active Directory Users and Computers and reboot the Mac.

Troubleshooting

"Unable to locate the domain"

DNS is not resolving SRV records. Confirm /etc/resolv.conf or the DNS servers in System Settings > Network point at servers that can answer for <domain>. Test with dig SRV _ldap._tcp.dc._msdcs.<domain>.

"Clock skew too great" or Kerberos error 37

The Mac's clock is more than 5 minutes off from the DC. Run sudo sntp -sS <dc-hostname> to force a sync, then retry. Point the Mac at an internal NTP server that tracks the DCs.

Bind succeeds but login hangs

Usually a missing mobile account or unreachable UNC home path. Re-run with -mobile enable -localhome enable -useuncpath disable to keep the home directory local.

Password changes in AD do not sync to the Mac

The keychain password is tied to the local password at account creation. When an AD password is changed off-device (through OWA or a Windows PC), the login keychain will need to be updated or reset on next sign-in. This is a known limitation of traditional AD binding and one of the reasons Jamf Connect and Platform SSO exist.

klist shows no tickets

Run kinit user@REALM with the realm in uppercase. If kinit returns "Client not found in Kerberos database," confirm the user account exists and is not disabled in AD.

Frequently Asked Questions

Find answers to common questions

Yes, dsconfigad and Directory Utility still function on current macOS releases, but Apple has been quietly deprecating traditional directory binding for years. Most organizations now deploy Macs via an MDM (Jamf, Intune, Kandji) and use Platform SSO with a Kerberos SSO extension, or third-party tools like Jamf Connect or NoMAD, to authenticate against AD without a full bind. Binding is still valid for smaller environments and legacy workflows, but expect it to become unsupported in future macOS versions.

The Mac must be able to resolve your Active Directory domain's SRV records — specifically _ldap._tcp.dc._msdcs.<domain> — which means its primary DNS servers should point at your domain controllers (or at DNS servers that forward <domain> queries to the DCs). You can verify with dig SRV _ldap._tcp.dc._msdcs.example.local. If DNS resolution fails, the bind will fail with an "unable to locate domain" error.

Kerberos requires client and server clocks to be within 5 minutes of each other. Force a time sync against a domain controller with sudo sntp -sS dc01.example.local, then retry the bind. Verify the Mac is using the correct time server under System Settings > General > Date & Time, and consider pointing it at your internal NTP server so it stays in sync going forward.

A mobile account caches the AD user's credentials and home directory locally so they can log in even when disconnected from the domain network — essential for laptops. Enable it during bind with dsconfigad -mobile enable -mobileconfirm disable. Without a mobile account, a user who takes the laptop off the corporate network will be unable to sign in because the Mac cannot reach a domain controller to validate credentials.

Use the -groups flag with dsconfigad to map AD groups to the local admin group. For example: sudo dsconfigad -groups "DOMAIN\Mac Admins,DOMAIN\Domain Admins". Members of those AD groups will be able to authenticate as administrators, install software, and run sudo commands. You can also set this via Directory Utility > Active Directory > Administrative.

Run sudo dsconfigad -remove -force -username <admin> -password <pw>. The -force flag lets you unbind even if the Mac cannot reach a domain controller, which is useful for offline or decommissioned machines. After unbinding, remove the computer object from AD Users and Computers manually, delete any leftover mobile accounts under Users & Groups, and reboot the Mac.

Need Professional IT & Security Help?

Our team of experts is ready to help protect and optimize your technology infrastructure.

Learn About Risk AssessmentExplore vCISO Services

Related Articles

How to Capture and Analyze Network Traffic on macOS With tcpdump and Wireshark

Learn how to capture and analyze network traffic on macOS using the built-in tcpdump command, the pktap pseudo-interface, and Wireshark for deep packet inspection.

Read More →

How to Use the macOS Firewall (pf) to Restrict Network Access

Learn how to configure both the macOS Application Firewall and the low-level pf packet filter to restrict inbound and outbound network access on macOS.

Read More →

How to Create and Deploy a Configuration Profile (.mobileconfig) on macOS

Learn how to create, sign, and deploy macOS configuration profiles (.mobileconfig) using Apple Configurator 2, iMazing Profile Editor, or hand-written XML.

Read More →
Back to macOS