Configure your macOS computer so IU users can log in with an IU username and passphrase

Overview

  • These instructions are intended only for Macs connected via campus Ethernet. Currently, Macs connected via wireless will not be able to authenticate to the domain.
  • This procedure describes how to allow multiple users access to a single Mac, and thus is not recommended for personally owned systems or systems accessed by only one person.

Configure the computer

To allow anyone with an IU account to log into the computer, configure it to join IU's ADS domain:

  1. On your computer, log into a local administrative account and make sure the operating system is fully up to date. Once it is, open System Preferences.
  2. In the list of settings icons, click Users & Groups.
  3. In the "Users & Groups" window, click the padlock to unlock settings, if necessary, and then authenticate again with your administrative account.
  4. Click Login Options, and then Join.... In the sheet that appears, click Open Directory Utility....
  5. In the window that opens, click the padlock to unlock settings, if necessary, and provide the administrative account credentials. Under the Services tab, double-click Active Directory.
  6. In the sheet that appears:
    • For the Active Directory Domain, enter ads.iu.edu.

      For the Computer ID, enter a computer name that complies with the ADS domain naming convention. This convention requires that names have:

      1. A two-character campus code followed by a dash:
        • BL for Bloomington
        • EA for East
        • FW for Fort Wayne
        • IN for Indianapolis
        • KO for Kokomo
        • NW for Northwest
        • SB for South Bend
        • SE for Southeast
        • IU for university-wide
      2. A two-character department code followed by a dash
      3. A unique computer name up to seven characters in length, with no spaces

      For example, on the Bloomington campus, a UITS departmental computer named "NAME" would be renamed "BL-UITS-NAME".

  7. Click Bind.... If prompted, enter an administrative password. When prompted for the password of a Network Administrator, enter any IU username and passphrase.
  8. On the window's bottom left, click the arrow to expand the advanced options section.
    • Under the User Experience tab, check Create mobile account at login. Make sure Require confirmation before creating a mobile account is not checked.
    • Under the Administrative tab, if you want to give administrative privileges to network users, click Allow administration by:. Click + (the plus sign) and then enter the names of the ADS groups you'd like to give administrative access. Use the format ADS\groupname.
  9. Click OK, and then, if it's not grayed out, click Apply.
  10. Return to the "Users & Groups" or "Accounts" system preferences window, select Allow network users to log in at login window, and then click Options....
  11. Unless you want to allow anyone with a University account to access your computer, select Only these network users:. Click + and then search for the ADS user or group you want to add; click Select. When you're done adding users and groups, click Done.
    Important:
    Limiting logins to certain groups and users does not work reliably unless you're using macOS.
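
To confirm from Terminal that a Mac ended up with the settings from steps 6 through 8, the following added example (not part of the original document) parses the output of macOS's `dsconfigad -show` and flags deviations, including any ADS groups granted administrative rights. The function names and the sample text are constructed for illustration, and the field labels are assumed to match what `dsconfigad -show` prints on your macOS version.

```shell
#!/bin/sh
# Added example: audit `dsconfigad -show` output against steps 6-8 above.
# On a bound Mac, as an administrator:  dsconfigad -show | audit_bind

# get_field LABEL: read settings on stdin, print the value of "LABEL = value".
get_field() {
    awk -F' = ' -v want="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }'
}

# audit_bind: read `dsconfigad -show` output on stdin; return 1 on any FAIL.
audit_bind() {
    cfg=$(cat)
    rc=0
    check() {   # check LABEL EXPECTED
        got=$(printf '%s\n' "$cfg" | get_field "$1")
        if [ "$got" = "$2" ]; then
            printf 'OK   %s = %s\n' "$1" "$got"
        else
            printf 'FAIL %s = %s (expected %s)\n' "$1" "${got:-<missing>}" "$2"
            rc=1
        fi
    }
    check "Active Directory Domain" "ads.iu.edu"
    check "Create mobile account at login" "Enabled"
    check "Require confirmation" "Disabled"
    # Step 8: every member of a listed group is a local administrator.
    admins=$(printf '%s\n' "$cfg" | get_field "Allowed admin groups")
    case "$admins" in
        ""|"not set") printf 'OK   no directory groups have admin rights\n' ;;
        *) printf 'WARN Allowed admin groups = %s (review membership)\n' "$admins" ;;
    esac
    return "$rc"
}

# Constructed sample (not captured from a real system); labels are assumed to
# match what `dsconfigad -show` prints on your macOS version.
sample_show() {
    cat <<'EOF'
Active Directory Domain          = ads.iu.edu
Computer Account                 = bl-uits-name$
Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Enabled
Advanced Options - Administrative
  Allowed admin groups           = ADS\groupname
EOF
}
```

An unbound Mac produces no matching fields, so every check reports FAIL with `<missing>` and the function returns 1.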

Security concerns

Allowing network users to log into your computer will require you to take additional security precautions. In addition to maintaining better physical security, be careful about which services you turn on from the Sharing system preference. If you've turned on File Sharing, Screen Sharing, Remote Login, Remote Management, or Remote Apple Events, any IU user will be able to access your computer by these methods. If you do need to enable one of these services, you can limit its access to specific users or groups.

This is document aziv in the Knowledge Base.
Last modified on 2024-04-17 17:56:01.