You can enable or disable Active Directory user accounts on a computer that is configured to use Directory Utility's Active Directory connector. Users with mobile accounts can log in using their Active Directory credentials when the computer is not connected to the Active Directory server.
The Active Directory connector caches credentials for a user's mobile account when the user logs in while the computer is connected to the Active Directory domain. This credential caching does not require changing the Active Directory schema.
If the Active Directory schema has been extended to include Mac OS X managed client attributes, those mobile account settings are used instead of the Active Directory connector mobile account setting.
You can have mobile accounts created automatically, or you can require that Active Directory users confirm creation of the mobile account.
- Open System Preferences and click Users & Groups.
- If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
- Click Login Options, then click Join or Edit.
- Click Open Directory Utility.
- If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
- Click Services.
- In the list of services, select Active Directory and click the Edit (/) button.
- Click Show Advanced Options if the advanced options are hidden.
- Click User Experience, then click "Create mobile account at login," and optionally click "Require confirmation before creating a mobile account."
  - If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to Mac OS X using an Active Directory user account, or logs in as a network user, the user sees a dialog with controls for creating a mobile account immediately.
  - If the first option is selected and the second option is unselected, mobile accounts are created when users log in.
  - If the first option is not selected, the second option is disabled.
- Click OK.
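
To audit which of the three option combinations above a Mac is in without opening Directory Utility, the following added example (not part of the original page) classifies the text printed by `dsconfigad -show`. The label wording it matches is an assumption about that command's output, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify the connector's mobile-account policy from the text
# printed by `dsconfigad -show`. The label wording matched below is an
# assumption about that output; adjust the patterns if your release differs.

# Reads `dsconfigad -show` output on stdin and prints one of:
#   prompt  - both options on: each user decides at login
#   auto    - first option only: mobile account created at login without asking
#   off     - first option off: no mobile account, so no cached credentials
#   unknown - expected lines not found (for example, the Mac is not bound)
mobile_account_state() {
    awk -F'=' '
        function val(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        /Create mobile account at login/ { create = val($2) }
        /Require confirmation/           { confirm = val($2) }
        END {
            if (create == "") { print "unknown"; exit }
            if (create != "enabled") { print "off"; exit }
            # The confirmation setting only matters when creation is enabled.
            if (confirm == "enabled") print "prompt"; else print "auto"
        }'
}

# Constructed sample input, not captured from a real machine.
sample_show_output() {
    cat <<'EOF'
Active Directory Domain          = corp.example.com
Computer Account                 = mac-lab-01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
EOF
}

# Demo on the constructed sample. On a bound Mac, run instead:
#   dsconfigad -show | mobile_account_state
echo "sample policy: $(sample_show_output | mobile_account_state)"
```

A result of `auto` or `prompt` means the Mac can hold cached Active Directory credentials for offline login, which is worth recording for laptops that leave the network.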