Map The Group ID, Primary GID, And UID To An Active Directory ...

Directory Utility User Guide

On a computer that’s configured to use Directory Utility’s Active Directory connector, you can specify an Active Directory attribute to map to the group ID (GID), primary group ID (GID), and unique user ID (UID) attributes in macOS.

Usually, the Active Directory schema must be extended to include an attribute that’s suitable for mapping to the GID, primary GID, and UID:

  • If the Active Directory administrator extends the Active Directory schema by installing Microsoft’s Services for UNIX, you can map the following:

    • GID to the msSFU-30-Gid-Number attribute

    • Primary GID to the msSFU-30-Gid-Number attribute

    • UID to the msSFU-30-Uid-Number attribute

  • If the Active Directory administrator manually extends the Active Directory schema to include RFC 2307 attributes, you can map the following:

    • GID to the gidNumber attribute

    • Primary GID to the gidNumber attribute

    • UID to the uidNumber attribute

  • If the Active Directory administrator manually extends the Active Directory schema to include the macOS gidNumber, PrimaryGroupID, and UniqueID attributes, you can map the following:

    • GID to the gidNumber attribute

    • Primary GID to the PrimaryGroupID attribute

    • UID to the UniqueID attribute

If mapping of the GID, primary GID, and UID is disabled, the Active Directory connector generates a GID, primary GID, and UID based on Active Directory’s standard GUID attribute.

Important: With the advanced options of the Active Directory connector, you can map the macOS unique user ID (UID), primary group ID (GID), and group GID attributes to the correct attributes in the Active Directory schema. However, if you change these settings later, users might lose access to previously created files.


  1. In the Directory Utility app on your Mac, click Services.

  2. Click the lock icon.

  3. Enter an administrator’s user name and password, then click Modify Configuration (or use Touch ID).

  4. Select Active Directory, then click the “Edit settings for the selected service” button.

    If the advanced options are hidden, click the disclosure triangle next to Show Options.

  5. Click Mappings.

  6. To map an Active Directory attribute to the GID in group accounts, select “Map group GID to attribute,” then enter the name of the Active Directory attribute.

  7. To map an Active Directory attribute to the primary group ID in user accounts, select “Map user GID to attribute,” then enter the name of the Active Directory attribute.

  8. To map an Active Directory attribute to the UID, select “Map UID to attribute,” then enter the name of the Active Directory attribute.

  9. Click OK.
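
The mappings set in the steps above can be audited from Terminal before anyone changes them. This added example (not part of Apple's guide) classifies the three mappings reported by `dsconfigad -show` against the schemes listed on this page. The function names, scheme labels and sample text are constructed here, and the `label = value` layout of the output is an assumption to confirm on your macOS version.

```shell
#!/bin/sh
# Added example: classify the AD connector's UID/GID mappings.
# Constructed sample of the Mappings section (assumed `dsconfigad -show` layout).
SAMPLE_SHOW='Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = gidNumber
  Generate Kerberos authority    = Enabled'

# Print the trimmed value of the "label = value" line whose label is $1 (stdin).
mapping_value() {
    awk -F' = ' -v label="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == label { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Read `dsconfigad -show` text on stdin and name the mapping scheme in use.
# Returns 0 for a scheme listed on this page, 1 for anything else, 2 if no
# mapping lines were found (for example, the Mac is not bound).
classify_mapping() {
    show=$(cat)
    uid=$(printf '%s\n' "$show" | mapping_value 'Mapping UID to attribute')
    gid=$(printf '%s\n' "$show" | mapping_value 'Mapping user GID to attribute')
    ggid=$(printf '%s\n' "$show" | mapping_value 'Mapping group GID to attribute')
    # LDAP attribute names are case-insensitive, so compare in lower case.
    key=$(printf '%s|%s|%s' "$uid" "$gid" "$ggid" | tr '[:upper:]' '[:lower:]')
    case "$key" in
        'not set|not set|not set') echo 'guid-derived' ;;
        'mssfu-30-uid-number|mssfu-30-gid-number|mssfu-30-gid-number') echo 'sfu' ;;
        'uidnumber|gidnumber|gidnumber') echo 'rfc2307' ;;
        'uniqueid|primarygroupid|gidnumber') echo 'macos-attributes' ;;
        '||') echo 'unknown'; return 2 ;;
        *) echo "custom-or-mixed uid=$uid gid=$gid ggid=$ggid"; return 1 ;;
    esac
}

# On a bound Mac, audit the live configuration; elsewhere, use the sample.
if command -v dsconfigad >/dev/null 2>&1; then
    dsconfigad -show | classify_mapping
else
    printf '%s\n' "$SAMPLE_SHOW" | classify_mapping
fi
```

Recording this result per Mac before a change gives a baseline to compare against, since a later change to the mappings can leave users without access to previously created files.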

See also: Integrate Active Directory using Directory Utility on Mac