Active Directory

com.apple.DirectoryService.managed

The payload that configures an Active Directory (AD) domain.

macOS

macOS 10.8+exclusive

Configuration Keys (39)

Key	Type	Title	Description	Default	Range
`HostName`required	string	HostName	The Active Directory domain to join.	—	—
`UserName`	string	UserName	The user name of the account for the domain.	—	—
`Password`	string	Password	The password of the account for the domain.	—	—
`ClientID`	string	Client ID	The client's identifier.	—	—
`ADOrganizationalUnit`	string	ADOrganizationalUnit	The organizational unit to add the joining computer object to.	—	—
`ADCreateMobileAccountAtLoginFlag`	boolean	Enable ADCreateMobileAccountAtLogin Flag	If 'true', the system enables the 'ADCreateMobileAccountAtLogin' key.	false	—
`ADCreateMobileAccountAtLogin`	boolean	Create mobile account at login	If 'true', the system creates a mobile account at login. Depends on: ADCreateMobileAccountAtLoginFlag ∈ [true]	false	—
`ADWarnUserBeforeCreatingMAFlag`	boolean	Enable ADWarnUserBeforeCreatingMA Flag	If 'true', the system enables the 'ADWarnUserBeforeCreatingMA' key.	false	—
`ADWarnUserBeforeCreatingMA`	boolean	Require confirmation before creating mobile account	If 'true', the system enables the warning before creating the mobile account. Depends on: ADWarnUserBeforeCreatingMAFlag ∈ [true]	false	—
`ADForceHomeLocalFlag`	boolean	Enable ADForceHomeLocal Flag	If 'true', the system enables the 'ADForceHomeLocal' key.	false	—
`ADForceHomeLocal`	boolean	Force local home directory on startup disk	If 'true', the system forces a local home directory. Depends on: ADForceHomeLocalFlag ∈ [true]	false	—
`ADUseWindowsUNCPathFlag`	boolean	Enable ADUseWindowsUNCPath Flag	If 'true', the system enables the 'ADUseWindowsUNCPath' key.	false	—
`ADUseWindowsUNCPath`	boolean	Use UNC path for network home location	If 'true', the system uses the UNC path from Active Directory to derive the network home location. Depends on: ADUseWindowsUNCPathFlag ∈ [true]	false	—
`ADMountStyle`	string	Mount Style	The network home protocol to use: 'afp' or 'smb'.	"smb"
`ADDefaultUserShellFlag`	boolean	Enable ADDefaultUserShell Key	If 'true', the system enables the 'ADDefaultUserShell' key.	false	—
`ADDefaultUserShell`	string	Default user shell	The default user shell. Depends on: ADDefaultUserShellFlag ∈ [true]	"/bin/bash"	—
`ADMapUIDAttributeFlag`	boolean	Enable ADMapUIDAttribute Key	If 'true', the system enables the 'ADMapUIDAttribute' key.	false	—
`ADMapUIDAttribute`	string	Map UID to attribute	The map UID to attribute. Depends on: ADMapUIDAttributeFlag ∈ [true]	—	—
`ADMapGIDAttributeFlag`	boolean	Enable ADMapGIDAttribute Key	If 'true', the system enables the 'ADMapGIDAttribute' key.	false	—
`ADMapGIDAttribute`	string	Map user GID to attribute	The map GID to attribute. Depends on: ADMapGIDAttributeFlag ∈ [true]	—	—
`ADMapGGIDAttributeFlag`	boolean	Enable ADMapGGIDAttribute Key	If 'true', the system enables the 'ADMapGGIDAttributeFlag' key.	false	—
`ADMapGGIDAttribute`	string	Map group GID to attribute	The map group GID to attribute. Depends on: ADMapGGIDAttributeFlag ∈ [true]	—	—
`ADPreferredDCServerFlag`	boolean	Enable ADPreferredDCServer Key	If 'true', the system enables the 'ADPreferredDCServer' key.	false	—
`ADPreferredDCServer`	string	Preferred domain server	The preferred domain server. Depends on: ADPreferredDCServerFlag ∈ [true]	—	—
`ADDomainAdminGroupListFlag`	boolean	Enable ADDomainAdminGroupList Key	If 'true', the system enables the 'ADDomainAdminGroupList' key.	false	—
`ADDomainAdminGroupList`	array	Allow administration by specified Active Directory groups.	The list of Active Directory groups with admin access. Depends on: ADDomainAdminGroupListFlag ∈ [true]	—	—
`ADDomainAdminGroupListItem`required	string	Domain Admin Group Item	An active directory group	—	—
`ADAllowMultiDomainAuthFlag`	boolean	Enable ADAllowMultiDomainAuth Key	If 'true', the system enables the 'ADAllowMultiDomainAuth' key.	false	—
`ADAllowMultiDomainAuth`	boolean	Allow authentication from any domain in the forest	If 'true', the system allows authentication from any domain in the namespace. Depends on: ADAllowMultiDomainAuthFlag ∈ [true]	false	—
`ADNamespaceFlag`	boolean	Enable ADNamespace Key	If 'true', the system enables the 'ADNamespace' key.	false	—
`ADNamespace`	string	Set primary user account naming convention: "forest" or "domain"	The primary user account naming convention; either 'forest' or 'domain'. Depends on: ADNamespaceFlag ∈ [true]	"domain"
`ADPacketSignFlag`	boolean	Enable ADPacketSign Key	If 'true', the system enables the 'ADPacketSign' key.	false	—
`ADPacketSign`	string	Packet signing	The packet signing policy. Depends on: ADPacketSignFlag ∈ [true]	"allow"
`ADPacketEncryptFlag`	boolean	Enable ADPacketEncrypt Key	If 'true', the system enables the 'ADPacketEncrypt' key.	false	—
`ADPacketEncrypt`	string	Packet encryption	The packet encryption policy. Depends on: ADPacketEncryptFlag ∈ [true]	"allow"
`ADRestrictDDNSFlag`	boolean	Enable ADRestrictDDNS Key	If 'true', the system enables the 'ADRestrictDDNS' key.	false	—
`ADRestrictDDNS`	array	Restrict DDNS on interfaces	An array of strings that represent the interfaces allowed for dynamic DNS updates, such as en0 and en1. Depends on: ADRestrictDDNSFlag ∈ [true]	—	—
`ADRestrictDDNSItem`required	string	Allowed DDNS Interface Item	An interface name which is allowed to make DDNS updates	—	—
`ADTrustChangePassIntervalDaysFlag`	boolean	Enable ADTrustChangePassIntervalDays Key	If 'true', the system enables the 'ADTrustChangePassIntervalDays' key.	false	—
`ADTrustChangePassIntervalDays`	integer	Password trust interval	The number of days before requiring a change of the computer trust account password. Set to '0' to disable the feature. Depends on: ADTrustChangePassIntervalDaysFlag ∈ [true]	14	—
`Description`	string	Description	The directory service description.	—	—
`ADDomainAdminGroupListItem`required	string	Domain Admin Group Item	An active directory group	—	—
`ADRestrictDDNSItem`required	string	Allowed DDNS Interface Item	An interface name which is allowed to make DDNS updates	—	—