Applies to: Centrify Identity Service, Mac Edition
How can an AD user be configured to login to a Centrify-joined Mac system with a network home folder in Auto Zone mode?
- Starting with macOS Sierra, portable home directories can no longer be created. Mobile home directories, which are network accounts cached locally, can still be created; however, their home folder will no longer sync with the network home directory.
- See page 18 of the Centrify Admin Guide for Mac OS X for further information on network home directories for Mac OS X.
- If the Mac is joined to the domain in Zone Mode, please see the following KB instead:
- The following example sets up a network home folder on a Windows file share. If using another type of file server, apply the equivalent sharing and security permissions on that device.
- On a network file server, create a folder where all the network home directories will be created.
- Right-click on this folder and configure the following settings:
Sharing tab > Permissions button > Remove "Everyone" > Add "Authenticated Users" > Select "Full Control"
Security tab > Add "Authenticated Users" > Select "Full Control"
(This is required for initial setup of the network home folders, limiting users to only be able to access their own home folders can be configured afterwards.)
- In ADUC, go to the AD user object and right-click and select their AD Properties:
Profile tab > Home folder section > choose Connect > Enter the folder path in the format:
\\[fully qualified server hostname]\[share path]\%username%
(The username will be filled automatically in place of the %username% token)
- Once the user's AD properties are updated, the home folder will be automatically created on the network file server.
- Go to Group Policy Management and in either an existing GPO, or a new GPO that will apply to the Mac systems, enable the GP at:
Computer Configuration / Centrify Settings / DirectControl Settings / Adclient Settings / "Enable Auto Zone user home directory (Mac OS X)"
If the network home folders will be coming from an AFP share, make sure to also configure the GP at:
Computer Configuration / Centrify Settings / DirectControl Settings / Adclient Settings / "Auto Zone remote file service (Mac OS X)"
- Save and apply the GPOs.
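The Windows-side steps above (share and NTFS permissions, then the user's home folder attribute) as a PowerShell script. This is an added example, not part of the Centrify KB; the file server name FS01.example.com, the share name MacHomes on D:\MacHomes, the AD user jdoe and the H: drive letter are assumptions to replace with your own values. Note that ADUC expands %username% and creates the folder for you, whereas Set-ADUser does neither, so the script passes the real logon name and creates the folder itself.

```powershell
# Added example (not from the Centrify KB). Run elevated on the file server with the
# RSAT ActiveDirectory module installed. All names below are assumptions.
#Requires -Modules SmbShare, ActiveDirectory

$HomeRoot   = 'D:\MacHomes'        # assumption: local path holding all network homes
$ShareName  = 'MacHomes'           # assumption: share name
$ServerFqdn = 'FS01.example.com'   # assumption: fully qualified file server hostname
$SamAccount = 'jdoe'               # assumption: the Mac user's AD logon name

# 1. Root folder where every network home directory will be created
if (-not (Test-Path $HomeRoot)) { New-Item -ItemType Directory -Path $HomeRoot | Out-Null }

# 2. Sharing tab: remove "Everyone", give "Authenticated Users" Full Control
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $HomeRoot -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# 3. Security tab: "Authenticated Users" Full Control on the root (initial setup only;
#    the KB notes that access is narrowed to each user's own folder afterwards)
$acl  = Get-Acl -Path $HomeRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $HomeRoot -AclObject $acl

# 4. Profile tab > Home folder > Connect: set the UNC path on the user object.
#    Set-ADUser does not expand %username% or create the folder, so do both here.
$HomeUnc = "\\$ServerFqdn\$ShareName\$SamAccount"
Set-ADUser -Identity $SamAccount -HomeDrive 'H:' -HomeDirectory $HomeUnc
$UserHome = Join-Path -Path $HomeRoot -ChildPath $SamAccount
if (-not (Test-Path $UserHome)) { New-Item -ItemType Directory -Path $UserHome | Out-Null }

# 5. Confirm the attribute adclient will read from AD once the Auto Zone GP is applied
Get-ADUser -Identity $SamAccount -Properties HomeDirectory, HomeDrive |
    Select-Object SamAccountName, HomeDirectory, HomeDrive
```

After the GPO in the next step is applied and the Mac has refreshed policy, the HomeDirectory value printed in step 5 is what `adquery user -h` on the Mac should report, converted to UNIX path format.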
- Go to the Mac and log in as a local admin
- Open the Terminal and run:
- Verify that the AD users have now been configured with network home directories by running the command:
adquery user -h ad_username
- The network home path will be shown in UNIX format:
To restrict access of the network home folders so that users can only get into their own network homes, please see the following KB:
For additional information not covered in this guide or troubleshooting assistance, please review the Centrify Online Help or Customer Support Portal.