Apple - How to manage GPOs on Macintosh clients in a Microsoft domain

If you want to centrally manage some settings on Macintosh clients in a Microsoft domain, there are two main options to follow.

1. Install a client plug-in/tool that makes the Mac compatible with Microsoft GPOs.
2. Install OS X Server, which will coexist with the Microsoft domain.

Here are some excerpts from articles that I found on the internet.

Mac Tools

OSX Server

There are other options (such as AD schema extension and so on), but you can go deeper on those by reading the full articles that I mentioned above.



DirectControl from Centrify is also an Active Directory plug-in replacement. Besides the obligatory support for Active Directory authentication, a major feature of interest is support for GPOs: Windows administrators can use standard Windows tools to define GPOs for Mac clients that can specify certain management settings for users and computers. The ability to use a single set of tools to manage users, groups, and computers, no matter the OS, is an important one for some organizations. Centrify also offers DirectControl for Linux and UNIX, which offers the possibility of using Active Directory to authenticate and manage all your platforms. More information on the Mac product is available at

Likewise Enterprise

Likewise Enterprise is yet another replacement for Apple's Active Directory plug-in. A unique feature of this product is the ability to store MCX data in Active Directory without extending the schema. This is similar in concept to what Centrify's DirectControl does, but with two important differences:

Administrators can not only define Group Policy Objects using the Microsoft Management Console, but they can also use Apple's Workgroup Manager application to define Mac-specific management settings.

Because actual MCX data can be stored in AD, a wider range of management settings are supported.

Likewise Enterprise is also available for Linux and UNIX, again making it possible to use a single directory service for all your platforms. Additionally, Likewise offers an Active Directory management console that runs on Mac OS X and Linux. Visit for more information on this product. ... >

OSX Server installation

<... Essential Mac tools Nos. 16, 17, and 18: OS X Server, Apple's Open Directory, and Profile Manager

OS X may support Active Directory, but Apple's native directory is an LDAP-based solution called Open Directory.

Open Directory domains, hosted by OS X Server, afford centralized accounts all the advantages that Active Directory delivers for Windows, including secure Kerberos single sign-on and client management. This system, referred to as Managed Preferences (or abbreviated MCX), is entirely LDAP-based and allows for user/group/computer-based client management that rivals the capabilities of Group Policies in Active Directory for Mac clients.

In a dual-directory setup, Mac clients can be joined to both Open Directory and Active Directory, allowing for secure access to AD accounts and resources but with complete Open Directory client management applied.

In Lion Server, Apple introduced a new Profile Manager feature that supports iOS device management and Mac client management without the need for a directory service. This alternative offers the core security client management features with a simplified setup, though it is device/client-specific rather than more granular at the user or group level. ...>