OS X's built-in Active Directory client allows you to join an Active Directory domain, and it supports secure access to resources and single sign-on via Kerberos. Moreover, it doesn't require downgrading security levels, and it allows account synchronization for off-network access.
The client can be accessed using the Users and Groups pane of OS X Lion's System Preferences app (called the Accounts pane in older OS X releases). Detailed configuration, including account and home directory sync, preferred domain controllers, and so forth, can be performed using the included Directory Utility.
It's worth noting, however, that Apple's AD client has limitations. For example, it doesn't support client management of any kind beyond basic password policies. It also doesn't support DFS browsing. There are some issues specific to various releases, including Lion.
Essential Mac tools Nos. 16, 17, and 18: OS X Server, Apple's Open Directory, and Profile Manager
OS X may support Active Directory, but Apple's native directory is an LDAP-based solution called Open Directory.
Open Directory domains, hosted by OS X Server, give centralized accounts all the advantages that Active Directory delivers for Windows, including secure Kerberos single sign-on and client management. The client management system, referred to as Managed Preferences (abbreviated MCX), is entirely LDAP-based. It gives Mac clients user-, group-, and computer-based management that rivals the capabilities of Group Policies in Active Directory.
In a dual-directory setup, Mac clients can be joined to both Open Directory and Active Directory, allowing for secure access to AD accounts and resources but with complete Open Directory client management applied.
In Lion Server, Apple introduced a new Profile Manager feature that supports iOS device management and Mac client management without the need for a directory service. This alternative offers the core security client management features with a simplified setup, though it applies per device or client rather than at the more granular user or group level.
Essential Mac tools Nos. 19 and 20: Microsoft Active Directory Schema Analyzer and Apple Workgroup Manager
If adding a second directory isn't an option (it can often be a challenge), the fact that Apple's MCX architecture is completely LDAP-based offers an alternative: extend the Active Directory schema to support the Apple-specific attributes.
Microsoft's Active Directory Schema Analyzer is a great tool for generating the needed LDIF files. Once the schema is extended, Apple's free Workgroup Manager tool (part of OS X Server's administration utilities) can be installed on a Mac and pointed to an Active Directory domain, where it can manage some basic user account details and configure the full range of Apple's Managed Preferences.
Essential Mac tools No. 21: Third-party Active Directory Suites (free and commercial)
Apple's solutions are good for Active Directory integration, but they aren't perfect. In some cases, Apple's AD client may have issues with a specific Active Directory environment, while in others, some features just don't have full parity or may not even be available (DFS is a great example). For these situations, there are worthwhile third-party options, some of which are available for free.






