Assign an Active Directory user who is authorized to manage an encrypted disk

Before enabling FileVault 2, you must assign a user account that will be able to unlock the Mac computer's disk after FileVault 2 encrypts it. You do this by setting the "Managed By" user on the computer's Active Directory object.

Note:   Enabling the "FileVault2" group policy, as explained in the next section, encrypts the computer's entire disk. The user account that you assign in this procedure is authorized to unlock the disk at startup, so it is the only account that can log on. You can add other accounts later, but until you do, no other account can log on to this computer.

The “Managed By” user account must be an Active Directory mobile user account. See Configuring a portable home directory for information about the steps you must take to create a mobile user account.

Note:   After you enable a user account to unlock the encrypted disk at startup, you cannot remove that account from the list. If you no longer want this user account to be able to unlock the disk, delete the account from Active Directory. Before doing so, be certain that at least one other account can unlock the disk on this computer; otherwise you will be locked out of the computer.

To assign an account that can unlock the encrypted disk

  1. On a domain controller, open Active Directory Users and Computers.
  2. Expand the domain object and navigate to the container that contains the Mac computer, for example, Computers.
  3. Select the Mac computer that you plan to encrypt, right-click it and select Properties.
  4. Click the Managed By tab.
  5. Click Change.
  6. Enter all or part of the user name to search for (make certain that User is selected in Object Types) and click Check Names.
  7. If the name is correct, click OK, then click OK again to save your changes.
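The same "Managed By" assignment can be made from PowerShell with the ActiveDirectory module (RSAT), which is handy when you are preparing many Macs. The script below is an added example, not part of the product's documentation, and it does not verify that the user is a mobile account (that is a Mac-side setting). The computer name MAC-LAB-01 and user name jdoe are assumptions; substitute your own. The second part supports the note above: before you delete a user from Active Directory, it lists every computer whose "Managed By" still points at that user, so you can confirm another account can unlock each one.

```powershell
# Added example: set and verify the "Managed By" user on a Mac's AD computer object.
# Requires the ActiveDirectory module and rights to modify the computer object.
Import-Module ActiveDirectory

$computerName = 'MAC-LAB-01'   # assumed: the Mac's computer account name (without the trailing $)
$userName     = 'jdoe'         # assumed: sAMAccountName of the AD mobile user

# Resolve both objects first so a typo fails loudly instead of writing a bad value.
$user     = Get-ADUser     -Identity $userName     -ErrorAction Stop
$computer = Get-ADComputer -Identity $computerName -Properties managedBy -ErrorAction Stop

if ($computer.managedBy) {
    Write-Warning "$computerName is currently managed by $($computer.managedBy); overwriting."
}

# Equivalent of Managed By tab -> Change -> Check Names -> OK in ADUC.
Set-ADComputer -Identity $computer -ManagedBy $user

# Read the attribute back and confirm it points at the intended user.
$after = Get-ADComputer -Identity $computerName -Properties managedBy
if ($after.managedBy -ne $user.DistinguishedName) {
    throw "managedBy on $computerName was not updated"
}
Write-Host "$computerName managedBy = $($after.managedBy)"

# Before deleting a user from AD, find every computer that still lists that
# user as Managed By. Each of these must have another account that can unlock
# its disk, or it will become inaccessible once the user is gone.
$dn = $user.DistinguishedName
$stillManaged = Get-ADComputer -Filter "managedBy -eq '$dn'" -Properties managedBy |
    Select-Object -ExpandProperty Name
if ($stillManaged) {
    Write-Warning ("Computers still managed by {0}: {1}" -f $userName, ($stillManaged -join ', '))
} else {
    Write-Host "No computers list $userName as Managed By."
}
```

Run the script as an account that can write the managedBy attribute on the computer object; a plain domain user will get an access-denied error from Set-ADComputer. The filter query only reports the AD attribute, not the FileVault-enabled user list on the Mac itself, so treat it as a starting point for the check, not proof that another account can unlock the disk.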