It’s easy to only see the security implications and administrative issues in this scenario, but take a step back and you’ll also understand the frustration Macintosh users have on a network designed without their experience in mind.

Binding workstations to Active Directory allows your existing Windows accounts to be used on Mac OS X. It eases maintenance by enabling the use of network administrative accounts, and improves security by allowing you to enforce password policy. Just as importantly, it empowers the people who use your Macintosh systems, by eliminating multiple passwords and allowing interaction directly with the Windows infrastructure.

To begin, check the “Network” pane in System Preferences, and be sure that your Windows domain is listed in the “Search Domains” for each interface. Then open the Directory Utility application in the Utilities folder, click the “Show Advanced Settings” button, and select “Services” from the toolbar that appears above.

Check “Active Directory” from the available list of services, then hit the pencil symbol at the bottom to edit the binding criteria. Leave the directory forest set to “Automatic” and enter the name of your Active Directory domain and the computer name you wish to bind your machine as. Resist the shiny, pulsing “Bind…” button and instead click the “Show Advanced Options” arrow at the very left hand side. The window will expand, revealing the full range of configuration choices.

Beginning with the “User Experience” pane, check “Create mobile account at login”. Without this selected, Mac OS X won’t cache account credentials, leaving users locked out of their machine when the Active Directory server can’t be reached. This would prevent access not only during network failures, but also for any laptop user unable to connect with VPN (like those commuting by train, on airplanes, or in log cabins).

Next you’ll see “Force local home directory” selected automatically. This will store user account data on the individual workstation rather than utilizing the home folder in the user’s Active Directory profile. While it is possible to use a Windows server to store Macintosh home directories, the process can be inconsistent and poorly supported (and can lead to significant confusion if the same account is used for both OS X and Windows). To this end, you’ll want to uncheck “Use UNC path from Active Directory to derive network home location” as well.

Now select the “Administrative” pane, and begin by unchecking “Allow authentication from any domain in the forest” at the bottom of the window. This will force OS X to locate user accounts only within the domain you’ve specified. You can then check “Allow administration by”, allowing (at a minimum) domain and enterprise administrators to also administer the local machine. You can also add groups from your Active Directory set up, or even specific user accounts (as in the example above) who may not normally have administrative rights on Windows systems.

Having configured your options, click “Bind…”, and enter the name and password of a domain administrator when prompted. If there’s a pre-existing local account on the bound machine, you’ll want to log in with the user’s Windows name and password first to dynamically create a new home directory. Then, switch to an administrative account to migrate over the user data from their old home directory in /Users, making sure to match the permissions to the new Active Directory-based account.

When it’s all finished, you’ll now have the kind of account controls you’re so used to on your Windows systems. Happily, your Macintosh users will, too.

Recommended Reading: Active Directory binding is important enough in corporate settings that we’ve written about it twice, once early on for Tiger and again in this updated Leopard version. It’s also important enough that Apple has whole whitepaper dedicated to it: Integrating Mac OS X with Active Directory.

The answer is VNC (Virtual Network Computing), an open source desktop sharing system built directly into Mac OS X (and at the center of Apple’s new “Back To My Mac” and screen sharing features in Leopard). Once configured as a VNC server, any Macintosh system can be accessed from a Windows VNC client, allowing you to view and control the current user session.

Open System Preferences on your Macintosh and choose “Sharing” from the third row. In the Sharing pane, check “Remote Management” from the “Service” column, then click the “Computer Settings…” button (called “Apple Remote Desktop” and “Access Privileges” respectively in Tiger). When the settings dialog appears, check “VNC viewers may control screen with password”, and choose a strong password to enable remote access. If the Mac you’re trying to reach isn’t on the same network as your client machine, you’ll need to configure your router or firewall to forward port 5900 to it as well.

That’s it. Now when you need to remotely control that Mac, you can point the VNC client of your choice at the machine’s IP and log in with the password you just assigned. There’s no further authentication process built in (and no data encryption being used), so you’ll want at the very least log out of that machine when it’s not in use to minimize security risks. You’ll also need to set your VNC client to utilize full color (the highest possible color depth) to get around a bug in Apple’s VNC Server.

This kind of screen sharing isn’t an ideal long term management solution, but it allows the kind of emergency troubleshooting that can often save the day. The next day, you can look into buying a MacBook Pro.

Recommended Reading: If you aren’t currently using VNC on Windows, you can check out RealVNC, UltraVNC, and TightVNC, all popular and free VNC clients. For those who can’t decide, Wikipedia offers a fantastic feature comparison of remote desktop software which includes these options, Apple Remote Desktop, and others.