dsconfigad
Directory Services configuration

dsconfigad -help
dsconfigad -add domain -username value [-computer value] [-force] [-password value] [-ou dn] [-preferred server]
[-localuser value] [-localpassword value]
dsconfigad -leave [-localuser value] [-localpassword value]
dsconfigad -remove -username value [-force] [-password value] [-localuser value] [-localpassword value]
dsconfigad -show [-xml]
dsconfigad [advoptions] [-localuser value] [-localpassword value]
-show current configuration for Active Directory
-add value computer to the domain
-computer value name of computer to add to domain
-localuser value username of a privileged local user
-localpassword value password of a privileged local user
-username value username of a privileged network user
-password value password of a privileged network user
-ou dn fully qualified LDAP DN of container for the computer (defaults to CN=Computers)
-leave leave the domain (preserving the computer account)
-remove remove computer from domain
-force force the process (i.e., join the existing account)
-xml output configuration in plist format
Advanced Options - User Experience:
-localhome flag enable|disable force home directory to local drive
-sharepoint enable|disable mount network home as a sharepoint.
-shell value none for no shell|specify a default shell /bin/bash
-mobile flag enable|disable mobile user accounts for offline use
-mobileconfirm flag enable|disable warning for mobile account creation
-protocol type afp|smb change protocol used when mounting home
-useuncpath flag enable|disable use Windows UNC for network home
Advanced Options - Mappings:
-uid attribute name of attribute to be used for UNIX uid field
-nouid generate the UID from the Active Directory GUID
-gid attribute name of attribute to be used for UNIX gid field
-nogid generate the GID from the Active Directory information
-ggid attribute name of attribute to be used for UNIX group gid field
-noggid generate the group GID from the Active Directory GUID
-authority enable|disable generation of Kerberos authority
Advanced Options - Administrative:
-preferred server fully-qualified domain name
-nopreferred do not use a preferred server
-groups "1,2,..." list of groups that are granted Admin privileges on local workstation
-nogroups disable the use of groups for granting Admin privileges
-alldomains flag enable|disable allow authentication from any domain
-packetsign flag disable, allow,|require packet signing
-packetencrypt flag disable, allow, require|ssl packet encryption
-namespace flag forest|domain, where forest qualifies all usernames
-passinterval days how often to change computer trust account password
-restrictDDNS list list of interfaces to restrict DDNS to (en0, en1, etc.)

see dseditgroup
sudo dseditgroup -o edit -n /Local/Default -a everyone -t group lpadmin