Add or Remove Mac from Active Directory

From AFP548 Wiki

There are two ways to add a Mac to Active Directory, and the result is the same either way. Before proceeding, make sure the Mac is connected to your network, either via Ethernet or wirelessly. Macs can establish wireless connections at the login screen, which is helpful for devices such as the MacBook Air that do not have Ethernet ports.

Open Directory Utility

  1. Click on Apple in top left corner and click on System Preferences.
  2. Click on Users & Groups.
    1. Make sure the lock in the bottom left corner of the window is in an unlocked position.
  3. Click on Login Options.
  4. Where it says Network Account Server, click on the button Join...
  5. Click on Open Directory Utility...
  6. Double click on Active Directory. Note: you may need to click the lock in the bottom left corner to unlock it before making edits.

Or alternatively...

  1. Open Finder.
  2. Click on the Go menu and then Go to Folder...
  3. Type /System
  4. Open the Library folder
  5. Open the CoreServices folder
  6. Open Directory Utility.app
  7. Double click on Active Directory. Note: you may need to click the lock in the bottom left corner to unlock it before making edits.

Add Mac to Active Directory using Directory Utility

  1. Make sure the lock in the bottom left corner of the window is in an unlocked position.
  2. You will see three tabs: Services, Search Policy and Directory Editor. By default you will be under the Services tab. If not, please click Services.
  3. Double click on Active Directory.
  4. Enter the following information:
    1. Leave Active Directory Forest alone.
    2. Active Directory Domain: enter your domain name (company.com for the purposes of this guide).
    3. Computer ID: enter the computer name.
  5. Click on arrow next to Show Advanced Options.
  6. If you want the members of an AD group to be administrators on the computer, click the Administrative tab.
    1. Make sure Allow administration by: is checked.
    2. Click on the plus sign and enter the AD group name to allow that AD group to administer the machine.
  7. Click on the Bind... button.
  8. Enter your AD username in the Username: text field.
  9. Enter your AD password in the Password: text field.
  10. The next step requires you to fill out Computer OU:, which can be handled in one of two ways.
    1. First method: in reverse name format, type out the Organizational Unit (OU) the machine is going to be added to. For example: OU=MacOSX,OU=Computers,DC=company,DC=com. If you cannot remember the hierarchy, you will most likely need to remote into a PC and look at the Active Directory hierarchy for the domain with Active Directory Users and Computers to see the structure of OUs. Note the use of commas and the OU= prefix on each component; this is important, otherwise the bind may fail.
      OU stands for Organizational Unit and DC stands for Domain Controller. CN stands for Class Name.
    2. Second method: leave Computer OU: as is, which should be CN=Computers,DC=company,DC=com. Instead, remote into a PC with Active Directory Users and Computers. Go to the proper OU where the Mac will go, right-click the OU and select New -> Computer. Enter the Computer Name, which needs to match the Computer ID filled out earlier. On the Mac, in Directory Utility, you should now be able to click Bind.

      If you used the second method of adding a Mac to Active Directory, you will see the following message:
      Join existing account?
      The account information you entered specifies an account that already exists. Do you wish to join this computer to the existing computer account? This operation cannot be undone.
      Please click OK. This is the Mac telling you that you will be overwriting a computer account in Active Directory, which is fine and should not cause any problems.
  11. Click the User Experience tab. This should be the default tab you see anyway.
  12. Check Create mobile account at login. This ensures that a user's credentials are cached on the computer for when they are off the network.
  13. Check Require confirmation before creating a mobile account. Otherwise you may see a prompt, when you log in with your AD credentials for the first time, asking whether to create a mobile account folder; answer Yes and, if given the option, select Do not ask me again.
  14. If you are not using network homes, uncheck Use UNC path from Active Directory to derive network home location.
  15. Select OK.
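The Computer OU string in step 10 is where most binds fail, so here is the same bind done from the command line with a format check on that string before dsconfigad is called. This is an added example, not part of the wiki page or of either script further down; the computer ID MAC-LAB-01, the account adadmin and the script file name are assumed, while the domain and OU values are the guide's own.

```bash
# domain_to_dc DOMAIN: company.com -> DC=company,DC=com
domain_to_dc() {
    printf '%s\n' "$1" |
        awk -F'[.]' '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# valid_ou_dn DN DOMAIN: 0 only when DN is a comma-separated list of OU=/CN=/DC=
# components (the commas and "OU=" the guide insists on) ending in DOMAIN's DC parts.
valid_ou_dn() {
    local dn=$1 suffix rdn
    suffix=$(domain_to_dc "$2")
    [ -n "$dn" ] || return 1
    case "$dn" in ,*|*,|*,,*) return 1 ;; esac
    local IFS=','
    for rdn in $dn; do
        case "$rdn" in
            OU=?*|CN=?*|DC=?*) ;;
            *) return 1 ;;
        esac
    done
    case "$dn" in
        "$suffix"|*",$suffix") return 0 ;;
        *) return 1 ;;
    esac
}

# is_bound: 0 when dscl lists an Active Directory node on this Mac
is_bound() {
    /usr/bin/dscl localhost -list . 2>/dev/null | grep -qx 'Active Directory'
}

# bind_mac DOMAIN COMPUTER_ID OU_DN AD_USER: steps 4 to 15 of the guide as commands.
# dsconfigad prompts for the AD password itself, so it never lands on the
# command line or in shell history.
bind_mac() {
    local domain=$1 comp=$2 ou=$3 user=$4
    if ! valid_ou_dn "$ou" "$domain"; then
        echo "Computer OU '$ou' is not a well-formed DN under $domain" >&2
        return 2
    fi
    dsconfigad -add "$domain" -computer "$comp" -username "$user" -ou "$ou" || return 1
    dsconfigad -mobile enable          # Create mobile account at login
    dsconfigad -mobileconfirm enable   # Require confirmation before creating a mobile account
    dsconfigad -useuncpath disable     # network homes are not in use
    is_bound || { echo "dsconfigad succeeded but no Active Directory node is listed" >&2; return 1; }
}

# Usage (assumed computer ID and admin account; OU from the guide):
# ./bind-mac.sh company.com MAC-LAB-01 "OU=MacOSX,OU=Computers,DC=company,DC=com" adadmin
if [ "$#" -eq 4 ]; then bind_mac "$@"; fi
```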

Remove Mac from Active Directory using Directory Utility

It is possible to remove a machine from Active Directory from within Mac OS X. This assumes the machine is currently bound to an AD domain.

  1. First, you will need to open Directory Utility.
  2. Make sure the lock in the bottom left corner of the window is in an unlocked position.
  3. You will see three tabs: Services, Search Policy and Directory Editor. By default you will be under the Services tab. If not, please click Services.
  4. Double click on Active Directory.
  5. Click on the Unbind... button.
  6. Enter your AD username in the Username: text field.
  7. Enter your AD password in the Password: text field.
  8. Select OK.
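The same unbind from the command line, with a check afterwards that the Active Directory node and any search-path entries pointing at it are really gone. This is an added example, not from the wiki page or the script authors; the "force" mode for a domain controller that cannot be reached, and the dscl output layout the helpers parse, are assumptions taken from the dsconfigad and dscl man pages.

```bash
# ad_listed: reads `dscl localhost -list .` output on stdin; 0 when an
# Active Directory node is present (the same check the scripts below make).
ad_listed() {
    grep -qx 'Active Directory'
}

# stale_ad_paths: reads `dscl /Search -read / CSPSearchPath` output on stdin
# and prints every /Active Directory/... search path still present, one per line.
stale_ad_paths() {
    sed -n 's#^[[:space:]]*\(/Active Directory/.*\)$#\1#p'
}

# unbind_mac AD_USER [force]: steps 5 to 8 of the guide as commands. dsconfigad
# prompts for the AD password itself. Pass "force" only when the domain
# controller cannot be reached: the local binding is dropped, but the computer
# object then stays in AD and has to be deleted in Active Directory Users and Computers.
unbind_mac() {
    local user=$1 mode=${2:-} path
    if ! /usr/bin/dscl localhost -list . | ad_listed; then
        echo "This Mac is not bound to Active Directory" >&2
        return 3
    fi
    if [ "$mode" = force ]; then
        dsconfigad -remove -force -username "$user" || return 1
    else
        dsconfigad -remove -username "$user" || return 1
    fi
    if /usr/bin/dscl localhost -list . | ad_listed; then
        echo "Active Directory node is still listed after unbind" >&2
        return 1
    fi
    # Directory Utility normally prunes the search policy; remove any leftovers,
    # which would otherwise be consulted on every user and group lookup.
    dscl /Search -read / CSPSearchPath | stale_ad_paths | while IFS= read -r path; do
        dscl /Search -delete / CSPSearchPath "$path"
    done
    echo "Unbound. Mobile accounts created while bound remain on this Mac as local records."
}

if [ "$#" -ge 1 ]; then unbind_mac "$@"; fi
```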

Scripts for Automation

The two scripts below should also work for most Active Directory environments. If yours differs, modify them as needed.

Vaughn Miller's script

The script can be found here: https://github.com/vmiller/vmiller_scripts/blob/master/Interactive_AD_Bind/joinad.sh

	#!/bin/bash
	################################################################
	# Interactive script to join Macs to Active Directory
	#
	# Written by Vaughn Miller
	# Version 1.1  December 7, 2011
	#
	# In this sample the FQDN is ad.company.com and the NetBIOS
	# name is COMPANY. You should change these values and the OU values
	# to match your environment.
	################################################################

	RunAsRoot()
	{
		## Pass in the full path to the executable as $1.
		## If not root, re-run under sudo and exit with sudo's status so the
		## script never carries on unprivileged when authentication fails.
		if [ "$(id -u)" -ne 0 ]; then
			echo
			echo "***  This application must be run as root.  Please authenticate below.  ***"
			echo
			sudo "${1}"
			exit $?
		fi
	}

	RunAsRoot "${0}"

	# If machine is already bound, exit the script
	check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
	if [ "${check4AD}" = "Active Directory" ]; then
		printf 'Computer is already bound to Active Directory..\nExiting script...\n'; exit 1
	fi

	read -p "Enter computer name : " compName

	echo "Select OU for computer : "
	select ou in "OU=Laptops,OU=Office Computers,DC=ad,DC=company,DC=com" "OU=Office Computers,DC=ad,DC=company,DC=com"; do
		break
	done

	# Bind the machine to AD (dsconfigad prompts for the account password itself)
	read -p "Enter account name  : " acctName
	dsconfigad -add ad.company.com -computer "$compName" -username "$acctName" -ou "$ou"

	# If the machine is not bound to AD, then there's no purpose going any further.
	check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
	if [ "${check4AD}" != "Active Directory" ]; then
		printf 'Bind to Active Directory failed!\nExiting script...\n'; exit 1
	fi

	# Set host names to match
	scutil --set HostName "$compName"
	scutil --set ComputerName "$compName"
	scutil --set LocalHostName "$compName"

	# Configure login options (the User Experience tab in Directory Utility)
	dsconfigad -mobile enable
	dsconfigad -mobileconfirm disable
	dsconfigad -useuncpath disable

	# If running Lion, configure the search paths.
	# The search paths show up differently depending on which update is installed.
	majorSysver=$(sw_vers -productVersion | cut -d. -f1-2)
	minorSysver=$(sw_vers -productVersion | cut -d. -f3)
	if [ "$majorSysver" = "10.7" ]; then
		if [ "${minorSysver:-0}" -gt 1 ]; then
			dscl /Search -delete / CSPSearchPath "/Active Directory/COMPANY/All Domains"
			dscl /Search -append / CSPSearchPath "/Active Directory/COMPANY"
			dscl /Search -append / CSPSearchPath "/Active Directory/COMPANY/All Domains"
		else
			dscl /Search -delete / CSPSearchPath "/Active Directory/AD/All Domains"
			dscl /Search -append / CSPSearchPath "/Active Directory/AD"
			dscl /Search -append / CSPSearchPath "/Active Directory/AD/All Domains"
		fi
	fi

	# Set login options to be more user friendly
	defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
	# /Library/Preferences is made world-writable only for the next two writes
	# and restored right after; keep the window between the two chmods minimal.
	chmod o+w /Library/Preferences
	defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseDefaultName -bool NO
	defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseShortName -bool YES
	chmod o-w /Library/Preferences

	###########################################################################
	# Add Mobile Accounts
	###########################################################################

	echo "Do you wish to setup mobile accounts now?"
	select i in "Yes" "No"; do
		break
	done

	while [ "$i" = "Yes" ]; do
		read -p "Enter user name : " userName
		/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$userName"

		# Check to see if the account was created and then prompt to see
		# if user should be made an administrator
		if [ -d "/Users/$userName" ]; then
			echo "Make user administrator ? "
			select yn in "Yes" "No"; do
				break
			done
			if [ "$yn" = "Yes" ]; then
				dscl . -append /Groups/admin GroupMembership "$userName"
			fi
		fi
		echo "Another user?"
		select i in "Yes" "No"; do
			break
		done
	done

Nick Cobb's script

The script can be found here: https://github.com/loyaltyarm/vmiller_scripts/blob/master/ML_Interactive_AD_Join/joinAD.sh

	#!/bin/bash
	####################################################
	# Bind to Active Directory script
	#
	# written by Nick Cobb, 2012.
	#
	# Based on script by Vaughn Miller
	# https://github.com/vmiller/vmiller_scripts/tree/master/Interactive_AD_Bind
	#
	# Reference man dsconfigad for additional parameters
	####################################################

	RunAsRoot()
	{
		## Pass in the full path to the executable as $1.
		## If not root, re-run under sudo and exit with sudo's status so the
		## script never carries on unprivileged when authentication fails.
		if [ "$(id -u)" -ne 0 ]; then
			echo
			echo "*** This application must be run as root. Please authenticate below. ***"
			echo
			sudo "${1}"
			exit $?
		fi
	}

	RunAsRoot "${0}"

	# If machine is already bound, exit the script
	check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
	if [ "${check4AD}" = "Active Directory" ]; then
		printf 'Computer is already bound to Active Directory..\nExiting script...\n'; exit 1
	fi

	# Set machine to use AD domain for network time (Kerberos needs the clocks in sync)
	echo "Setting Network Time..."
	systemsetup -setusingnetworktime on
	read -p "Enter network time server address : " timeServ
	systemsetup -setnetworktimeserver "$timeServ"

	# Get user input for machine name
	read -p "Enter computer name : " compName

	# Bind the machine to AD (dsconfigad prompts for the account password itself)
	read -p "Enter AD domain : " domainAddy
	read -p "Enter OU location (ie., OU=Apple,dc=your,dc=domain,dc=here,dc=com) : " ou
	read -p "Enter AD admin account name : " acctName
	echo
	echo "Binding...this process may take a minute or two..."
	echo "Please enter your password below..."
	sleep 1
	# -force joins an existing computer account of the same name instead of failing
	dsconfigad -force -add "$domainAddy" -computer "$compName" -username "$acctName" -ou "$ou"

	# If the machine is not bound to AD, then there's no purpose going any further.
	check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
	if [ "${check4AD}" != "Active Directory" ]; then
		printf 'Bind to Active Directory failed!\nExiting script...\n'; exit 1
	fi

	# Set host names to match
	echo "Setting Computer Name..."
	sleep 2
	scutil --set HostName "$compName"
	scutil --set ComputerName "$compName"
	scutil --set LocalHostName "$compName"
	sleep 1

	# Configure login options
	# These settings correspond to the User Experience tab in Directory Utility
	echo "Configuring Login Settings..."
	sleep 1
	dsconfigad -mobile enable
	dsconfigad -mobileconfirm disable
	dsconfigad -localhome enable
	dsconfigad -useuncpath enable
	dsconfigad -protocol smb
	sleep 1

	# Configure administrator options
	# These settings correspond to the Administrative tab in Directory Utility
	read -r -p "Enter administrative domain groups (separate with commas, ie., DOMAIN\Domain Admins,DOMAIN\Support Group Admin) : " groupName
	echo "Configuring Administrative Settings..."
	sleep 1
	dsconfigad -groups "$groupName"
	dsconfigad -alldomains enable
	sleep 1

	# Configure security options: encrypt directory (LDAP) traffic to the domain controllers with SSL
	echo "Configuring Security Settings..."
	sleep 1
	dsconfigad -packetencrypt ssl
	sleep 1

	# Set AD Search Policy
	# "yourdomain" is the node name shown under /Active Directory on the bound Mac; replace it
	echo "Configuring Search Policy..."
	dscl /Search -create / SearchPolicy CSPSearchPath
	dscl /Search -append / CSPSearchPath "/Active Directory/yourdomain/All Domains"
	dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
	dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/yourdomain/All Domains"

	###########################################################################
	# Add Mobile Accounts
	###########################################################################

	echo "Do you wish to setup AD user accounts now?"
	select i in "Yes" "No"; do
		break
	done

	while [ "$i" = "Yes" ]; do
		read -p "Enter AD user account : " userName
		/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$userName"

		# Check to see if the account was created and then prompt to see
		# if user should be made an administrator
		if [ -d "/Users/$userName" ]; then
			echo "Make user administrator ? "
			select yn in "Yes" "No"; do
				break
			done
			if [ "$yn" = "Yes" ]; then
				dscl . -append /Groups/admin GroupMembership "$userName"
			fi
		fi
		echo "Another user?"
		select i in "Yes" "No"; do
			break
		done
	done