Difference between revisions of "Add or Remove Mac from Active Directory"
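--- a/Add or Remove Mac from Active Directory
+++ b/Add or Remove Mac from Active Directory
@@ -55,3 +55,256 @@
 #Enter your AD password in the '''Password:''' text field
 #Select OK.
+
+== Scripts for Automation ==
+There are two scripts available below which should work as well for most Active Directory environments. If not, modify as needed.
+
+===Vaughn Miller's script===
+The script can be found here: https://github.com/vmiller/vmiller_scripts/blob/master/Interactive_AD_Bind/joinad.sh
+
+################################################################
+# Interactive script to join Macs to Active Directory
+#
+# Written by Vaughn Miller
+# Version 1.1 December 7, 2011
+#
+# In this sample the the FQDN is ad.comapny.com and the NetBios
+# name is COMAPNY You should change these values and the OU values
+# to match your environment
+################################################################
+
+#!/bin/bash
+
+RunAsRoot()
+{
+## Pass in the full path to the executable as $1
+if [[ "${USER}" != "root" ]] ; then
+echo
+echo "*** This application must be run as root. Please authenticate below. ***"
+echo
+sudo "${1}" && exit 0
+fi
+}
+
+RunAsRoot "${0}"
+
+# If machine is already bound, exit the script
+check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
+if [ "${check4AD}" = "Active Directory" ]; then
+echo "Computer is already bound to Active Directory.. \n Exiting script... "; exit 1
+fi
+
+
+read -p "Enter computer name : " compName
+
+echo "Select OU for computer : "
+select ou in "OU=Laptops,OU=Office Computers,DC=ad,DC=company,DC=com" "OU=Office Computers,DC=ad,DC=company,DC=com"; do
+break
+done
+
+# Bind the machine to AD
+read -p "Enter account name : " acctName
+dsconfigad -add ad.company.com -computer $compName -username $acctName -ou "$ou"
+
+# If the machine is not bound to AD, then there's no purpose going any further.
+check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
+if [ "${check4AD}" != "Active Directory" ]; then
+echo "Bind to Active Directory failed! \n Exiting script... "; exit 1
+fi
+
+# set host names to match
+scutil --set HostName $compName
+scutil --set ComputerName $compName
+scutil --set LocalHostName $compName
+
+# Configure login options
+dsconfigad -mobile enable
+dsconfigad -mobileconfirm disable
+dsconfigad -useuncpath disable
+
+# If running Lion, configure the search paths.
+# The Search Paths show up different depending on what update is installed
+majorSysver=`sw_vers -productVersion | cut -c 1-4`
+minorSysver=`sw_vers -productVersion | cut -c 6`
+if [ $majorSysver = 10.7 ]; then
+if [ $minorSysver -gt 1 ]; then
+dscl /Search -delete / CSPSearchPath "/Active Directory/COMPANY/All Domains"
+dscl /Search -append / CSPSearchPath "/Active Directory/COMPANY"
+dscl /Search -append / CSPSearchPath "/Active Directory/COMPANY/All Domains"
+else
+dscl /Search -delete / CSPSearchPath "/Active Directory/AD/All Domains"
+dscl /Search -append / CSPSearchPath "/Active Directory/AD"
+dscl /Search -append / CSPSearchPath "/Active Directory/AD/All Domains"
+fi
+fi
+
+# Set login options to be more user friendly
+defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
+chmod o+w /Library/Preferences
+defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseDefaultName -bool NO
+defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseShortName -bool YES
+chmod o-w /Library/Preferences
+
+###########################################################################
+# Add Mobile Accounts
+###########################################################################
+
+echo "Do you wish to setup mobile accounts now?"
+select i in "Yes" "No"; do
+break
+done
+
+while [ $i = "Yes" ]; do
+read -p "Enter user name : " userName
+/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $userName
+
+# Check to see if the account was created and then prompt to see
+# if user should be made an administrator
+
+if [ -d "/Users/$userName" ]; then
+echo "Make user administrator ? "
+select yn in "Yes" "No"; do
+break
+done
+if [ $yn == "Yes" ]; then
+dscl . -append /Groups/admin GroupMembership $userName
+fi
+fi
+echo "Another user?"
+select i in "Yes" "No"; do
+break
+done
+done
+
+===Nick Cobb's script===
+The script can be found here: https://github.com/loyaltyarm/vmiller_scripts/blob/master/ML_Interactive_AD_Join/joinAD.sh
+
+####################################################
+# Bind to Active Directory script
+#
+# written by Nick Cobb, 2012.
+#
+#
+# Based on script by Vaughn Miller
+# https://github.com/vmiller/vmiller_scripts/tree/master/Interactive_AD_Bind
+#
+# Reference man dsconfigad for additional parameters
+####################################################
+
+#!/bin/bash
+
+RunAsRoot()
+{
+## Pass in the full path to the executable as $1
+if [[ "${USER}" != "root" ]] ; then
+echo
+echo "*** This application must be run as root. Please authenticate below. ***"
+echo
+sudo "${1}" && exit 0
+fi
+}
+
+RunAsRoot "${0}"
+
+# If machine is already bound, exit the script
+check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
+if [ "${check4AD}" = "Active Directory" ]; then
+echo "Computer is already bound to Active Directory.. \n Exiting script... "; exit 1
+fi
+
+# Set machine to use AD domain for network time
+echo Setting Network Time...
+systemsetup -setusingnetworktime on
+read -p "Enter network time server address : " timeServ
+systemsetup -setnetworktimeserver $timeServ
+
+# Get user input for machine name
+read -p "Enter computer name : " compName
+
+# Bind the machine to AD
+read -p "Enter AD domain : " domainAddy
+read -p "Enter OU location (ie., OU=Apple,dc=your,dc=domain,dc=here,dc=com) : " ou
+read -p "Enter AD admin account name : " acctName
+echo
+echo Binding...this process may take a minute or two...
+echo Please enter your password below...
+sleep 1
+dsconfigad -force -add $domainAddy -computer $compName -username $acctName -ou $ou
+
+# If the machine is not bound to AD, then there's no purpose going any further.
+check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
+if [ "${check4AD}" != "Active Directory" ]; then
+echo "Bind to Active Directory failed! \n Exiting script... "; exit 1
+fi
+
+# set host names to match
+echo Setting Computer Name...
+sleep 2
+scutil --set HostName $compName
+scutil --set ComputerName $compName
+scutil --set LocalHostName $compName
+sleep 1
+
+# Configure login options
+# These settings correspond to the User Experience tab in Directory Utility
+echo Configuring Login Settings...
+sleep 1
+dsconfigad -mobile enable
+dsconfigad -mobileconfirm disable
+dsconfigad -localhome enable
+dsconfigad -useuncpath enable
+dsconfigad -protocol smb
+sleep 1
+
+# Configure administrator options
+# These settings correspond to the Administrative tab in Directory Utility
+read -r -p "Enter administrative domain groups (separate with commas, ie., DOMAIN\Domain Admins,DOMAIN\Support Group Admin) : " groupName
+echo Configuring Administrative Settings...
+sleep 1
+dsconfigad -groups "$groupName"
+dsconfigad -alldomains enable
+sleep 1
+
+# Configure security options
+echo Configuring Security Settings...
+sleep 1
+dsconfigad -packetencrypt ssl
+sleep 1
+
+# Set AD Search Policy
+echo Configuring Search Policy...
+dscl /Search -create / SearchPolicy CSPSearchPath
+dscl /Search -append / CSPSearchPath "/Active Directory/yourdomain/All Domains"
+dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
+dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/yourdomain/All Domains"
+
+###########################################################################
+# Add Mobile Accounts
+###########################################################################
+
+echo "Do you wish to setup AD user accounts now?"
+select i in "Yes" "No"; do
+break
+done
+
+while [ $i = "Yes" ]; do
+read -p "Enter AD user account : " userName
+/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $userName
+
+# Check to see if the account was created and then prompt to see
+# if user should be made an administrator
+
+if [ -d "/Users/$userName" ]; then
+echo "Make user administrator ? "
+select yn in "Yes" "No"; do
+break
+done
+if [ $yn == "Yes" ]; then
+dscl . -append /Groups/admin GroupMembership $userName
+fi
+fi
+echo "Another user?"
+select i in "Yes" "No"; do
+break
+done
+done
 [[Category:Guides]]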
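Review bot: `#!/bin/bash` in both scripts comes after the comment header, so it is an ordinary comment rather than a shebang and the scripts run under whatever shell the caller happens to use; it has to be the first line of each file. `sudo "${1}" && exit 0` in both `RunAsRoot` bodies falls through into the bind and `dscl` commands as the unprivileged caller when sudo fails or is declined; `exec sudo -- "$1"` closes that path. `chmod o+w /Library/Preferences` in the first script makes a system preferences directory world-writable, nothing restores `o-w` if one of the two `defaults write` calls in between aborts, and root (which `RunAsRoot` already guarantees) does not need the chmod at all. The prompted values are expanded unquoted (`-ou $ou` on the second script's `dsconfigad -force -add` line, `$compName` and `$userName` in the `scutil`, `createmobileaccount` and `dscl` calls of both), so an OU such as `OU=Office Computers` splits into two arguments; quote every expansion. The `echo "... \n Exiting script... "` messages print a literal `\n` under bash's builtin echo; `printf '%s\n' "..." >&2` is the idiomatic form for a diagnostic.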
Latest revision as of 19:49, 27 May 2013
There are two ways to add a Mac to Active Directory. The results are the same. Before proceeding make sure the Mac is connected to your network either via Ethernet or wireless. Macs can establish wireless connections at the login screen which is helpful for devices such as the MacBook Air that do not have Ethernet ports.
Open Directory Utility[edit]
- Click on Apple in top left corner and click on System Preferences.
- Click on Users & Groups.
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- Click on Login Options.
- Where it says Network Account Server, click on the button Join...
- Click on Open Directory Utility...
- Double click on Active Directory. Note, you may click on the lock in the bottom left corner to unlock and make edits.
Or alternatively...
- Open Finder.
- Click on Go menu and then Go to folder...
- Type /System
- Open Library folder
- Open Core Services folder
- Open Directory Utility.app
- Double click on Active Directory. Note, you may click on the lock in the bottom left corner to unlock and make edits.
Add Mac to Active Directory using Directory Utility[edit]
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- You will see three tabs: Services, Search Policy and Directory Editor. By default you will be under the Services tab. If not, please click Services.
- Double click on Active Directory.
- Enter the following information:
- Leave Active Directory Forest alone.
- Active Directory Domain: enter your domain name (i.e. company.com for purposes of this guide)
- Computer ID: enter computer name
- Click on arrow next to Show Advanced Options.
- If you want to make an AD group administrators on the computer, click the Administrative tab.
- Make sure Allow administration by: is checked.
- Click on the plus sign and enter the AD group name to allow that AD group to be administrators on the machine.
- Click on the Bind... button.
- Enter your AD username in the Username: text field
- Enter your AD password in the Password: text field
- The next step requires you to fill out Computer OU:, which can be handled in one of two ways
- First method: in reverse name format, type out the Organizational Unit (OU) the machine is going to be added to. For example: OU=MacOSX,OU=Computers,DC=company,DC=com. If you cannot remember the hierarchy, you will most likely need to remote into a PC and look at the Active Directory hierarchy for the domain with Active Directory Users and Computers to see the structure of OUs. Note the use of commas and OU=, which is important; otherwise this may fail.
OU stands for Organizational Unit and DC stands for Domain Controller. CN stands for Class Name.
- Second method: leave Computer OU: as is, which should be CN=Computers,DC=company,DC=com. Instead, remote into a PC with Active Directory Users and Computers. Go to the OU where the Mac will go, right-click the OU and select New -> Computer. Enter the Computer Name, which needs to match the Computer ID filled out earlier. On the Mac, in Directory Utility, you should now be able to click Bind.
OU stands for Organizational Unit. DC stands for Domain Controller. CN stands for Class Name.
If you used the second method of adding a Mac to Active Directory, you will see the following message:
Please click OK. This is the Mac telling you that you will be overwriting a computer account in Active Directory, which is fine and should not cause any problems.
Join existing account?
The account information you entered specifies an account that already exists. Do you wish to join this computer to the existing computer account? This operation cannot be undone.
- First method: in reverse name format, type out the Organizational Unit (OU) the machine is going to be added to. For example: OU=MacOSX,OU=Computers,DC=company,DC=com. If you cannot remember the hierarchy, you will most likely need to remote into a PC and look at the Active Directory hierarchy for the domain with Active Directory Users and Computers to see the structure of OUs. Note the use of commas and OU=, which is important; otherwise this may fail.
- Click the User Experience tab. This should be the default tab you see anyways.
- Check Create mobile account at login. This will ensure that a user's credentials are cached on the computer when they are off the network.
- Check Require confirmation before creating a mobile account. Otherwise you may see a prompt when you login with your AD credentials for the first time to create a mobile account folder which should be answered with Yes. And if given the option select Do not ask me again.
- If you are not using network homes, then uncheck Use UNC path from Active Directory to derive network home location
- Select OK.
Remove Mac from Active Directory using Directory Utility[edit]
It is possible to remove a machine from Active Directory from within Mac OS X. This assumes the machine is currently on the AD domain.
- First, you will need to open Directory Utility.
- Make sure the lock in the bottom left corner of the window is in an unlocked position.
- You will see three tabs: Services, Search Policy and Directory Editor. By default you will be under the Services tab. If not, please click Services.
- Double click on Active Directory.
- Click on the Unbind... button.
- Enter your AD username in the Username: text field
- Enter your AD password in the Password: text field
- Select OK.
Scripts for Automation[edit]
There are two scripts available below which should work as well for most Active Directory environments. If not, modify as needed.
Vaughn Miller's script[edit]
The script can be found here: https://github.com/vmiller/vmiller_scripts/blob/master/Interactive_AD_Bind/joinad.sh
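#!/bin/bash
################################################################
# Interactive script to join Macs to Active Directory
#
# Written by Vaughn Miller
# Version 1.1 December 7, 2011
#
# In this sample the FQDN is ad.company.com and the NetBIOS
# name is COMPANY. You should change these values and the OU
# values below to match your environment.
#
# Usage: joinad.sh
#   Prompts for the computer name, the target OU and the AD
#   account used for binding; dsconfigad asks for that account's
#   password itself. Must run as root; re-executes under sudo
#   when it is not.
################################################################

# -u: an unanswered prompt is an error instead of an empty string
# silently handed to dsconfigad/dscl.
set -u

# ---- site-specific values ---------------------------------------------
readonly AD_DOMAIN="ad.company.com"
# Directory node name used for the search path on 10.7.2+.
readonly AD_NODE_NETBIOS="COMPANY"
# Directory node name used for the search path on 10.7.0 and 10.7.1.
readonly AD_NODE_OLD="AD"
readonly OU_CHOICES=(
  "OU=Laptops,OU=Office Computers,DC=ad,DC=company,DC=com"
  "OU=Office Computers,DC=ad,DC=company,DC=com"
)
readonly CREATE_MOBILE_ACCOUNT="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Re-run this script under sudo when not already root.
# Arguments: $1 - path to this script (normally "$0")
# Returns:   does not return when re-executing; 0 when already root
#######################################
RunAsRoot() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf '\n*** This application must be run as root. Please authenticate below. ***\n\n'
    # exec: the privileged child's status becomes ours, and a failed or
    # declined sudo can no longer fall through into the rest of the script
    # as the unprivileged caller.
    exec sudo -- "$1"
  fi
}

#######################################
# Succeed when an "Active Directory" node is registered with the
# local directory service.
# Returns: 0 when bound, 1 otherwise
#######################################
bound_to_ad() {
  # -x: the node name must match the whole line, as the original
  # string comparison required.
  /usr/bin/dscl localhost -list . | grep -x "Active Directory" >/dev/null
}

#######################################
# Prompt until a non-empty line is entered; store it in the variable
# named by $1. Aborts the script on end-of-input.
# Arguments: $1 - name of the variable to set
#            $2 - prompt text
#######################################
ask() {
  local __var=$1 __prompt=$2 __answer=""
  while [[ -z "$__answer" ]]; do
    # -r keeps backslashes literal in whatever the user types.
    read -r -p "$__prompt" __answer || die "No input received. Exiting script..."
  done
  printf -v "$__var" '%s' "$__answer"
}

#######################################
# Show a numbered menu and store the chosen item in the variable named
# by $1. Re-prompts on an invalid number; aborts on end-of-input.
# Arguments: $1 - name of the variable to set
#            $2 - prompt printed above the menu
#            $3.. - menu items
#######################################
choose() {
  local __var=$1 __prompt=$2 __item=""
  shift 2
  printf '%s\n' "$__prompt"
  select __item in "$@"; do
    # an out-of-range number leaves __item empty: keep asking
    [[ -n "$__item" ]] && break
  done
  [[ -n "$__item" ]] || die "No selection made. Exiting script..."
  printf -v "$__var" '%s' "$__item"
}

#######################################
# Set the three macOS host names to the same value.
# Arguments: $1 - computer name
#######################################
set_host_names() {
  local name=$1
  scutil --set HostName "$name"
  scutil --set ComputerName "$name"
  scutil --set LocalHostName "$name"
}

#######################################
# Configure login options for the AD plug-in.
#######################################
configure_login_options() {
  dsconfigad -mobile enable
  dsconfigad -mobileconfirm disable
  dsconfigad -useuncpath disable
}

#######################################
# On 10.7 (Lion) put the AD node on the search path. The node name
# differs between 10.7.0/10.7.1 and 10.7.2+ (the original author noted
# the search path "shows up different depending on what update is
# installed"); other releases are left untouched, as before.
# Globals:   AD_NODE_NETBIOS, AD_NODE_OLD (read)
#######################################
configure_search_path() {
  local version major minor patch node
  version=$(sw_vers -productVersion)
  # Split on dots rather than fixed character offsets so that a
  # two-digit component (10.10.x) cannot be misread as 10.1.
  IFS=. read -r major minor patch <<<"$version"
  [[ "$major" == "10" && "$minor" == "7" ]] || return 0
  if [[ "${patch:-0}" -gt 1 ]]; then
    node=$AD_NODE_NETBIOS
  else
    node=$AD_NODE_OLD
  fi
  # The delete may report an error when the entry is not present yet;
  # the two appends below establish the final ordering either way.
  dscl /Search -delete / CSPSearchPath "/Active Directory/$node/All Domains"
  dscl /Search -append / CSPSearchPath "/Active Directory/$node"
  dscl /Search -append / CSPSearchPath "/Active Directory/$node/All Domains"
}

#######################################
# Login window options "to be more user friendly" (original comment).
# SHOWFULLNAME shows name/password fields instead of the user list;
# the NetworkAuthorization keys presumably affect the default name in
# network authentication dialogs — confirm against Apple's docs.
#######################################
configure_loginwindow() {
  defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
  # The original wrapped the next two writes in `chmod o+w` / `chmod o-w`
  # on /Library/Preferences. Root (enforced by RunAsRoot) does not need
  # that, and an abort between the two chmods would have left a system
  # preferences directory world-writable, so the chmods are gone.
  defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseDefaultName -bool NO
  defaults write "/Library/Preferences/com.apple.NetworkAuthorization" UseShortName -bool YES
}

#######################################
# Interactively create mobile accounts for AD users and optionally add
# each one to the local admin group.
# Globals:   CREATE_MOBILE_ACCOUNT (read)
#######################################
add_mobile_accounts() {
  local answer userName makeAdmin
  choose answer "Do you wish to setup mobile accounts now?" "Yes" "No"
  while [[ "$answer" == "Yes" ]]; do
    ask "Enter user name : " userName
    "$CREATE_MOBILE_ACCOUNT" -n "$userName"
    # As in the original, the home directory is the sign that the
    # account was created, not createmobileaccount's exit status.
    if [[ -d "/Users/$userName" ]]; then
      choose makeAdmin "Make user administrator ? " "Yes" "No"
      if [[ "$makeAdmin" == "Yes" ]]; then
        dscl . -append /Groups/admin GroupMembership "$userName"
      fi
    else
      printf 'warn: no home directory for %s; was the account created?\n' "$userName" >&2
    fi
    choose answer "Another user?" "Yes" "No"
  done
}

main() {
  RunAsRoot "$0"

  # If the machine is already bound, exit the script.
  if bound_to_ad; then
    die "Computer is already bound to Active Directory. Exiting script..."
  fi

  local compName ou acctName
  ask "Enter computer name : " compName
  choose ou "Select OU for computer : " "${OU_CHOICES[@]}"
  ask "Enter account name : " acctName

  # Bind the machine to AD. The password is deliberately not passed as an
  # argument: dsconfigad prompts for it, so it never shows up in the
  # process list or shell history.
  dsconfigad -add "$AD_DOMAIN" -computer "$compName" -username "$acctName" -ou "$ou"

  # If the machine is not bound to AD, there is no purpose going further.
  bound_to_ad || die "Bind to Active Directory failed! Exiting script..."

  set_host_names "$compName"
  configure_login_options
  configure_search_path
  configure_loginwindow
  add_mobile_accounts
}

main "$@"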
Nick Cobb's script[edit]
The script can be found here: https://github.com/loyaltyarm/vmiller_scripts/blob/master/ML_Interactive_AD_Join/joinAD.sh
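#!/bin/bash
####################################################
# Bind to Active Directory script
#
# written by Nick Cobb, 2012.
#
# Based on script by Vaughn Miller
# https://github.com/vmiller/vmiller_scripts/tree/master/Interactive_AD_Bind
#
# Reference man dsconfigad for additional parameters
#
# Usage: joinAD.sh
#   Prompts for the network time server, computer name, AD domain,
#   OU, binding account and administrative groups; dsconfigad asks
#   for the binding account's password itself. Must run as root;
#   re-executes under sudo when it is not. The cosmetic `sleep`
#   pauses of the original were dropped.
####################################################

# -u: an unanswered prompt is an error instead of an empty string
# silently handed to dsconfigad/dscl.
set -u

# Directory node name used in the search policy. The original used the
# placeholder "yourdomain"; it must match the node the AD plug-in
# registers under /Active Directory (after binding, see
# `dscl localhost -list "/Active Directory"`), which is not derivable
# from the FQDN entered at the prompt, so set it for your site.
readonly AD_NODE="yourdomain"
readonly CREATE_MOBILE_ACCOUNT="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Re-run this script under sudo when not already root.
# Arguments: $1 - path to this script (normally "$0")
# Returns:   does not return when re-executing; 0 when already root
#######################################
RunAsRoot() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf '\n*** This application must be run as root. Please authenticate below. ***\n\n'
    # exec: the privileged child's status becomes ours, and a failed or
    # declined sudo can no longer fall through into the rest of the script
    # as the unprivileged caller.
    exec sudo -- "$1"
  fi
}

#######################################
# Succeed when an "Active Directory" node is registered with the
# local directory service.
# Returns: 0 when bound, 1 otherwise
#######################################
bound_to_ad() {
  # -x: the node name must match the whole line, as the original
  # string comparison required.
  /usr/bin/dscl localhost -list . | grep -x "Active Directory" >/dev/null
}

#######################################
# Prompt until a non-empty line is entered; store it in the variable
# named by $1. Aborts the script on end-of-input.
# Arguments: $1 - name of the variable to set
#            $2 - prompt text
#######################################
ask() {
  local __var=$1 __prompt=$2 __answer=""
  while [[ -z "$__answer" ]]; do
    # -r keeps backslashes literal (DOMAIN\Group style input).
    read -r -p "$__prompt" __answer || die "No input received. Exiting script..."
  done
  printf -v "$__var" '%s' "$__answer"
}

#######################################
# Show a numbered menu and store the chosen item in the variable named
# by $1. Re-prompts on an invalid number; aborts on end-of-input.
# Arguments: $1 - name of the variable to set
#            $2 - prompt printed above the menu
#            $3.. - menu items
#######################################
choose() {
  local __var=$1 __prompt=$2 __item=""
  shift 2
  printf '%s\n' "$__prompt"
  select __item in "$@"; do
    # an out-of-range number leaves __item empty: keep asking
    [[ -n "$__item" ]] && break
  done
  [[ -n "$__item" ]] || die "No selection made. Exiting script..."
  printf -v "$__var" '%s' "$__item"
}

#######################################
# Enable network time and point it at a prompted server.
#######################################
configure_network_time() {
  local timeServ
  printf 'Setting Network Time...\n'
  systemsetup -setusingnetworktime on
  ask "Enter network time server address : " timeServ
  systemsetup -setnetworktimeserver "$timeServ"
}

#######################################
# Set the three macOS host names to the same value.
# Arguments: $1 - computer name
#######################################
set_host_names() {
  local name=$1
  printf 'Setting Computer Name...\n'
  scutil --set HostName "$name"
  scutil --set ComputerName "$name"
  scutil --set LocalHostName "$name"
}

#######################################
# Login options; these correspond to the User Experience tab in
# Directory Utility.
#######################################
configure_login_options() {
  printf 'Configuring Login Settings...\n'
  dsconfigad -mobile enable
  dsconfigad -mobileconfirm disable
  dsconfigad -localhome enable
  dsconfigad -useuncpath enable
  dsconfigad -protocol smb
}

#######################################
# Administrator options; these correspond to the Administrative tab in
# Directory Utility.
# Arguments: $1 - comma-separated list of domain groups
#######################################
configure_admin_options() {
  local groups=$1
  printf 'Configuring Administrative Settings...\n'
  dsconfigad -groups "$groups"
  dsconfigad -alldomains enable
}

#######################################
# Security options: require SSL for directory traffic.
#######################################
configure_security_options() {
  printf 'Configuring Security Settings...\n'
  dsconfigad -packetencrypt ssl
}

#######################################
# Put the AD node on the authentication and contacts search policies.
# Globals:   AD_NODE (read)
#######################################
configure_search_policy() {
  local entry="/Active Directory/$AD_NODE/All Domains"
  printf 'Configuring Search Policy...\n'
  dscl /Search -create / SearchPolicy CSPSearchPath
  dscl /Search -append / CSPSearchPath "$entry"
  dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
  dscl /Search/Contacts -append / CSPSearchPath "$entry"
}

#######################################
# Interactively create mobile accounts for AD users and optionally add
# each one to the local admin group.
# Globals:   CREATE_MOBILE_ACCOUNT (read)
#######################################
add_mobile_accounts() {
  local answer userName makeAdmin
  choose answer "Do you wish to setup AD user accounts now?" "Yes" "No"
  while [[ "$answer" == "Yes" ]]; do
    ask "Enter AD user account : " userName
    "$CREATE_MOBILE_ACCOUNT" -n "$userName"
    # As in the original, the home directory is the sign that the
    # account was created, not createmobileaccount's exit status.
    if [[ -d "/Users/$userName" ]]; then
      choose makeAdmin "Make user administrator ? " "Yes" "No"
      if [[ "$makeAdmin" == "Yes" ]]; then
        dscl . -append /Groups/admin GroupMembership "$userName"
      fi
    else
      printf 'warn: no home directory for %s; was the account created?\n' "$userName" >&2
    fi
    choose answer "Another user?" "Yes" "No"
  done
}

main() {
  RunAsRoot "$0"

  # If the machine is already bound, exit the script.
  if bound_to_ad; then
    die "Computer is already bound to Active Directory. Exiting script..."
  fi

  configure_network_time

  local compName domainAddy ou acctName groupName
  ask "Enter computer name : " compName
  ask "Enter AD domain : " domainAddy
  ask "Enter OU location (ie., OU=Apple,dc=your,dc=domain,dc=here,dc=com) : " ou
  ask "Enter AD admin account name : " acctName
  printf '\nBinding...this process may take a minute or two...\nPlease enter your password below...\n'
  # -force: join an existing computer account instead of failing (see
  # man dsconfigad). The password is deliberately not passed as an
  # argument: dsconfigad prompts for it, so it never shows up in the
  # process list or shell history.
  dsconfigad -force -add "$domainAddy" -computer "$compName" -username "$acctName" -ou "$ou"

  # If the machine is not bound to AD, there is no purpose going further.
  bound_to_ad || die "Bind to Active Directory failed! Exiting script..."

  set_host_names "$compName"
  configure_login_options
  ask 'Enter administrative domain groups (separate with commas, ie., DOMAIN\Domain Admins,DOMAIN\Support Group Admin) : ' groupName
  configure_admin_options "$groupName"
  configure_security_options
  configure_search_policy
  add_mobile_accounts
}

main "$@"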