Nine41 Consulting | Bind macOS to Active Directory Using a Shell Script
Bind macOS to Active Directory Using a Shell Script

In the first part of January, I released a post discussing how you could bind a Mac to Active Directory using configuration profiles. In my opinion, using a configuration profile to bind a Mac machine is the preferred method, but it is not the only way.

Apple ships a utility called dsconfigad, built into the OS itself, that can be driven from a shell script. Essentially, dsconfigad lets you configure the Active Directory connector from the command line, exactly as you would when configuring Active Directory manually in the Directory Utility application.

If you run ‘man dsconfigad’ inside of Terminal, you’ll see all of the available options, along with details of which are required and which are optional.

In my example script, I used just four of the available flags.

-add

Example: -add fully.qualified.domain.name
 The fully-qualified DNS name of the Domain to be used when
 adding the computer to the Directory (e.g., domain.ads.example.com).

-username

Example: -username administrator
 Username of a Network account that has administrative privileges
 to add/remove this computer to/from the specified Domain

-password

Example: -password mySecretPassword
 Password to use in conjunction with the specified username. If
 this is not specified, you will be prompted for entry. Note
 that using this option has a security risk due to a small window
 where the password could be captured from running process list.
 Consider using the prompting mechanism to ensure passwords are
 not exposed unexpectedly.

-computer

Example: -computer computerid
 The "computerid" to add to the specified Domain

Below is my full script including the shebang and variables.

Full Script

#!/bin/sh

# domainBind.sh
# Created by Bennett Norton on 11/14/16.
# This script will bind a Mac to the specified Active Directory domain

# Script Variables
adDomain=mydomain.com
adminUser=administrator
adminPassword=adminPassword
computerID=$( scutil --get ComputerName )

# Do the domain binding
dsconfigad -add "${adDomain}" -username "${adminUser}" -password "${adminPassword}" \
-computer "${computerID}"

As can be seen, the script to bind a Mac to a domain can be fairly straightforward. I’ve added a couple of variables to make it easy for you to copy my script and use it directly, or you can just download it from GitHub. Just swap the variable values for your specific domain, username and password. You can leave the computerID variable set to the scutil call that reads the ComputerName from the machine itself, or you can insert your own value. That part is up to you.

If any of you are wondering whether I really am putting a username and password in clear text within this script, and thinking I am crazy, then know your curiosity is well founded. This is the exact reason I prefer to use a configuration profile as opposed to a script. However, it is not too hard to set up a unique account that can bind a machine but that has no other privileges…just in case this account is somehow compromised.

In addition, while I don’t include this step in my example script above, you may choose to delete the script file that was copied down to the machine as the last command in the script. That way it’s not just sitting around on a machine waiting for some wandering eyes to discover it.

Just make sure that when you’re all done with your script, you give it the execute permissions it needs:

chmod +x /path/to/your/script.sh
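Putting the two mitigations above together (a dedicated bind-only account and removing the script after it runs), here is a hardened variant of the bind script. It is an added example, not the author's domainBind.sh and not a Nine41 script. It assumes the deployment tool can hand the domain, bind account and password to the run as the environment variables AD_DOMAIN, AD_BIND_USER and AD_BIND_PASSWORD (names chosen for this example), so nothing sensitive is written into the file itself; it checks `dsconfigad -show` before binding so an already-bound Mac is left alone, verifies the result afterwards, clears the password variable and deletes itself. The `dsconfigad -show` sample embedded for the parser is constructed, modelled on the "Active Directory Domain = ..." line the real command prints.

```shell
#!/bin/sh
# domainBind-hardened.sh (added example; not the original post's script)
# Assumptions: macOS with dsconfigad and scutil on the PATH; the deployment
# tool supplies AD_DOMAIN, AD_BIND_USER and AD_BIND_PASSWORD as environment
# variables for this run, so no credential is stored in this file.
set -eu

# Constructed sample of `dsconfigad -show` output for a bound Mac, used to
# exercise the parser below; a Mac that is not bound prints no such lines.
SAMPLE_SHOW_OUTPUT='Active Directory Forest          = mydomain.com
Active Directory Domain          = mydomain.com
Computer Account                 = mac-lab-01$'

# Pull the bound domain out of `dsconfigad -show` text. Prints the domain and
# returns 0 when the "Active Directory Domain" line is present, otherwise
# prints nothing and returns 1 (not bound).
parse_bound_domain() {
    printf '%s\n' "$1" | awk -F' *= *' '
        /^Active Directory Domain/ { print $2; found = 1 }
        END { exit !found }'
}

# Exit 0 when a bind is required: unbound, or bound to a different domain.
needs_bind() {
    target="$1"
    current=$(parse_bound_domain "$2" || true)
    [ "$current" != "$target" ]
}

# Run the bind. dsconfigad takes the password either as an argument or from an
# interactive prompt, so unattended runs must use the argument form; the value
# comes from the environment and is cleared as soon as the bind has been issued.
bind_to_domain() {
    dsconfigad -add "$1" -username "$2" -password "$3" -computer "$4"
}

main() {
    adDomain="$AD_DOMAIN"
    adminUser="$AD_BIND_USER"
    adminPassword="$AD_BIND_PASSWORD"
    computerID=$(scutil --get ComputerName)

    if needs_bind "$adDomain" "$(dsconfigad -show 2>/dev/null || true)"; then
        bind_to_domain "$adDomain" "$adminUser" "$adminPassword" "$computerID"
    else
        echo "Already bound to $adDomain; nothing to do"
    fi
    unset adminPassword AD_BIND_PASSWORD

    # Verify the result rather than trusting the exit status alone.
    bound=$(parse_bound_domain "$(dsconfigad -show)") || bound=""
    if [ "$bound" != "$adDomain" ]; then
        echo "Bind verification failed (reported domain: '${bound}')" >&2
        exit 1
    fi

    # Remove this script so no copy lingers on the machine afterwards.
    rm -f -- "$0"
}

# Run only when the deployment tool has supplied all three parameters;
# otherwise the file merely defines the functions above.
if [ -n "${AD_DOMAIN:-}" ] && [ -n "${AD_BIND_USER:-}" ] && [ -n "${AD_BIND_PASSWORD:-}" ]; then
    main
fi
```

This removes the credential from the script on disk and from any copy left behind, but it does not close the short process-list window the man page describes: `-password` is still passed as an argument, which is the trade-off of an unattended bind. Using a bind-only account, as the post suggests, keeps what that window can expose to a minimum.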

Create Your Package for LANDESK Management Suite

  1. Open the LANDESK Console.
  2. Navigate to the top menu bar and select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree of the Distribution Packages window, highlight My Packages or Public Packages.
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package > Macintosh Agent.
  5. Give the package a name, something like Domain Bind Script.
  6. Provide a description if desired.
  7. Set the primary file to the .sh file you previously created.
  8. Fill out the Metadata details if desired.
  9. Save the package.

Deploy Your Package

  1. Right click on the Domain Bind package you created and select Create Scheduled Task.
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task.
  3. Now right click on the task and select Properties.
  4. Under Task Settings, set the desired task type: a push, a policy, or a hybrid of the two in a policy-supported push.
  5. If you want the end user to be able to initiate the domain bind action, set the radio button in the Portal Settings to either Recommended or Optional; otherwise set it to Required and it will apply automatically the next time the client is scheduled to run policies.
  6. Change the Reboot Settings or Distribution and Patch settings if desired.
  7. Set the scheduled task settings with the appropriate start time.