Bind to AD using Apple Remote Desktop
Need to bind a handful of Macs to Active Directory remotely? There are a couple of scripts online already, including one from MacEnterprise and one from Bombich. But I’ve never been able to get those to work when running them through ARD. Either the AD plugin wasn’t activated, or AD wasn’t added to the authentication path, etc. There are a lot of steps that have to occur to bind, and sometimes timing is everything; at first I tried adding sleep commands all over the place, but that didn’t consistently work either.
So here is the script that is working consistently for us. It is basically Bombich’s script, slightly modified. His is intended to be used as a login hook and works well for that purpose, but I needed to make some changes to get it to work over ARD.
There may be some options in there that I removed, so compare it to Bombich’s script for any options I may have omitted for my use.
You can download it from here or copy & paste from below:
#!/bin/sh
############################ AD_Bind_ARD ###########################
# Patrick Gallagher | patgmac@gmail.com
# http://macadmincorner.com
# This is a script that will bind a Mac to AD from ARD.
# Modified from Mike Bombich's ad-bind-login-tiger.sh script
# which can be found at http://www.bombich.com/mactips/scripts.html
# Needs to be modified for your environment
####################################################################

computerid=`/usr/sbin/scutil --get LocalHostName`

# Standard parameters
domain="domain.school.edu"                    # fully qualified DNS name of Active Directory Domain
udn="username"                                # username of a privileged network user
password="password"                           # password of a privileged network user
ou="CN=Computers,DC=domain,DC=school,DC=edu"  # Distinguished name of container for the computer

# Advanced options
alldomains="enable"       # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable"        # 'enable' or 'disable' force home directory to local drive
protocol="smb"            # 'afp' or 'smb' change how home is mounted from server
mobile="enable"           # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable"   # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable"      # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"    # e.g., /bin/bash or "none"
preferred="-nopreferred"  # Use the specified server for all Directory lookups and authentication
                          # (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="YOURDOMAIN\domain admins"  # These comma-separated AD groups may administer the machine
                                        # (e.g. "" or "APPLE\mac admins")

# Login hook setting -- specify the path to a login hook that you want to run instead of this script

### End of configuration

# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5

# Bind to AD
dsconfigad -f -a $computerid -domain $domain -u $udn -p "$password" -ou "$ou"

# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred

# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService

# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi
#dscl /Search -create / SearchPolicy CSPSearchPath
#dscl /Search -append / CSPSearchPath "$csp"
#dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
#dscl /Search/Contacts -append / CSPSearchPath "$csp"

# This works in a pinch if the above code does not
# ($csp is the node chosen above; Search Policy 3 = custom search path)
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
Hey Patrick
Thanks for the very helpful script. But could you tell me the steps on how exactly I would run this through ARD? I tried running this through ARD and it gives me error “Unable to obtain rights to change Directory Services”.
Thanks.
You need to run as root in the “Send unix command” window.
OK, thanks, that seemed to have worked. Got a couple more:
Would you mind telling me what needs to be added to this script so that I could randomly rename the computers and force logouts after the binding.
I see that you mentioned about loginhooks. Are loginhooks for running scripts also copied to multiple computers through ARD? What other ways are there to run scripts for a bunch of computers over the network?
You want to make sure each machine has a unique name before binding so you don’t end up with duplicate computer records in AD. It’s usually safe to use the MAC address of the NIC as whole or part of the name. Something like:
nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
uniqueName="Mac-$nicAddress"
Just make sure whatever you do comes out to 16 characters or less because of the NetBIOS limit in Windows.
This script was based on Bombich’s script, which was used as a login hook; the details of that are at http://www.bombich.com/mactips/scripts.html and http://www.bombich.com/mactips/loginhooks.html. The idea was that you would make it a loginhook on a new image, then the loginhook would delete itself after binding. If you are binding existing machines, you don’t want to use a loginhook.
ARD is probably the best way to run scripts over a bunch of machines, but other options would be other DMS like LANDesk, LANRev or Casper. But even though I use LANDesk, I would still use ARD for this because I want to be able to see if something went wrong at a glance like ARD shows. LANDesk would just report a success (exit 0) or failure (any exit code non-zero).
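As an added example (not from the post or the script above), here is a shell snippet that derives the computer name from the MAC address as suggested in the reply above and refuses to bind unless the result is NetBIOS-safe: Windows limits the computer name to 15 characters (the 16th NetBIOS byte is the suffix) and a raw MAC string contains colons. The MAC value is a constructed sample, and the dsconfigad call is shown only as a comment.

```shell
#!/bin/sh
# Added example (not from the original post): build a NetBIOS-safe computer
# name from a MAC address before binding. On a real client the MAC would come
# from:  ifconfig en0 | awk '/ether/ {print $2}'

# make_bind_name PREFIX MAC -> prints PREFIX followed by the 12 MAC hex digits
# (upper-case, colons removed), e.g. "M" + 00:1c:42:ab:cd:ef -> M001C42ABCDEF
make_bind_name() {
    prefix="$1"
    hex=$(printf '%s' "$2" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    printf '%s%s\n' "$prefix" "$hex"
}

# check_bind_name NAME -> returns 0 if NAME is usable as an AD computer name:
# 1..15 characters, only letters, digits and hyphens
check_bind_name() {
    name="$1"
    len=${#name}
    [ "$len" -ge 1 ] && [ "$len" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

sample_mac="00:1c:42:ab:cd:ef"       # constructed sample value
name=$(make_bind_name "M" "$sample_mac")
if check_bind_name "$name"; then
    echo "would bind as: $name"      # M001C42ABCDEF (13 characters)
    # On the real client the bind script would then set the name and bind:
    #   scutil --set LocalHostName "$name"; scutil --set ComputerName "$name"
    #   dsconfigad -f -a "$name" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"
else
    echo "refusing to bind: '$name' is not a valid NetBIOS computer name" >&2
fi
```

Because the bind script carries the account password in cleartext to every machine it is pushed to, use an account that has only been delegated the right to create and manage computer objects in the target OU, not a domain admin.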
Few words... well put, Patrick! That means a lot and clears up so many things for me, being new to Macs (this is our first year with Macs).
And yes, unfortunately this whole deal struck me only after all the 500+ machines were imaged, and it would be a real pain to re-image all of them again!
I have heard about the LANDesk option elsewhere but I will definitely look into the LANRev & Casper options. And please do care to comment in future if you come across similar better/new tools. Anything that eases the management/setup of machines/policies in a mixed platform.
Hey Patrick
got one more for you today. I was trying out the script again and was trying to get the OD server entry also to show up in Search Policies (below the AD entry) in Directory Utility “Authentication” tab and added this to the script
#dscl /Search -append / CSPSearchPath "/LDAPv3/127.0.0.1"
and also:
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/127.0.0.1"
Now I am not sure but would these entries not work?
/LDAPv3/127.0.0.1 is only a valid address “from” your OD servers. You need to specify it as /LDAPv3/servername.domain.com
Yes, sorry, /LDAPv3/myodserver.com is what I used. I just typed in the wrong thing here. I just needed to confirm that it was the right code to add in the script for getting the LDAP entry in the search policy. It wasn’t working for some reason... Any other lines that I need to add for binding the clients to OD successfully, along with binding to AD? Thanks.
Here’s what I use:
dsconfigldap -v -a server.school.edu -n server.school.edu
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath /LDAPv3/server.school.edu
killall DirectoryService
Alright, I will try that out. Thanks.
OOC, why the last plutil line to convert the prefs file back to XML? I thought OS X was agnostic as to binary vs XML property lists, and that defaults would honor their current state. Does binding involve an exception to the rule?
@Joshua. This script originated from the 10.3 or 10.4 days, when it was necessary. And as I mentioned, this script is based on Mike Bombich’s script from years ago. If the plutil command never stopped working, I never bothered changing it. Perhaps the plutil command is still needed in 10.4? If so, I would leave it as is unless all your machines are > 10.5.