Binding OSX to Active Directory

Managing user accounts is a lot easier when they are centralized. Mac OS X supports NIS, LDAP and Active Directory; I use the last one. Because I hate doing repetitive jobs, I searched some time ago for a script that I can run when a new Mac comes in and needs to be set up. The script below is slightly modified to fit my needs. Feel free to adapt it to yours.

First we need to set the hostname. OS X keeps the name in several places (ComputerName, HostName, LocalHostName and the SMB NetBIOSName), so to be sure it is set consistently we set all of them. For Active Directory it is important that every bound computer has a unique name, and the NetBIOS name that becomes the computer account is limited to 15 characters. I use our asset id, but a unique name can also be generated from the MAC address or serial number.

HOSTNAME="KM-001" # unique per machine, 15 characters or fewer (NetBIOS limit)

scutil --set ComputerName "$HOSTNAME"
scutil --set HostName "$HOSTNAME"
scutil --set LocalHostName "$HOSTNAME"
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName -string "$HOSTNAME"
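The script uses a fixed asset id. As an added example (not part of the original post), the shell function below derives the name from a serial number or a MAC address instead and keeps it within the 15-character NetBIOS limit. The function names, the KM prefix, the en0 interface and the sample identifiers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build an AD-safe computer name.
# Rules applied: at most 15 characters (NetBIOS limit), only letters, digits
# and hyphens, upper-cased, and the identifier is truncated from the left so
# that the most distinctive characters (the end of a serial number or MAC
# address) are the ones that survive.

# ad_hostname PREFIX IDENTIFIER  ->  prints PREFIX-<tail of IDENTIFIER>
ad_hostname() {
    prefix=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | tr 'a-z' 'A-Z')
    ident=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9' | tr 'a-z' 'A-Z')
    if [ -z "$ident" ]; then
        echo "ad_hostname: empty identifier" >&2
        return 1
    fi
    # characters left for the identifier after PREFIX and the hyphen
    budget=$((15 - ${#prefix} - 1))
    if [ "$budget" -lt 4 ]; then
        echo "ad_hostname: prefix '$prefix' leaves fewer than 4 characters" >&2
        return 1
    fi
    tail_part=$(printf '%s' "$ident" | tail -c "$budget")
    printf '%s-%s\n' "$prefix" "$tail_part"
}

# macOS-only helpers (assumed; they do not run elsewhere): the hardware serial
# number from the I/O registry, and the MAC address of en0.
mac_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }'
}
mac_en0_address() {
    ifconfig en0 | awk '/ether/ { print $2 }'
}

# Typical use on the Mac being enrolled:
#   HOSTNAME=$(ad_hostname KM "$(mac_serial)")
# Constructed inputs, e.g. ad_hostname KM C02ABCDEF123 -> KM-C02ABCDEF123
```

The budget check refuses a prefix that would leave fewer than four characters of the identifier, because at that point two machines with similar serials collide on the name.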

Because this is written as a script and not as a bunch of commands, a few settings are defined up front. Note that the join credentials sit in the script in clear text and are passed to dsconfigad on its command line, where any local process can read them from the process list. Use a dedicated account that is only delegated the right to create and join computer objects in the target OU rather than a domain admin, and keep the script itself out of reach of ordinary users.

# Standard parameters

domain="domain.local" # fully qualified DNS name of the Active Directory domain
udn="deploy" # username of a network account allowed to join computers to the domain
password="useS0m3thingStr0ng" # password of that account
ou="ou=computers,DC=domain,DC=local" # distinguished name of the container for the computer object (e.g. ou=computers,DC=domain,DC=com)

# Advanced options
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable" # 'enable' or 'disable' force home directory to local drive
protocol="afp" # 'afp' or 'smb' change how home is mounted from server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or 'none'
preferred="-preferred domain.local" # Use the specified server for all Directory lookups and authentication;
# -preferred expects a domain controller name (e.g. '-nopreferred' or '-preferred ad.server.edu')
admingroups="Domain Admins" # These comma-separated AD groups may administer the machine (e.g. '' or 'APPLE\mac admins')

# End of configuration

Now we’re ready to bind our Mac to Active Directory

# Activate the AD plugin

defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

sleep 5 # give the AD plugin a few seconds to start before binding

# Bind to AD

dsconfigad -f -a "$HOSTNAME" -domain "$domain" -ou "$ou" -u "$udn" -p "$password"

# Configure advanced AD plugin options (stdout is silenced, errors stay visible)

if [ "$admingroups" = "" ]; then
  dsconfigad -nogroups > /dev/null
else
  dsconfigad -groups "$admingroups" > /dev/null
fi

dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath -shell $user_shell $preferred > /dev/null

# Add the AD node to the search path
dscl /Search -create / SearchPolicy CSPSearchPath
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"

# 0 disables the periodic rotation of the computer account password (the default is every 14 days)
dsconfigad -passinterval 0 > /dev/null
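The script does not check whether the bind actually succeeded, so a failure only shows up when the first domain user cannot log in. As an added example (not part of the original post), the functions below run a preflight check and then confirm the bind by parsing the output of dsconfigad -show. The function names are chosen for this example; it assumes dig is available, that the domain controllers publish the standard _ldap._tcp.dc._msdcs SRV record, and that dsconfigad -show begins with "You are bound to Active Directory:" and contains an "Active Directory Domain = name" line. The sample output in the comments is constructed to that format.

```shell
#!/bin/sh
# Added example, not from the original post: preflight and post-bind checks
# for the dsconfigad procedure above. Assumptions: dig is installed, the DCs
# publish _ldap._tcp.dc._msdcs.<domain> SRV records, and `dsconfigad -show`
# starts with "You are bound to Active Directory:" followed by lines such as
#   Active Directory Domain          = domain.local

# ad_preflight DOMAIN: binding cannot work unless a DC is resolvable.
ad_preflight() {
    srv=$(dig +short SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null)
    if [ -z "$srv" ]; then
        echo "ad_preflight: no domain controller SRV records for $1" >&2
        return 1
    fi
    printf '%s\n' "$srv"
}

# ad_bound_to DOMAIN TEXT: succeed only if TEXT (the output of
# `dsconfigad -show`) reports a bind to DOMAIN. The text is a parameter so
# the parser can be exercised on constructed output without a Mac.
ad_bound_to() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$2" in
        "You are bound to Active Directory:"*) ;;
        *) echo "ad_bound_to: not bound to Active Directory" >&2; return 1 ;;
    esac
    have=$(printf '%s\n' "$2" \
        | awk -F'= *' '/Active Directory Domain/ { sub(/[ \t]+$/, "", $2); print tolower($2); exit }')
    if [ "$have" != "$want" ]; then
        echo "ad_bound_to: bound to '$have', expected '$want'" >&2
        return 1
    fi
}

# ad_verify_bind DOMAIN USER: bind state plus a real directory lookup, which
# exercises the search path and the computer account, not just the plist.
ad_verify_bind() {
    ad_bound_to "$1" "$(dsconfigad -show 2>&1)" || return 1
    # a bound Mac resolves domain users; id fails if the search path is wrong
    if ! id "$2" >/dev/null 2>&1; then
        echo "ad_verify_bind: cannot resolve domain user $2" >&2
        return 1
    fi
    echo "bound to $1 and resolving $2"
}

# Sequence on the Mac, with domain, ou, udn and password as defined above:
#   ad_preflight "$domain" &&
#   dsconfigad -f -a "$HOSTNAME" -domain "$domain" -ou "$ou" -u "$udn" -p "$password" &&
#   ad_verify_bind "$domain" "$udn"
```

Comparing the domain case-insensitively matters because dsconfigad reports the name as AD returns it, which need not match the case typed into the script.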

Modifying directory service settings

What to do when your Macs are already bound to an Active Directory server and their settings need modification? This can be done through the following command; it reuses the variables from above.

dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath -shell $user_shell $preferred > /dev/null

Tired of Active Directory?

It’s even easier to remove the link between OS X and Active Directory. Execute the following command and you’re relieved. The account needs the right to delete the computer object; if the domain controllers are no longer reachable, add -force to drop the binding locally anyway, and clean up the stale computer object in AD by hand.

dsconfigad -r -u "$udn" -p "$password"