Managing user accounts is a lot easier when they are centralized. Mac OS X supports NIS, LDAP and Active Directory; I use the last one. Because I hate doing repetitive jobs, I searched some time ago for a script that I can run when a new Mac comes in and needs to be set up. The script below is slightly modified to fit my needs. Feel free to adapt it to yours.
First we need to set the hostname. This can be done in multiple ways in OS X, so to make sure it is set consistently we set it in all of them. For Active Directory it is important that every bound computer has a unique name: the name becomes the computer account in the domain, and a duplicate would collide with (or, with a forced join, take over) another machine's account. I use our asset ID, but a unique name can also be generated from the MAC address or the serial number. Keep it to 15 characters of letters, digits and hyphens, because the same name is used as the NetBIOS name, and NetBIOS names cannot be longer than that.
HOSTNAME="KM-001"
scutil --set ComputerName "$HOSTNAME"
scutil --set HostName "$HOSTNAME"
scutil --set LocalHostName "$HOSTNAME"
defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName -string "$HOSTNAME"
Because this is written as a script and not as a bunch of commands, some settings need to be defined up front.
# Standard parameters
domain="domain.local" # fully qualified DNS name of the Active Directory domain
udn="deploy" # username of a privileged network user (only needs the right to join computers to $ou)
password="useS0m3thingStr0ng" # password of that user; do not leave a real one in a script that gets copied around, read it from a prompt or a root-only file instead
ou="ou=computers,DC=domain,DC=local" # distinguished name of the container for the computer account, e.g. ou=computers,DC=domain,DC=com

# Advanced options
alldomains="disable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable" # 'enable' or 'disable' forcing the home directory to the local drive
protocol="afp" # 'afp' or 'smb': how the network home is mounted from the server
mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warning the user that a mobile account will be created
useuncpath="disable" # 'enable' or 'disable' using the AD SMBHome attribute to determine the home directory
user_shell="/bin/bash" # e.g. /bin/bash or 'none'
preferred="-preferred domain.local" # use the specified server for all directory lookups and authentication (e.g. '-nopreferred' or '-preferred ad.server.edu'); left unquoted below on purpose because it holds two words
admingroups="Domain Admins" # comma-separated AD groups whose members may administer the machine (e.g. '' or 'APPLE\mac admins'); every member of these groups becomes a local admin on every Mac you bind
# End of configuration
Now we're ready to bind our Mac to Active Directory.
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5 # wait 5 seconds: the AD plugin is slow and needs some time to wake up

# Bind to AD, creating the computer account in $ou.
# -f forces the join even when a computer account with this name already exists, which is why $HOSTNAME must really be unique.
# -p puts the password on the command line, where it is briefly visible to `ps`; keep the script root-only.
dsconfigad -f -a "$HOSTNAME" -domain "$domain" -ou "$ou" -u "$udn" -p "$password"

# Configure advanced AD plugin options.
# '> /dev/null 2>&1' silences both streams; the other order ('2>&1 > /dev/null') only silences stdout and leaves stderr on the terminal.
# Drop the redirection while debugging so you can see why a step failed.
if [ "$admingroups" = "" ]; then
dsconfigad -nogroups > /dev/null 2>&1
else
dsconfigad -groups "$admingroups" > /dev/null 2>&1
fi
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" -shell "$user_shell" $preferred > /dev/null 2>&1

# Add the search path so logins are resolved against all domains in the forest
dscl /Search -create / SearchPolicy CSPSearchPath
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"

# 0 disables the periodic rotation of the computer account's password (the default is every 14 days).
# That is convenient for imaging, but it leaves the machine's trust account with a password that never changes; use a value in days if you can live with rotation.
dsconfigad -passinterval 0 > /dev/null 2>&1
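Putting the steps together, here is an added example of the same procedure written the way I would want it in a deployment script; it is not the post's original script. It derives the computer name from the machine's serial number instead of a hard-coded asset ID, checks that the result is a legal 15-character NetBIOS name before touching anything, and reads the bind password from the AD_BIND_PASSWORD environment variable or a hidden prompt rather than from a literal in the file. The prefix "KM-", the environment variable name and the use of the serial number are my assumptions; the domain, user, OU and dsconfigad options are the ones used above.

```sh
#!/bin/sh
# Added example, not the post's own script: build a valid AD computer name,
# keep the bind password out of the script, and bind with the same
# dsconfigad options as above. Assumptions (mine): name prefix "KM-", the
# serial number as the unique part, and the password supplied in the
# AD_BIND_PASSWORD environment variable or typed at a prompt.
set -u

# AD computer names are NetBIOS names: 1-15 characters, letters, digits and
# hyphens only, and they must not start or end with a hyphen.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# make_hostname PREFIX SERIAL: upper-case both, drop disallowed characters and
# keep the tail of the serial (its most variable part) so the whole name fits
# in 15 characters. Prints the name, or fails if no valid name results.
make_hostname() {
    prefix=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | tr '[:lower:]' '[:upper:]')
    serial=$(printf '%s' "$2" | tr -cd 'A-Za-z0-9' | tr '[:lower:]' '[:upper:]')
    room=$((15 - ${#prefix}))
    [ "$room" -gt 0 ] || return 1
    tail_part=$(printf '%s\n' "$serial" |
        awk -v n="$room" '{ s = $0; if (length(s) > n) s = substr(s, length(s) - n + 1); print s }')
    name="$prefix$tail_part"
    valid_hostname "$name" || return 1
    printf '%s\n' "$name"
}

# Read the bind password from the environment or from a hidden prompt, never
# from a literal in the script (which ends up in backups, repos and history).
get_password() {
    if [ -n "${AD_BIND_PASSWORD-}" ]; then
        printf '%s\n' "$AD_BIND_PASSWORD"
        return 0
    fi
    printf 'AD bind password for %s: ' "$1" >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    printf '%s\n' "$pw"
}

# bind_mac DOMAIN USER OU NAME: set every hostname field, then bind.
# dsconfigad -f joins an existing computer account of the same name, so a
# duplicate NAME would silently take over another machine's trust account;
# the validity check at least rules out names AD would mangle.
bind_mac() {
    domain="$1"; udn="$2"; ou="$3"; name="$4"
    valid_hostname "$name" || { echo "invalid computer name: $name" >&2; return 1; }
    password=$(get_password "$udn") || return 1
    for field in ComputerName HostName LocalHostName; do
        scutil --set "$field" "$name"
    done
    defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server \
        NetBIOSName -string "$name"
    # -p exposes the password to `ps` on this machine while dsconfigad runs.
    dsconfigad -f -a "$name" -domain "$domain" -ou "$ou" -u "$udn" -p "$password" || return 1
    # Same plugin options as the post; stderr is left visible so failures show.
    dsconfigad -groups "Domain Admins" -alldomains disable -localhome enable \
        -mobile enable -mobileconfirm disable -useuncpath disable -shell /bin/bash >/dev/null
    dsconfigad -show
}

# Only bind when explicitly asked, and only on a Mac that has dsconfigad, so
# the functions above can be sourced and tested on their own.
if [ "${1-}" = "bind" ] && command -v dsconfigad >/dev/null 2>&1; then
    serial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ { print $4 }')
    bind_mac "domain.local" "deploy" "ou=computers,DC=domain,DC=local" "$(make_hostname "KM-" "$serial")"
fi
```

Run it as root with `AD_BIND_PASSWORD=... sh bind.sh bind` from your deployment tool, or without the variable to be prompted. The `dsconfigad -show` at the end prints the resulting binding, which is the check I want in the deployment log: the computer account name, the domain and whether mobile accounts are on.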
Modifying directory service settings
What to do when your Macs are already bound to an Active Directory server and their settings need to change? This can be done through the following command, which reuses the variables from above (it needs no credentials, since the binding itself is left alone).
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" -shell "$user_shell" $preferred > /dev/null 2>&1
Tired of Active Directory?
It's even easier to remove the link between OS X and Active Directory. Execute the following command with the same privileged user and the Mac is unbound from the domain. If the domain controller can no longer be reached, add -f to force the unbind on the local side.
dsconfigad -r -u "$udn" -p "$password"