Binding and Unbinding to Active Directory from Mac OS via Command Line


  • Open the Terminal Application
  • Type sudo -i and enter your Mac administrator account password. sudo gives you a root (administrator level) shell for the commands that follow.

To View current Active Directory Settings

dsconfigad -show

To Unbind a Computer from an Active Directory Domain

dsconfigad -f -r -u <username>

Note: <username> needs to be replaced with a domain administrator account that has binding/unbinding rights. -f forces the removal, -r removes the computer from the domain, and -u names the account used to remove the computer object from AD.


To Bind a Mac Laptop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> replace this with a domain administrator account that has binding/unbinding rights.
<domain> --> replace this with the domain you want to join.

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable


To Bind a Mac Desktop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> replace this with a domain administrator account that has binding/unbinding rights.
<domain> --> replace this with the domain you want to join.

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable
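An added example, not part of the original gist: a script that wraps the laptop bind command above, quotes every argument so the shell cannot word-split or expand the OU or a password containing "$", and checks dsconfigad -show afterwards to confirm the bind actually landed on the intended domain. It assumes it is run from the root shell described above and that dsconfigad prompts for the password when -p is omitted; DOMAIN, OU and COMPUTER are placeholders.

```shell
#!/bin/bash
# Added example, not from the gist. Binds a Mac with dsconfigad and verifies it.
# Assumptions: run as root (sudo -i); DOMAIN, OU and COMPUTER are placeholders.
set -eu

DOMAIN="corp.example.com"                        # placeholder AD domain
OU="CN=Computers,DC=corp,DC=example,DC=com"      # placeholder container
COMPUTER="LAB-MAC-01"                            # placeholder computer name

# Pull the domain out of `dsconfigad -show` output ("Active Directory Domain = x").
# Prints nothing when no such line exists, i.e. the Mac is not bound.
ad_domain_from_show() {
  printf '%s\n' "$1" | sed -n 's/^Active Directory Domain *= *//p' | head -n 1
}

# Bind with the laptop options from the gist. The AD admin password is
# deliberately NOT passed with -p: dsconfigad is assumed to prompt for it, so a
# "$" in the password is never seen by the shell and the password does not show
# up in `ps` output or shell history. Every other value is double-quoted so the
# shell cannot word-split or expand it.
bind_mac() {
  dsconfigad -a "$COMPUTER" -u "$1" -ou "$OU" -domain "$DOMAIN" \
    -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable \
    -groups "Domain Admins,Enterprise Admins" -alldomains enable
}

# Succeeds only when -show reports exactly the domain we asked to join.
verify_bound() {
  [ "$(ad_domain_from_show "$(dsconfigad -show 2>/dev/null || true)")" = "$DOMAIN" ]
}

# Constructed sample of `dsconfigad -show` output, used to exercise the parser
# without touching a real domain.
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = lab-mac-01$'

if [ "${1:-}" = "--run" ]; then
  bind_mac "${2:?usage: $0 --run <ad-admin-username>}"
  verify_bound && echo "bound to $DOMAIN" || { echo "bind check failed"; exit 1; }
fi
```

Run it as `sudo ./bind.sh --run <ad-admin-username>`; without `--run` it only defines the functions, so the parser can be tried against the sample output first.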

@roshangautam roshangautam commented Nov 16, 2014

to force unbind:

sudo dsconfigad -force -remove -u johndoe -p nopasswordhere

username/password can be anything.

@PsychoData PsychoData commented Nov 20, 2014

Why are the laptop and desktop ones different? what does "-mobile enable -mobileconfirm enable" do?

@spuder spuder commented Jan 2, 2015

PsychoData, you can find the answers on this page. https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html
Those options allow offline logins

@wwb wwb commented Nov 18, 2015

@roshangautam -- That force unbind will work on the Mac but it will leave some cruft in AD -- that is why you need the credentials.

@phillpafford phillpafford commented May 26, 2016

Does binding the Mac to the domain force the user to login with their AD credentials? or can they still use their local account and just bind the computer?

@cement-head cement-head commented Oct 9, 2017

Will this permanently unbind the mac (say a laptop) from AD?

@pquerner pquerner commented Oct 17, 2018

The username field is not properly escaped at https://gist.github.com/bzerangue/6886182#to-unbind-a-computer-from-an-active-directory-domain so its invisible in the browser.

@heruan heruan commented Mar 19, 2019

How to debug this? Any log files? I tried with sudo odutil set log debug but on Mojave it doesn't create any log file.

@whampt whampt commented May 30, 2019

sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
Will allow you to see the log as it goes. Mojave has gone to a 'unified system log' https://eclecticlight.co/2018/09/25/how-mojave-changes-the-unified-log/

@kvellano kvellano commented Aug 8, 2019

Is there special syntax associated with the -u and -p for unbinding? I don't want to force unbind leaving cruft in AD. I keep getting "Invalid Credentials supplied to remove the bound server" I've tried:

For -u
ou\admin-account
ou\\admin-account
admin-account

For -p
pa$$w0rd^
pa\$\$w0rd^

NOTE - these are random credentials but I am structuring them here to be very similar, including the $ in the password.

I believe bash is messing with my credentials... If I echo the password with the "\" in front of the $ signs, it echoes properly. If I echo ou\\admin-account with the additional \, it echoes properly.

Help please :D

@azwarners azwarners commented Sep 10, 2020

Has anyone ever found a cause for "Node name wasn't found. (2000)" besides time difference or DNS?

I ran "net time" on our AD controller and it matches the time on my MacBook nearly to the second. It's using our network's DHCP for DNS settings.

I haven't been able to find any other reasons for this error when searching online. I had no problems binding it to the domain manually through System Preferences.

UPDATE:
Turned out to be a switch that wasn't working after all. When configuring MacBooks at work, we're supposed to check the box, "Prefer this domain server:", and then enter our organization's domain. I tried automating this by adding the -preferred switch followed by our domain, but apparently that breaks dsconfigad.
