Binding and Unbinding to Active Directory from Mac OS via Command Line

  • Open the Terminal Application
  • Type sudo -i and enter your Mac administrator account password. sudo gives you root-level (administrator-level) privileges.

To View current Active Directory Settings

dsconfigad -show

To Unbind a Computer from an Active Directory Domain

dsconfigad -f -r -u <username>

Note: <username> needs to be replaced with a domain administrator who has binding/unbinding rights.


To Bind a Mac Laptop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory.
<username> --> replace with a domain administrator who has binding/unbinding rights.
<domain> --> replace with the domain you want to join.

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable


To Bind a Mac Desktop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory.
<username> --> replace with a domain administrator who has binding/unbinding rights.
<domain> --> replace with the domain you want to join.

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable

@roshangautam

commented Nov 16, 2014

to force unbind:

sudo dsconfigad -force -remove -u johndoe -p nopasswordhere

username/password can be anything.

@PsychoData

commented Nov 20, 2014

Why are the laptop and desktop ones different? What does "-mobile enable -mobileconfirm enable" do?

@spuder

commented Jan 2, 2015

PsychoData, you can find the answers on this page: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html
Those options allow offline logins.

@wwb

commented Nov 18, 2015

@roshangautam -- That force unbind will work on the Mac but it will leave some cruft in AD -- that is why you need the credentials.

@phillpafford

commented May 26, 2016

Does binding the Mac to the domain force the user to log in with their AD credentials? Or can they still use their local account and just bind the computer?

@cement-head

commented Oct 9, 2017

Will this permanently unbind the Mac (say a laptop) from AD?

@pquerner

commented Oct 17, 2018

The username field is not properly escaped at https://gist.github.com/bzerangue/6886182#to-unbind-a-computer-from-an-active-directory-domain so it's invisible in the browser.

@heruan

commented Mar 19, 2019

How to debug this? Any log files? I tried with sudo odutil set log debug but on Mojave it doesn't create any log file.

@whampt

commented May 30, 2019

sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
Will allow you to see the log as it goes. Mojave has gone to a 'unified system log' https://eclecticlight.co/2018/09/25/how-mojave-changes-the-unified-log/

@kvellano

commented Aug 8, 2019

Is there special syntax associated with the -u and -p for unbinding? I don't want to force unbind leaving cruft in AD. I keep getting "Invalid Credentials supplied to remove the bound server". I've tried:

For -u
ou\admin-account
ou\admin-account
admin-account

For -p
pa$$w0rd^
pa$$w0rd^

NOTE - these are random credentials but I am structuring them here to be very similar, including the $ in the password.

I believe bash is messing with my credentials... If I echo the password with the "\" in front of the $ signs, it echoes properly. If I echo ou\admin-account with the additional \, it echoes properly.

Help please :D
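
The quoting problem raised in the comment above, as an added example that is not part of the gist or the thread: it shows what a program receives for the sample values pa$$w0rd^ and ou\admin-account under each quoting style. The function names are hypothetical, and the script only prints arguments; it never runs dsconfigad.

```shell
#!/bin/sh
# Added example; credentials are the constructed samples from the comment above.

# Print an argument byte-for-byte, the way the called program receives it.
# printf '%s' is used because some echo implementations interpret backslashes.
as_received() { printf '%s' "$1"; }

# Double quotes: the shell replaces $$ with its own PID before dsconfigad runs.
dq_password() { as_received "pa$$w0rd^"; }

# Single quotes: no expansion at all, the simplest form for literal values.
sq_password() { as_received 'pa$$w0rd^'; }

# Backslash-escaping each $ inside double quotes also yields the literal text.
esc_password() { as_received "pa\$\$w0rd^"; }

# An unquoted backslash is consumed: the program sees "ouadmin-account".
bare_user() { as_received ou\admin-account; }

# Inside single quotes the backslash before "a" is preserved.
sq_user() { as_received 'ou\admin-account'; }

# Read a value from stdin without shell interpretation: -r keeps backslashes,
# IFS= keeps leading/trailing blanks. The value never appears in shell history.
read_raw() { IFS= read -r value && printf '%s' "$value"; }

# Show the argument vector an unbind would receive, one argument per line.
# Dry run only: this prints the arguments and never executes dsconfigad.
show_unbind_argv() {
    for arg in dsconfigad -remove -u "$1" -p "$2"; do
        printf '[%s]\n' "$arg"
    done
}

# Demo: values held in variables are not re-expanded when passed as "$var".
user='ou\admin-account'
pass='pa$$w0rd^'
show_unbind_argv "$user" "$pass"
```

The gist's own commands omit -p, which also keeps the password out of shell history and the process list.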
