Binding and Unbinding to Active Directory from Mac OS via Command Line

macs-on-active-directory.md

Binding and Unbinding to Active Directory from Mac OS via Command Line

• Open the Terminal Application
• Type in sudo -i and type in your Mac Administrator account password. sudo gives you root level or administrator level privileges.

To View current Active Directory Settings

dsconfigad -show

To Unbind a Computer from an Active Directory Domain

dsconfigad -remove -username <username> -password <password> [-localuser <localadmin> -localpassword <localpass>]

Note: <username> needs to be replaced with domain administrator who has binding/unbinding rights.

---

To Bind a Mac Laptop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> needs to be replaced with domain administrator who has binding/unbinding rights.
<domain> --> replace with domain you want to join.

dsconfigad -add <domain> -computer <computer-name> -username <username> -password <password> -ou "CN=Computers,DC=network,DC=example,DC=com" [-force] [-localuser <localadmin> -localpassword <localpass>] -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -protocol smb -groups "Domain Admins,Enterprise Admins" -alldomains enable -packetsign require -packetencrypt require

---

To Bind a Mac Desktop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> needs to be replaced with domain administrator who has binding/unbinding rights.
<domain> --> replace with domain you want to join.

dsconfigad -add <domain> -computer <computer-name> -username <username> -password <password> -ou "CN=Computers,DC=network,DC=example,DC=com" [-force] [-localuser <localadmin> -localpassword <localpass>] -localhome enable -useuncpath enable -protocol smb -groups "Domain Admins,Enterprise Admins" -alldomains enable -packetsign require -packetencrypt require

to force unbind:

sudo dsconfigad -force -remove -u johndoe -p nopasswordhere

username/password can be anything.

Why are the laptop and desktop ones different? what does "-mobile enable -mobileconfirm enable" do?

PsycoData, you can find the answers on this page. https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html
Those options allow offline logins

@RoshanGutam -- That force unbind will work on the mac but it will leave some cruft in AD -- that is why you need the credentials.

A related guide: Using advanced Active Directory options in a configuration profile

Does binding the Mac to the domain force the user to login with their AD credentials? or can they still use their local account and just bind the computer?

Will this permanently unbind the mac (say a laptop) from AD?

The username field is not properly escaped at https://gist.github.com/bzerangue/6886182#to-unbind-a-computer-from-an-active-directory-domain so its invisible in the browser.

How to debug this? Any log files? I tried with sudo odutil set log debug but on Mojave it doesn't create any log file.

sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
Will allow you to see the log as it goes. Mojave has gone to a 'unified system log' https://eclecticlight.co/2018/09/25/how-mojave-changes-the-unified-log/

Is there special syntax associated with the -u and -p for unbinding? I don't want to force unbind leaving cruft in AD. I keep getting "Invalid Credentials supplied to remove the bound server" I've tried:

For -u
ou\admin-account
ou\admin-account
admin-account

For -p
pa$$w0rd^
pa$$w0rd^

NOTE - these are random credentials but I am structuring them here to be very similar, including the $ in the password.

I believe bash is messing with my credentials...If I echo the password with the "" in front of the $ signs, it echos properly. If I echo ou\admin-account with the additional , it echoes properly.

Help please :D

Has anyone ever found a cause for "Node name wasn't found. (2000)" besides time difference or DNS?

I ran "net time" on our AD controller and it matches the time on my MacBook nearly to the second. It's using our network's DHCP for DNS settings.

I haven't been able to find any other reasons for this error when searching online. I had no problems binding it to the domain manually through System Preferences.

UPDATE:
Turned out to be a switch that wasn't working after all. When configuring MacBooks at work, we're supposed to check the box, "Prefer this domain server:", and then enter our organization's domain. I tried automating this by adding the -preferred switch followed by our domain, but apparently that breaks dsconfigad.

I don't see < username > after "dsconfigad -f -r -u".

@jszabo98 - in your macOS Terminal, run the following help command, that will show what options you have available to you.

dsconfigad -h

I'm pointing out a typo in this document. Oh it's fixed.