@bzerangue
Last active October 12, 2023 21:07
Binding and Unbinding to Active Directory from Mac OS via Command Line

  • Open the Terminal Application
  • Type in sudo -i and enter your Mac administrator account password. sudo -i opens a root (administrator-level) shell, so the dsconfigad commands below run with the privileges they need.

To View current Active Directory Settings

dsconfigad -show

To Unbind a Computer from an Active Directory Domain

dsconfigad -f -r -u <username>

Note: <username> needs to be replaced with a domain administrator account that has binding/unbinding rights. dsconfigad prompts for that account's password.


To Bind a Mac Laptop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> replace this with a domain administrator account that has binding/unbinding rights
<domain> --> replace this with the domain you want to join

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable


To Bind a Mac Desktop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> replace this with a domain administrator account that has binding/unbinding rights
<domain> --> replace this with the domain you want to join

dsconfigad -a <computer-name> -u <username> -ou "CN=Computers,DC=network,DC=pcpc,DC=org" -domain <domain> -localhome enable -useuncpath enable -groups "Domain Admins,Enterprise Admins" -alldomains enable
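An added example (not part of the gist) that wraps the desktop bind command above, lets dsconfigad prompt for the password instead of passing it with -p, and then parses dsconfigad -show to confirm the bound domain and which AD groups were granted local admin rights. The -show line labels are assumed from typical output; the sample output, OU and group values are constructed.

```sh
#!/bin/sh
# Added example (not from the gist). Binds as the gist's desktop command does
# but lets dsconfigad prompt for the password instead of passing -p, then
# parses `dsconfigad -show` to confirm the domain and which AD groups were
# granted local admin rights. The -show line labels are assumed from typical
# output; the sample text below is constructed.

# Domain the Mac is bound to, read from `dsconfigad -show` text on stdin.
# Prints nothing when the machine is not bound.
ad_bound_domain() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# AD groups that -groups made local administrators, from the same text.
ad_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p'
}

# Succeed only if -show text on stdin names domain $1 and exactly the admin
# groups $2 (compared case-insensitively, as the output lowercases them).
verify_bind() {
    show=$(cat)
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    got=$(printf '%s\n' "$show" | ad_admin_groups | tr '[:upper:]' '[:lower:]')
    [ "$(printf '%s\n' "$show" | ad_bound_domain)" = "$1" ] && [ "$got" = "$want" ]
}

# $1 computer name, $2 domain admin, $3 domain, $4 OU, $5 admin groups.
# Without -p, dsconfigad asks for the password itself, so characters such
# as $ are never interpreted by the shell and nothing lands in history.
bind_mac() {
    dsconfigad -a "$1" -u "$2" -ou "$4" -domain "$3" -localhome enable \
        -useuncpath enable -groups "$5" -alldomains enable &&
    dsconfigad -show | verify_bind "$3" "$5"
}

# Constructed sample of `dsconfigad -show` output for the offline check.
SAMPLE_SHOW='You are bound to Active Directory:
Active Directory Forest          = network.pcpc.org
Active Directory Domain          = network.pcpc.org
Computer Account                 = mac-laptop-01$

Advanced Options - Administrative
  Allowed admin groups           = domain admins,enterprise admins'

# Usage: sudo sh bind.sh bind <computer-name> <username> <domain>
if [ "${1:-}" = bind ]; then
    bind_mac "$2" "$3" "$4" "CN=Computers,DC=network,DC=pcpc,DC=org" \
        "Domain Admins,Enterprise Admins" && echo "bind verified for $4"
fi
```

If the machine is not bound (for example after a "Node name wasn't found" failure), ad_bound_domain prints nothing and verify_bind fails, so the script reports a bad bind instead of silently continuing.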

@PsychoData

Why are the laptop and desktop ones different? What does "-mobile enable -mobileconfirm enable" do?

@spuder

spuder commented Jan 2, 2015

PsychoData, you can find the answers on this page: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html
Those options allow offline logins.

@wwb

wwb commented Nov 18, 2015

@RoshanGutam -- That force unbind will work on the mac but it will leave some cruft in AD -- that is why you need the credentials.

@cybertk

cybertk commented Nov 25, 2015

@phillpafford

Does binding the Mac to the domain force the user to log in with their AD credentials? Or can they still use their local account and just bind the computer?

@cement-head

Will this permanently unbind the mac (say a laptop) from AD?

@pquerner

The username field is not properly escaped at https://gist.github.com/bzerangue/6886182#to-unbind-a-computer-from-an-active-directory-domain so it's invisible in the browser.

@heruan

heruan commented Mar 19, 2019

How to debug this? Any log files? I tried with sudo odutil set log debug but on Mojave it doesn't create any log file.

@whampt

whampt commented May 30, 2019

sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
Will allow you to see the log as it goes. Mojave has gone to a 'unified system log' https://eclecticlight.co/2018/09/25/how-mojave-changes-the-unified-log/

@kvellano

kvellano commented Aug 8, 2019

Is there special syntax associated with the -u and -p for unbinding? I don't want to force unbind leaving cruft in AD. I keep getting "Invalid Credentials supplied to remove the bound server" I've tried:

For -u
ou\admin-account
ou\admin-account
admin-account

For -p
pa$$w0rd^
pa$$w0rd^

NOTE - these are random credentials but I am structuring them here to be very similar, including the $ in the password.

I believe bash is messing with my credentials... If I echo the password with the "\" in front of the $ signs, it echoes properly. If I echo ou\admin-account with the additional \, it echoes properly.

Help please :D

@azwarners

azwarners commented Sep 10, 2020

Has anyone ever found a cause for "Node name wasn't found. (2000)" besides time difference or DNS?

I ran "net time" on our AD controller and it matches the time on my MacBook nearly to the second. It's using our network's DHCP for DNS settings.

I haven't been able to find any other reasons for this error when searching online. I had no problems binding it to the domain manually through System Preferences.

UPDATE:
Turned out to be a switch that wasn't working after all. When configuring MacBooks at work, we're supposed to check the box, "Prefer this domain server:", and then enter our organization's domain. I tried automating this by adding the -preferred switch followed by our domain, but apparently that breaks dsconfigad.
