Bind to Active Directory Applescript

by Patrick Gallagher on July 28, 2007

There are several methods out there to automate binding to Active Directory including over Apple Remote Desktop, after a machine has been imaged using a login hook and a number of other methods.

We are just starting to move our Macs to AD. Most of the machines are already imaged and will need to be put on the domain one by one by various members of my team. ARD is not always an option (not everyone on my team uses it). So login hooks and ARD are not always the best option for us.

So I created an AppleScript that binds a machine to AD with consistent settings and less room for error. The script prompts for a domain admin user name and password so they don't have to be stored in the script. It will need to be modified for your environment.

You can download it from here.

Please let me know how it works for you.

(*
Bind to AD
 
Copyright © 2007 Patrick Gallagher
http://blog.macadmincorner.com
Free to distribute. 
No warranty expressed or implied. 
 
This script will bind the Mac it is running on to Active Directory. Read comments below and edit for your environment. 
*)
 
--get a domain admin user name and password which will be used to bind
set user_name_dialog to display dialog "Enter a domain admin account name: " default answer "" buttons {"Next"} default button "Next"
set user_name to text returned of user_name_dialog
set user_password_dialog to display dialog "Enter the domain admin password. " & return & return & "WARNING: If you are running Panther (MacOS 10.3), your input will be displayed in this box as clear text." default answer "" buttons {"Next"} default button "Next" with hidden answer
set user_password to text returned of user_password_dialog
 
--We want to verify the computer name is proper before we bind
set currentName to (do shell script "scutil --get ComputerName")
set computerName to text returned of (display dialog "Verify the computer name is correct" default answer currentName)
 
--Set the computer name on the computer in case it was just renamed in the previous step
--systemsetup lived at this path on 10.4 with the ARD 3.0 client; the ARD 3.1 update and 10.5 or later moved it to /usr/sbin/systemsetup (see the comments below)
--"quoted form of" wraps each value in single quotes so a name containing spaces or shell metacharacters cannot break the command line
do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup setcomputername " & quoted form of computerName & space & "setlocalsubnetname " & quoted form of computerName with administrator privileges
 
--Start binding
-- Change AD.DOMAIN.COM to your AD domain
-- Also change DC=ad,DC=domain,DC=com
-- The password is handed to dsconfigad on its command line, so it is visible in the process list (ps) for as long as dsconfigad runs
do shell script "dsconfigad -f -a " & quoted form of computerName & space & "-domain AD.DOMAIN.COM -u " & quoted form of user_name & " -p " & quoted form of user_password & " -ou \"CN=Computers,DC=ad,DC=domain,DC=com\"" with administrator privileges
 
--Change MYDOMAIN\\deptAdmins to your domain\youradminGroup
--The -alldomains enable is optional. If you remove it, you will also need to modify anything that mentions "All Domains" below and replace it with your domain
do shell script "dsconfigad -alldomains enable -localhome enable -protocol smb -mobile enable -mobileconfirm disable -useuncpath enable -groups \"MYDOMAIN\\deptAdmins\"" with administrator privileges
do shell script "defaults write /Library/Preferences/DirectoryService/DirectoryService 'Active Directory' Active" with administrator privileges
do shell script "plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist" with administrator privileges
do shell script "killall DirectoryService" with administrator privileges
delay 20
 
--I do this to help get DirectoryService running again in time to do the next steps (weird I know)
tell application "Terminal" to activate
tell application "Terminal" to quit
 
--Put the AD node on the authentication and contacts search paths
do shell script "dscl /Search -create / SearchPolicy CSPSearchPath" with administrator privileges
delay 5
do shell script "dscl /Search -append / CSPSearchPath \"/Active Directory/All Domains\"" with administrator privileges
do shell script "dscl /Search/Contacts -create / SearchPolicy CSPSearchPath" with administrator privileges
do shell script "dscl /Search/Contacts -append / CSPSearchPath \"/Active Directory/All Domains\"" with administrator privileges
 
do shell script "killall DirectoryService" with administrator privileges
delay 20
tell application "Directory Utility" to activate
 
--Show the resulting binding so it can be checked before the machine is handed over
display dialog (do shell script "dsconfigad -show" with administrator privileges)
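The same bind procedure as a shell script, added here as an example and not part of the original post. Every value reaches systemsetup and dsconfigad as its own argument rather than being spliced into one command string, which is what makes a password or OU containing spaces or quotes produce the "unexpected EOF while looking for matching" errors seen in the comments below. It assumes macOS with dsconfigad(8) and systemsetup at /usr/sbin/systemsetup (the 10.5-and-later location the comments give); AD.DOMAIN.COM, the OU DN and MYDOMAIN\deptAdmins are the post's placeholders.

```shell
#!/bin/bash
# Added example, not the post's script. Edit the three placeholders for your site.
AD_DOMAIN="AD.DOMAIN.COM"
AD_OU="CN=Computers,DC=ad,DC=domain,DC=com"
ADMIN_GROUPS='MYDOMAIN\deptAdmins'

# AD computer accounts follow NetBIOS naming: 1-15 characters, letters, digits
# and hyphens only, not starting or ending with a hyphen. Returns 0 when usable.
valid_computer_name() {
  local n="$1"
  [ -n "$n" ] && [ "${#n}" -le 15 ] || return 1
  case "$n" in
    -*|*-) return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
}

# The -ou target must be a DN of CN=/OU= components followed by at least one
# DC= component; a bare "Computers" is rejected before dsconfigad ever sees it.
valid_ou_dn() {
  printf '%s\n' "$1" | grep -Eq '^(CN|OU)=[^,=]+(,(CN|OU)=[^,=]+)*(,DC=[^,=]+)+$'
}

bind_to_ad() {
  local name="$1" admin="$2" pass="$3"
  valid_computer_name "$name" || { echo "rejected computer name: $name" >&2; return 1; }
  valid_ou_dn "$AD_OU" || { echo "rejected OU DN: $AD_OU" >&2; return 1; }
  /usr/sbin/systemsetup -setcomputername "$name" -setlocalsubnetname "$name"
  # -p still exposes the password in the process list while dsconfigad runs;
  # leave "-p $pass" out to have dsconfigad prompt for it on the terminal instead.
  dsconfigad -f -a "$name" -domain "$AD_DOMAIN" -u "$admin" -p "$pass" -ou "$AD_OU"
  dsconfigad -alldomains enable -localhome enable -protocol smb -mobile enable \
    -mobileconfirm disable -useuncpath enable -groups "$ADMIN_GROUPS"
  dsconfigad -show
}

main() {
  local admin pass name current
  current="$(scutil --get ComputerName)"
  read -r -p "Domain admin account: " admin
  read -r -s -p "Domain admin password: " pass; echo   # -s: no echo to the screen
  read -r -p "Computer name [$current]: " name
  bind_to_ad "${name:-$current}" "$admin" "$pass"
}

# Only binds when invoked as "bind-ad.sh bind"; sourcing the file just defines the functions.
if [ "${1:-}" = "bind" ]; then main; fi
```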



19 Responses to Bind to Active Directory Applescript

  • JoeG says:

    Great script! I’ve modified for my own use and have been using it to join 50+ Macs to our domain.

  • adamM says:

    Hello,

    This is a great script, however I'm having trouble getting it to work. I keep getting errors regarding my Directory Service node. I have checked and double checked that the node address is correct. If you could get in touch with me by way of email I would be forever grateful.

    Thanks

    adam [dot] moss [at] penton [dot] com

  • Reed says:

    This may sound a little silly, but how am I supposed to edit a .app?

  • PatGmac says:

    Open it with Script Editor.

  • Applescript AD bind:
    getting error: ON
    using ARD V3
    SCRIPT SENT:
    --Set the computer name on the computer incase it was just renamed in the previous step
    do shell script "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup setcomputername " & computerName & space & "setlocalsubnetname " & computerName with administrator privileges
    ERROR:
    /bin/sh: /system/library/coreservices/remotemanagement/ardagent.app.contents/support/systesetup: No such file or directory

  • Patrick says:

    This applescript is not intended to be used with ARD. Use this one instead for ARD: http://blog.macadmincorner.com/bind-to-ad-using-apple-remote-desktop/

  • I'm not using it on ARD. Because it was trying to dump this file into Content which ARDAgent.
    I mentioned ARD version. Just running a regular AppleScript.

  • Patrick says:

    Ok.

    I bet the problem is that this script is a bit outdated. Apple moved systemsetup with the ARD 3.1 update to /usr/sbin/systemsetup. Change any references to systemsetup to the new path and it should work again.

  • Mike says:

    Where can I download the script? The link seems to be broken.

  • Patrick says:

    @Mike
    Fixed. Sorry ’bout that. Not sure where it went.

  • Richard says:

    Interesting note: in 10.4 and earlier (as long as the right ARD client version is installed) systemsetup still resides in /System/Library/CoreServices/RemoteManagement/ARDAgent.app/contents/Support/

    10.5 and later systemsetup resides in /usr/sbin

  • Mike says:

    Great stuff thanks.

  • Mark says:

    Great script. Not sure if you are still maintaining it.
    I'm trying to get it to work with Lion.

    I updated it to reflect the location of the systemsetup

    But it gives an error:
    error "/bin/sh: -c: line 0: unexpected EOF while looking for matching `\"'
    /bin/sh: -c: line 1: syntax error: unexpected end of file" number 2

    do shell script "dsconfigad -f -a " & computerName & space & "-domain xxxxx.xxxxxxxxxxx.xxx -u" & user_name & " -p " & user_password & " -ou \"CN=_non-Assigned_Mobile,OU=xxxxx_Computers,DC=xxxxx,DC=xxxxxxxxxx,DC=EDU" with administrator privileges

    Not sure what that means.

    ps: I’ve changed the domain to x’s for anonymity.

    Any help you can provide would be amazing.

    Mark

  • Kara Ousley says:

    Have you updated this script for OS X.7 (Lion)? Would love to use it.

  • Mykal says:

    Do you have an updated version of this script for OS X.7 (Lion)?

  • Mykal says:

    OSX 10.7.3 to be exact..

  • Jonas Steinberg says:

    Do you know of any way to actually automate via a script the generation of actual computer objects in AD, as opposed to simply binding a computer to an already existing AD computer object, which is what I am assuming this script does?

  • Patrick says:

    Bind scripts will create the computer object if it’s not already present (assuming your account has permission to do so).

  • Sean says:

    At line 16 of the script I am encountering the following error: “/bin/sh: /System/Library/CoreServices/RemoteManagment/ARDAgent.app/Contents/Support/systemsetup: No such file or directory”

    Is this the result of the code being outdated? I am trying to run it on Yosemite OS X. The computer I am testing it on is already connected to an AD; is that affecting the code at this point?
