Bind to AD using Apple Remote Desktop

September 2, 2007

Need to bind a handful of Macs to Active Directory remotely? There are a couple of scripts online already, including one from MacEnterprise and one from Bombich, but I've never been able to get those to work when run through ARD. Either the AD plugin wasn't activated, or AD wasn't added to the authentication search path, and so on. A lot of steps have to occur in order for the bind to succeed, and timing is everything: at first I tried adding sleep commands all over the place, but that didn't work consistently either.

So here is the script that is working consistently for us. It is basically Bombich's script, slightly modified. His is intended to be used as a login hook and works well for that purpose, but I needed to make some changes to get it to work over ARD.

I removed some options I didn't need, so compare this against Bombich's script if you want any of the options I omitted.

You can download it here or copy and paste it from below:

#!/bin/sh
 
############################ AD_Bind_ARD ###########################
# Patrick Gallagher | patgmac@gmail.com
# http://macadmincorner.com
# This is a script that will bind a Mac to AD from ARD.
# Modified from Mike Bombich's ad-bind-login-tiger.sh script
# which can be found at http://www.bombich.com/mactips/scripts.html
# Needs to be modified for your environment.
# Run it as root (in ARD, "Send Unix Command" with the user set to root);
# otherwise Directory Services refuses the changes.
####################################################################
 
computerid=`/usr/sbin/scutil --get LocalHostName`
 
# Standard parameters
domain="domain.school.edu"			# fully qualified DNS name of Active Directory Domain
udn="username"				# username of a privileged network user
password="password"			# password of a privileged network user
ou="CN=Computers,DC=domain,DC=school,DC=edu"	# Distinguished name of container for the computer
 
# Advanced options
alldomains="enable"			# 'enable' or 'disable' automatic multi-domain authentication
localhome="enable"			# 'enable' or 'disable' force home directory to local drive
protocol="smb"				# 'afp' or 'smb' change how home is mounted from server
mobile="enable"				# 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable"		# 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable"		# 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"		# e.g., /bin/bash or "none"
preferred="-nopreferred"	# Use the specified server for all Directory lookups and authentication
							# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="YOURDOMAIN\domain admins"	# These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")
 
# Bombich's login hook setting has been removed: this version is sent from ARD,
# not run as a login hook.
 
### End of configuration
 
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5
 
# Bind to AD
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"
 
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
	dsconfigad -nogroups
else
	dsconfigad -groups "$admingroups"
fi
 
# $preferred is deliberately left unquoted so that "-preferred ad.server.edu"
# is passed as two separate arguments
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
	-mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
	-shell "$user_shell" $preferred
 
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService
 
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
	csp="/Active Directory/All Domains"
else
	csp="/Active Directory/$domain"
fi
 
#dscl /Search -create / SearchPolicy CSPSearchPath
#dscl /Search -append / CSPSearchPath "$csp"
#dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
#dscl /Search/Contacts -append / CSPSearchPath "$csp"
 
# This works in a pinch if the above code does not
# (Search Policy 3 = custom path; the node written is the one chosen above)
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "$csp"
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3
 
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
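The two failure modes described at the top of the post (the AD plugin never activated, or the AD node never added to the authentication search path) are easiest to catch with a check that runs after the bind script, so a glance at the ARD output tells you which machines actually finished. The following is an added example, not part of the original post or of Bombich's script: it parses the output of `dsconfigad -show` and of `dscl /Search -read / CSPSearchPath` and reports which of the two checks failed. The function names and the sample output strings are constructed for this example; the output layout they assume is the one those two commands print, so adjust the patterns if your release formats them differently.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Mac is bound to the
# expected AD domain and that an Active Directory node is on the search path.
# Function names and sample text below are this example's own.

# ad_domain_from_show TEXT
#   Prints the domain reported on the "Active Directory Domain = ..." line of
#   `dsconfigad -show`, or nothing if the machine is not bound.
ad_domain_from_show() {
    printf '%s\n' "$1" | awk -F' = ' '
        /Active Directory Domain/ { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# search_path_has_node TEXT NODE
#   Returns 0 if the `dscl /Search -read / CSPSearchPath` listing in TEXT
#   contains NODE as one of its entries (entries follow the "CSPSearchPath:"
#   header, one per line, indented by a space).
search_path_has_node() {
    printf '%s\n' "$1" | awk -v node="$2" '
        NR > 1 { sub(/^[ \t]+/, ""); if ($0 == node) found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_bind DOMAIN SHOW_TEXT SEARCH_TEXT
#   Returns 0 when the machine reports DOMAIN and the search path contains
#   either "/Active Directory/All Domains" or "/Active Directory/DOMAIN";
#   otherwise prints what is wrong to stderr and returns 1.
verify_bind() {
    domain=$1; show=$2; search=$3; rc=0
    got=$(ad_domain_from_show "$show")
    if [ "$got" != "$domain" ]; then
        echo "NOT BOUND: dsconfigad reports '${got:-nothing}', expected $domain" >&2
        rc=1
    fi
    if ! search_path_has_node "$search" "/Active Directory/All Domains" &&
       ! search_path_has_node "$search" "/Active Directory/$domain"; then
        echo "SEARCH PATH: no Active Directory node in CSPSearchPath" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample output in the layout the two commands print.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = school.edu
  Active Directory Domain          = domain.school.edu
  Computer Account                 = lab-mac01$'
SAMPLE_SEARCH_OK='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'
SAMPLE_SEARCH_BAD='CSPSearchPath:
 /Local/Default
 /BSD/local'

# On a Mac, as root, right after the bind script, feed the live output instead:
#   verify_bind "$domain" "$(dsconfigad -show 2>&1)" "$(dscl /Search -read / CSPSearchPath 2>&1)"
```

Run it as a second "Send Unix Command" from ARD: a non-zero exit plus the stderr line shows up per machine, so an unbound box or a missing search-path entry is visible without opening Directory Utility on each one.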

Find more like this: AD Integration, Automation, Directory Services, Mac, Scripting


20 Responses to Bind to AD using Apple Remote Desktop

  • jason says:

    Hey Patrick

    Thanks for the very helpful script. But could you tell me the steps on how exactly I would run this through ARD? I tried running this through ARD and it gives me error “Unable to obtain rights to change Directory Services”.
    Thanks.

  • Patrick says:

    You need to run as root in the “Send unix command” window.

  • jason says:

    Ok, thanks, that seems to have worked. Got a couple more:
    Would you mind telling me what needs to be added to this script so that I could randomly rename the computers and force logouts after the binding?

    I see that you mentioned about loginhooks. Are loginhooks for running scripts also copied to multiple computers through ARD? What other ways are there to run scripts for a bunch of computers over the network?

  • Patrick says:

    You want to make sure each machine has a unique name before binding so you don’t end up with duplicate computer records in AD. It’s usually safe to use the MAC address of the NIC as whole or part of the name. Something like:

    nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
    uniqueName="Mac-$nicAddress"

    Just make sure whatever you do comes out to 16 characters or less because of the NetBIOS limit in Windows.

    This script was based on Bombich’s script which was used as a login hook, the details of that are http://www.bombich.com/mactips/scripts.html and http://www.bombich.com/mactips/loginhooks.html. The idea was that you would make it a loginhook on a new image, then the loginhook would delete itself after binding. If you are binding existing machines, you don’t want to use a loginhook.

    ARD is probably the best way to run scripts over a bunch of machines, but other options would be other DMS like LANDesk, LANRev or Casper. But even though I use LANDesk, I would still use ARD for this because I want to be able to see if something went wrong at a glance like ARD shows. LANDesk would just report a success (exit 0) or failure (any exit code non-zero).
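The naming advice in the comment above (give each machine a unique name derived from its NIC address, and keep it within the NetBIOS limit) is worth enforcing in code rather than by eye, because a name that is too long or contains characters AD rejects fails the bind on exactly the machines you are not looking at. The following is an added example, not part of the original post or of Bombich's script: it builds the name from a MAC address and validates it before it would be handed to dsconfigad. The function names (name_from_mac, check_netbios_name, unique_bind_name) and the sample MAC addresses are this example's own. Note that a NetBIOS name is 16 bytes with the last byte reserved for the service suffix, so the check enforces 15 characters.

```shell
#!/bin/sh
# Added example (not from the original post): derive a unique computer name
# from the NIC hardware address and enforce the NetBIOS length and character
# rules before binding. Function names and sample MACs are this example's own.

# A NetBIOS name is 16 bytes; the 16th is the service suffix, so 15 usable
# characters remain for the computer name.
NETBIOS_MAX=15

# name_from_mac PREFIX MAC
#   Prints PREFIX followed by the MAC's hex digits (separators dropped, lower
#   case). If the result would exceed NETBIOS_MAX, leading hex digits are
#   dropped first: the trailing digits are the device-specific part, while
#   the leading ones are the vendor OUI shared by every machine of one model.
name_from_mac() {
    prefix=$1
    hex=$(printf '%s' "$2" | tr -cd '0-9a-fA-F' | tr 'A-F' 'a-f')
    room=$(( NETBIOS_MAX - ${#prefix} ))
    if [ "$room" -le 0 ]; then
        # the prefix alone already fills the name; nothing from the MAC fits
        printf '%s\n' "$prefix" | cut -c1-"$NETBIOS_MAX"
        return 0
    fi
    hexlen=${#hex}
    if [ "$hexlen" -gt "$room" ]; then
        hex=$(printf '%s' "$hex" | cut -c$(( hexlen - room + 1 ))-)
    fi
    printf '%s%s\n' "$prefix" "$hex"
}

# check_netbios_name NAME
#   Returns 0 when NAME is 1..NETBIOS_MAX characters of letters, digits and
#   hyphens, 1 otherwise. This rejects names AD will refuse or truncate
#   (too long, spaces, dots, stray text from a bad ifconfig parse).
check_netbios_name() {
    n=$1
    [ -n "$n" ] || return 1
    [ "${#n}" -le "$NETBIOS_MAX" ] || return 1
    case $n in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# unique_bind_name PREFIX MAC
#   Prints a validated name, or prints nothing and returns 1.
unique_bind_name() {
    name=$(name_from_mac "$1" "$2")
    check_netbios_name "$name" || return 1
    printf '%s\n' "$name"
}

# Live use on a Mac, run as root from ARD before the dsconfigad line of the
# bind script (not executed here):
#   mac=$(ifconfig en0 | awk '/ether/ {print $2}')
#   computerid=$(unique_bind_name "Mac-" "$mac") || { echo "bad name" >&2; exit 1; }
#   scutil --set LocalHostName "$computerid"
#   scutil --set ComputerName "$computerid"
```

With the "Mac-" prefix from the comment, a 12-digit MAC no longer fits in 15 characters, so the function keeps the 11 trailing digits; choose a shorter prefix (or a site code) if you want the full address in the name.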

  • jason says:

    Few words... well put, Patrick! That means a lot and clears up so many things for me, being new to Macs (this is our first year with Macs).
    And yes, unfortunately this whole deal struck me only after all the 500+ machines were imaged, and it would be a real pain to re-image all of them again!
    I have heard about the LANDesk option elsewhere, but I will definitely look into the LANRev and Casper options. And please do comment in future if you come across similar better/new tools. Anything that eases the management/setup of machines/policies in a mixed platform.

  • jason says:

    Hey Patrick,
    got one more for you today. I was trying out the script again and was trying to get the OD server entry to also show up in Search Policies (below the AD entry) in the Directory Utility "Authentication" tab, and added this to the script:

    #dscl /Search -append / CSPSearchPath "/LDAPv3/127.0.0.1"

    and also:

    defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/127.0.0.1"

    Now I am not sure but would these entries not work?

  • Patrick says:

    /LDAPv3/127.0.0.1 is only a valid address “from” your OD servers. You need to specify it as /LDAPv3/servername.domain.com

  • Jason says:

    Yes, sorry, /LDAPv3/myodserver.com is what I used. I just typed in the wrong thing here. I just needed to confirm that it was the right code to add in the script for getting the LDAP entry in the search policy. It wasn't working for some reason... Any other lines that I need to add for binding the clients to OD successfully, along with binding to AD? Thanks.

  • Patrick says:

    Here’s what I use:

    dsconfigldap -v -a server.school.edu -n server.school.edu
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath /LDAPv3/server.school.edu
    killall DirectoryService

  • Jason says:

    Alright, I will try that out. Thanks.

  • Joshua See says:

    OOC, why the last plutil line to convert the prefs file back to XML? I thought OS X was agnostic as to binary vs. XML property lists, and that defaults would honor their current state. Does binding involve an exception to the rule?

  • Patrick says:

    @Joshua: This script originated from the 10.3 or 10.4 days, when it was necessary. And as I mentioned, this script is based on Mike Bombich's script from years ago. Since the plutil command never stopped working, I never bothered changing it. Perhaps the plutil command is still needed in 10.4? If so, I would leave it as is unless all your machines are > 10.5.

  • Peter paul says:

    Could you please repost the script with nicAddress=`ifconfig en0 | grep ether | awk '{print $2}'`
    uniqueName="Mac-$nicAddress"

    added?

    Thanks,

  • Dorian Marinov says:

    Can't seem to download the script, and copy-pasting causes a lot of errors for some reason. Can you re-upload please?

    Thanks 🙂

  • Patrick says:

    @Dorian

    Sorry about that. Try again.

  • Francisco Gomez says:

    How can I modify this script to unbind the computer(s)?

  • Francisco Gomez says:

    Solved my own question, thanks.

  • Patrick says:

    @Francisco

    That’s a 1 line command:

    dsconfigad -r -u ad_admin -p password

  • Shawn says:

    Ok, I don't know if this is possible or not, but can you set this script to ask for the computer name? In my network we use really long computer names with ARD, but these names have to be cut down to join AD. Basically what I'm saying is my ARD and AD computer names are different. It would help if it would ask me for input.

  • Mike says:

    Really silly question, but how do you package the script listed above to be able to send it as a Unix command in ARD? Is it really as simple as saving the text file as my_script.sh?
