Binding and Unbinding to Active Directory from Mac OS via Command Line

macs-on-active-directory.md

Binding and Unbinding to Active Directory from Mac OS via Command Line

• Open the Terminal Application
• Type in sudo -i and type in your Mac Administrator account password. sudo gives you root level or administrator level privileges.

To View current Active Directory Settings

dsconfigad -show

To Unbind a Computer from an Active Directory Domain

dsconfigad -remove -username <username> -password <password> [-localuser <localadmin> -localpassword <localpass>]

Note: <username> needs to be replaced with domain administrator who has binding/unbinding rights.

---

To Bind a Mac Laptop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> needs to be replaced with domain administrator who has binding/unbinding rights.
<domain> --> replace with domain you want to join.

dsconfigad -add <domain> -computer <computer-name> -username <username> -password <password> -ou "CN=Computers,DC=network,DC=example,DC=com" [-force] [-localuser <localadmin> -localpassword <localpass>] -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -protocol smb -groups "Domain Admins,Enterprise Admins" -alldomains enable -packetsign require -packetencrypt require

---

To Bind a Mac Desktop Computer to an Active Directory Domain

<computer-name> --> replace this with the computer name you want to bind to Active Directory
<username> --> needs to be replaced with domain administrator who has binding/unbinding rights.
<domain> --> replace with domain you want to join.

dsconfigad -add <domain> -computer <computer-name> -username <username> -password <password> -ou "CN=Computers,DC=network,DC=example,DC=com" [-force] [-localuser <localadmin> -localpassword <localpass>] -localhome enable -useuncpath enable -protocol smb -groups "Domain Admins,Enterprise Admins" -alldomains enable -packetsign require -packetencrypt require

Is there special syntax associated with the -u and -p for unbinding? I don't want to force unbind leaving cruft in AD. I keep getting "Invalid Credentials supplied to remove the bound server" I've tried:

For -u
ou\admin-account
ou\admin-account
admin-account

For -p
pa$$w0rd^
pa$$w0rd^

NOTE - these are random credentials but I am structuring them here to be very similar, including the $ in the password.

I believe bash is messing with my credentials...If I echo the password with the "" in front of the $ signs, it echos properly. If I echo ou\admin-account with the additional , it echoes properly.

Help please :D

Has anyone ever found a cause for "Node name wasn't found. (2000)" besides time difference or DNS?

I ran "net time" on our AD controller and it matches the time on my MacBook nearly to the second. It's using our network's DHCP for DNS settings.

I haven't been able to find any other reasons for this error when searching online. I had no problems binding it to the domain manually through System Preferences.

UPDATE:
Turned out to be a switch that wasn't working after all. When configuring MacBooks at work, we're supposed to check the box, "Prefer this domain server:", and then enter our organization's domain. I tried automating this by adding the -preferred switch followed by our domain, but apparently that breaks dsconfigad.

I don't see < username > after "dsconfigad -f -r -u".

@jszabo98 - in your macOS Terminal, run the following help command, that will show what options you have available to you.

dsconfigad -h

I'm pointing out a typo in this document. Oh it's fixed.