I know this is an old thread, but I saw that behavior on machines that were upgraded to 10.10.x. Computers with fresh installs of 10.10.x would stay bound, but any machine upgraded from a previous OS would keep unbinding itself.

I haven't seen this happen now that we are upgrading machines to 10.11.x

@bentoms @jhalvorson I know this is old but ever since we moved to 8021x authentication, this problem has been becoming more popular on our El Capitan machines. I was wondering if the command to disable the password change interval ( dsconfigad -passinterval X) needs to be run prior to or after the domain binding. @jhalvorson , the Apple article you mentioned instructs you to do it prior to binding but @bentoms said it works after binding.

Thanks

As best I can tell, when the computer is not bound, there aren't any configs to adjust.
When you attempt to set it on a computer that is is not bound, the response is:

dsconfigad: No operation specified nor update requested

I have been issuing the command after the computer has been bound to AD. Then the command will result in:

Settings changed successfully.

You can see the status of the dsconfigad by using the

dsconfigad -show

command. Here's an example:

Active Directory Forest = mydomain.org Active Directory Domain = mysomething.mydomain.org Computer Account = ComputerID$ Advanced Options - User Experience Create mobile account at login = Enabled Require confirmation = Disabled Force home to startup disk = Enabled Mount home as sharepoint = Enabled Use Windows UNC path for home = Disabled Network protocol to be used = smb Default user Shell = /bin/bash Advanced Options - Mappings Mapping UID to attribute = not set Mapping user GID to attribute = not set Mapping group GID to attribute = not set Generate Kerberos authority = Enabled Advanced Options - Administrative Preferred Domain controller = not set Allowed admin groups = not set Authentication from any domain = Enabled Packet signing = allow Packet encryption = allow Password change interval = 30 Restrict Dynamic DNS updates = not set Namespace mode = domain

I was working on a script to unbind and rebind a mac to our domain. When I run dsconfigad -show on some existing computers that are already bound to AD, some computers have Packet signing and Packet encryption as "allow" and some have it as "disable." Now Im not sure which option to use in the script. I'm not exactly sure what these settings do.

Also when I add groups to Allowed Admin groups in the script, I try to add 3 groups as admingroups="domain admins, enterprise admins, tier2-support" as the variable and use /usr/sbin/dsconfigad -groups $admingroups as the command. It doesnt seem to like the space in the group name because it ends up adding just "domain" in the Admin groups. Do I need another set of parentheses or brackets?

Thanks

This issue has plagued us for years and still does on 10.13.5 Thanks for these helpful scripts. Hopefully, they will work as a band-aid.

We are experiencing this EXACT thing in 2022. Have you found a solution to this (7 years after posting....?)

Hey Adam, looks like I found you on this ancient thread! We are still suffering this issue worse than ever. Did you find a solution or move to Jamf Connect? What's interesting is that our machines are becoming "unbound" they seem to be still bound, but unable to communicate with the domain controller. Still scratching our heads and Apple has no idea.

It still happens periodically, but it's not at epidemic proportions so we just live with it. What Mac OS are you on? We are on 12.5.1 for our entire fleet. I have a theory that it may have to do with a loss of internet blip at the wrong time. Also, we learned the hard way that AD truncates computer names after a certain number of characters (I don't remember how many). So if you have a naming scheme like Building36-Lab3-Computer-1 it will truncate and when you add Building36-Lab3-Computer-2 it will overwrite the AD record for Building36-Lab3-Computer-1 (which was probably stored as Building36-Lab3-Com) and break the AD connection for the first machine. 

We tried JAMF connect, but we are a Google school and JAMF connect does not react well to password changes when using Google as the auth source so that was a deal breaker for us. 

That's interesting about the network blip that could be causing that. We manually rebound a bunch of laptops before deployment and found that after they were shut down for an hour and started up again, they weren't communicating with AD again. We use an AD name that is less than 15 characters so we don't run into the truncated name scenario. We are really feeling the pain with the AD stuff now because we rely on it for authenticated printing, lightspeed and getting wifi access of course. 

That is not great to hear about Jamf Connect, because Google would be the next logical step for authentication since we use it for almost everything else here at school.