The Encrypted Strings script looks nice. I like it.
I've been storing a less-well encrypted copy of an admin password locally in a file readable only by root, placing that file on all managed machines, and reading/decrypting the password from that file with a call from any script I use that needs it. So no JSS counterpart, but the credentials are stored locally and are somewhat protected.
Thanks @stevewood
That's a step in the right direction, although, as stated here,
the password could be retrieved by someone who has access to the JSS and script. I'm pretty sure our security team wouldn't go for it.
I do like @stutz's suggestion to hide the password in the script parameter; that would be a useful feature.
You can force remove the bind without using valid credentials.
https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/
We spent quite a bit of time working out how to protect sensitive information like usernames and passwords in scripts. If the file has to stay on the client device, it's not really possible. They either have the password, or a hashed version of the password (which isn't really changing anything).
Using Casper, you can put the script in the JSS and restrict which JSS user accounts can see it. That's about as good as we've got it.
The other alternative is to not delete the computer object but just do a force unbind, which will stop the computer object in AD from being updated every 14 days, and have AD delete any records that haven't been updated for X amount of time.
A similar process would be to do the force unbind but get the process to report the computer name back to a text file (or add a flag) somewhere on the network. If the users can't add to this file, you can run a server-side script to delete the computer accounts. If the users can write to it, then maybe delete them only if they have not logged on for a certain length of time.
Regards
Graeme
If you don't like the idea of a file share, you could:
In unbind script, add a flag to a plist
EA to read plist
Allow read access to the database from your AD server
Granting Read-Only Access to the JAMF Software Server MySQL Database
AD server reads the database and (as @Graeme suggested) runs the remove script to tidy up based upon the EA.
If you use this, you may also want to add a timer/counter to self remove the flag to prevent constant reporting.
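As an added example (not code from this thread or from Jamf), here is a sketch of the plist-flag approach described above: the unbind script force-unbinds with the dummy credentials mentioned later in the thread and writes a flag plist, an Extension Attribute reads the flag back, and a timer expires the flag so the machine stops reporting forever. The plist path, key names and function names are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Path and keys below are assumed names.
FLAG_PLIST="${FLAG_PLIST:-/Library/Preferences/com.example.adunbind.plist}"

# Write a minimal XML plist recording the computer name and unbind time.
write_unbind_flag() {  # $1 = plist path, $2 = computer name, $3 = epoch seconds
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ComputerName</key>
    <string>$2</string>
    <key>UnboundAt</key>
    <integer>$3</integer>
</dict>
</plist>
EOF
}

# Read the flagged computer name; fails (prints nothing) if no flag exists.
read_unbind_flag() {  # $1 = plist path
    [ -f "$1" ] || return 1
    sed -n 's|^[[:space:]]*<string>\(.*\)</string>$|\1|p' "$1" | head -n 1
}

# Read the epoch timestamp stored when the machine was unbound.
read_unbind_time() {  # $1 = plist path
    [ -f "$1" ] || return 1
    sed -n 's|^[[:space:]]*<integer>\(.*\)</integer>$|\1|p' "$1" | head -n 1
}

# The "timer" from the post: drop the flag once it is older than $3 seconds
# so the EA stops reporting this machine. Returns 0 only when it removed it.
expire_unbind_flag() {  # $1 = plist path, $2 = now (epoch), $3 = max age (s)
    t=$(read_unbind_time "$1") || return 1
    [ $(( $2 - t )) -gt "$3" ] || return 1
    rm -f "$1"
}

# Run as root from the Jamf policy: force-unbind with dummy credentials
# (the trick discussed in this thread), then leave the flag for the EA.
unbind_and_flag() {
    dsconfigad -force -remove -u johndoe -p nopasswordhere || return 1
    write_unbind_flag "$FLAG_PLIST" "$(scutil --get ComputerName)" "$(date +%s)"
}

# Extension Attribute body: report the flagged name, or "none" when unflagged.
ea_result() {  # $1 = plist path
    name=$(read_unbind_flag "$1") || name=none
    echo "<result>${name:-none}</result>"
}
```

The server-side cleanup then only needs to query the EA (or the read-only database view linked above) for results other than "none".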
Looks like it comes down to either storing the password on the JSS and restricting the access to view it, or not saving the password and force unbinding the machine, which will leave the computer object in AD, and then manually/automatically tidying that up. I like the idea of logging the computer name to a file so the tidy-up can be simpler.
thanks all for your advice!
Time to do some testing.
I just put in a Feature Request for a policy to unbind a machine from Active Directory using the credentials stored with the Directory Bindings.
@jonnydford : The trick with passing wrong credentials only worked for certain versions of OS X, I don't recall which ones.
@mschroder I just tested the command now, can confirm it works in 10.11.6
dsconfigad -force -remove -u johndoe -p nopasswordhere