Yes it will, but then you have the problem of how to get the password in without it being visible in the script. I have been working on this today and used the following to encrypt it: https://github.com/jamfit/Encrypted-Script-Parameters. The problem I am now having is that after unbinding I want to rename the machine and then bind again, but it seems to always bind with the old name.
No longer having the above problem thanks to this post https://www.jamf.com/jamf-nation/discussions/13965/ad-directory-binding-computer-name
This looks promising. Thanks for the script!
As for the renaming - do you set the name in the 3 different locations - HostName, LocalHostName, and ComputerName prior to rebinding it?
Can you provide more information on how to run the script by chance?
So I simply use the "sudo jamf setComputerName -useSerialNumber" to do the rename, I have seen the 3 locations you mention and checked that they are all the same after using the above jamf command.
=== Script Begin===
#!/bin/bash
# Jamf script parameters: $4 = AD username, $5 = encrypted password string

# Decrypt $1 using salt $2 and passphrase $3
function DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

echo "Attempting unbind..."
sudo dsconfigad -remove -u "$4" -p "$(DecryptString "$5" 5f481fb12c9bv191 48cdd84b5dc45a9702652c89a)"

# If the AD user still resolves, the machine is still bound
id -u "$4"

if [[ $? == 0 ]]; then
    echo "Unbind Failed!"
    exit 1
else
    echo "Unbind Successful!"
    # Rename the machine
    sudo jamf setComputerName -useSerialNumber

    # This should allow enough time for the existing computer account to disappear from AD
    sleep 20

    # Rebind the machine
    sudo jamf policy -trigger bind

    exit 0
fi
=== Script End===
I use TextMate to run the script initially: simply run GenerateEncryptedString yourpassword and it will provide an "Encrypted String", the "Salt" and "Passphrase". Keep these strings handy.
In the script above you have to include the DecryptString function and send it the "Encrypted String" as a parameter ($5 in this case) and then the "Salt" and "Passphrase" are hardcoded straight in. I use $4 for the username.
The GenerateEncryptedString just exits with no prompt or anything, just returns a prompt...
Are you running with quotes? For example GenerateEncryptedString "MyPassword"
You might want to try this download instead, I think I may have linked to a slightly different version when googling! https://github.com/brysontyrrell/EncryptedStrings
$ ./GenerateEncryptedString.sh "mypassword"
$
$ GenerateEncryptedString "mypassword"
-bash: GenerateEncryptedString: command not found
Ah, I see what's happening. The GenerateEncryptedString is a function inside the script, so you have to call it from within the script itself. Edit the script and add the following command to the bottom: GenerateEncryptedString "MyPassword"
You should just need to call the script without adding the password on the end: $ ./GenerateEncryptedString.sh
Great stuff! If you see in the original script I posted above I only include the function DecryptString in the final script as that is all that's needed. Good luck!
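The encrypt/decrypt round trip discussed in this thread, as an added example that is not part of the original posts or of the linked projects' code; the function names, variable names and sample value are constructed here. It also shows that the encrypted parameter plus the salt and passphrase hardcoded in the script are all that is needed to recover the password, so the scheme only keeps the plaintext out of any single place.

```shell
#!/bin/sh
# Added example (not from the thread): round trip of the scheme discussed above.

# Encrypt $1 under a fresh random salt and passphrase.
# Prints three lines: encrypted string, salt, passphrase.
generate_encrypted_string() {
    gen_salt=$(openssl rand -hex 8)     # 8 bytes, the size -S expects
    gen_pass=$(openssl rand -hex 12)
    gen_enc=$(printf '%s' "$1" |
        openssl enc -aes256 -a -A -S "$gen_salt" -k "$gen_pass")
    printf '%s\n%s\n%s\n' "$gen_enc" "$gen_salt" "$gen_pass"
}

# Same command as the thread's DecryptString:
# $1 = encrypted string, $2 = salt, $3 = passphrase.
decrypt_string() {
    printf '%s\n' "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3"
}

# Encrypt $1, then decrypt it again from the three printed values.
round_trip() {
    rt_out=$(generate_encrypted_string "$1")
    rt_enc=$(printf '%s\n' "$rt_out" | sed -n 1p)
    rt_salt=$(printf '%s\n' "$rt_out" | sed -n 2p)
    rt_pass=$(printf '%s\n' "$rt_out" | sed -n 3p)
    decrypt_string "$rt_enc" "$rt_salt" "$rt_pass"
}

# Constructed sample value, not a real credential.
SAMPLE='Constructed-Sample-Pw1'
if [ "$(round_trip "$SAMPLE")" = "$SAMPLE" ]; then
    echo "round trip OK"
fi
```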
Has anyone found out how to get the user cert without being bound? We are talking about going away from binding and going to local accounts.