Skip to main content
Solved

unbind to AD but AD account still able to login afterwards ??

  • April 16, 2015
  • 4 replies
  • 11 views
T
Forum|alt.badge.img+20

I am using that 'unbindAD.sh' script provided on JAMFnation script sections. The policy trigger is set at 'STARTUP' and script priority 'AFTER'

script is simply:

echo "Unbinding the computer from Active Directory..."
/usr/sbin/dsconfigad -r -u "$username" -p "$password"

echo "Restarting Directory Services..."
/usr/bin/killall DirectoryService

is there a script somewhere to delete the 'domain account' after the unbind so users that are cached cannot login ?

Best answer by tcandela

I found the following script, and added it into the unbindAD.sh (after the unbinding command) - it works in deleting the cached domain accounts

Deleting cached domain accounts (this means local accounts will remain untouched)

for cuser in dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr ' ' ' '; do
dscl . -delete /Users/$cuser
rm -rdfv /Users/$cuser
done

Deleting the Shared files

rm -rdfv /Users/Shared/
rm -rdfv /Users/Shared/.

I also added line to have the loginwindow to go back to 'user list' but it does not happen on the first login (it is still at name/password screen) if i login, THEN logout, it will now be at the 'user list' window ???

Set the login window to name and password

defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

exit $?

    4 replies

    T
    Forum|alt.badge.img+20
    • tcandela
    • Author
    • Contributor
    • Answer
    • April 16, 2015

    I found the following script, and added it into the unbindAD.sh (after the unbinding command) - it works in deleting the cached domain accounts

    Deleting cached domain accounts (this means local accounts will remain untouched)

    for cuser in dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr ' ' ' '; do
    dscl . -delete /Users/$cuser
    rm -rdfv /Users/$cuser
    done

    Deleting the Shared files

    rm -rdfv /Users/Shared/
    rm -rdfv /Users/Shared/.

    I also added line to have the loginwindow to go back to 'user list' but it does not happen on the first login (it is still at name/password screen) if i login, THEN logout, it will now be at the 'user list' window ???

    Set the login window to name and password

    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

    exit $?

    mm2270
    Forum|alt.badge.img+24
    • mm2270
    • Legendary Contributor
    • April 16, 2015

    Haha. I love how Markdown totally messes up scripts that aren't encased in the script tags here. I would encourage everyone to highlight the whole script after pasting it in, and click that script button in the post toolbar to avoid making their scripts look like a blog entry.

    T
    Forum|alt.badge.img+20
    • tcandela
    • Author
    • Contributor
    • April 16, 2015

    @mm2270 - would you happen to know why the

    defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

    does not go into effect until after someone logs in once and logs off?

    I check system preferences and it is set at user list, but i have to log off to actually start getting the user list.

    J
    Forum|alt.badge.img+7
    • jjones11
    • Contributor
    • April 17, 2015

    @tcandela, the reason why certain defaults do not take place is they are dynamically loaded in memory. If they are changed outside the users interaction by command, they will not take affect until the system is rebooted/relogged.

    Terms & ConditionsCookie settingsAccessibility statement