Skip to main content

I've been working on a script that validates if a Mac's binding to AD is still active or not. This is an issue that seems to be caused when the computer is off the corporate network at the time of kerberos key cycling, typically set to 14 days (see dsconfigad -show; setting it to 0 will stop this cycling, which I am currently testing to see if it stops bindings from breaking).

This has been working fairly well, except for that we are getting some false failure reports when using the id command.

Has anyone had to do this and found a more consistent way to see if a device binding is working or broken using the id, dscl or other commands?

#!/bin/sh

adserver="directory.contoso.com"
testuser="_MacComputer"
pass="AD Binding OK"
fail="AD Binding Failed"
offline="Not in range of DC"
notbound="The Mac is not bound to contoso.com"

# Check if we can ping the AD Domain Controller, if ping was successful check if we can query a UPN

# If the ping was successful check if we can we query a UPN?
if ping -c 3 $adserver &> /dev/null; then
    # Check the domain returned with dsconfigad
    domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
    # If the domain is correct
    if [[ "$domain" == "contoso.com" ]]; then
        # Check for the id of a user
        if id -u $testuser &> /dev/null; then
        # If the check was successful...
            echo "<result>$pass</result>"
        else
            # If the check failed
            echo "<result>$fail</result>"
        fi
    else
        # If the domain returned did not match our expectations
        echo "<result>$notbound</result>"
    fi
else
    # We can't see the DCs, so no way to properly check
    echo "<result>$offline</result>"
fi

Original source: https://www.jamf.com/jamf-nation/discussions/7039/how-to-check-if-a-computer-is-actually-bound-to-the-ad

https://www.jamf.com/jamf-nation/discussions/12776/apple-macs-losing-ad-binding#responseChild74510

The above thread has a post to @mm2270 with a great script to validate AD binding.

Thanks @thoule - it looks like that's a slightly messier (more nested if's) version of the same thing, but uses the dscl binary instead of the id binary and breaks the <result> tag out into a single run. I wonder if they are also seeing false positives, but I will try a version that uses a single <result> call.

dscl hasn't been playing nice with me, but I'll keep poking.

In case anyone stumbles on this, I was able to get some assistance back in October that has been running fairly well since then. There are still some false positives, but this appears to be due to the directory services hanging and are usually resolved by a restart. Thanks to @doggles for the assist on this one.

#!/bin/bash

SECURE_LDAP=TRUE
log="/private/tmp/$(date "+%F__%H-%M-%S")-adcheck.log"
domain="contoso.com"
dc="adserver.$domain"
ldap_user="_testaccount"
pass="AD Binding OK"
fail="AD Binding Failed"
offline="Not in range of DC"
notbound="The Mac is not bound to contoso.com"

if $SECURE_LDAP
then port=636
else port=389
fi

main()
{

if nc -z $dc $port; then
    if [[ $domain = $(dsconfigad -show | awk 'NR==2{print $5}') ]]; then
        if id -u $ldap_user; then
            result=$pass
        else
            result=$fail
        fi
    else
        result=$notbound
    fi
else
    result=$offline
fi

echo "<result>$result</result>"
}

main 2>&1 | tee -a $log

We have a few different domains(4 to be exact) and wanted to see if anyone has run into where people switch different domains in AD. Example : User goes from the US to Europe, the mac would bind to the European Domain upon arrival.

Terms & ConditionsCookie settingsAccessibility statement