Active Directory Connect/Disconnect

jbanks
New Contributor III

I've been fighting AD for a while here and hope someone might be able to provide a bit of assistance. As I have dug through all of the documentation on here about AD binding, I have changed my scripting multiple times to try to enhance the connection as well as stability. But I keep running into machines that show they are connected to AD, but will not authenticate to AD. My solution so far has been to unbind from AD, rebind to AD, reboot, and everything works. But this seems to be crazy!

After running dsconfigad -show and seeing the "Password change interval = 14" setting, I wonder, if this was changed to 0, would that keep the password from changing and keep my AD settings? I have read through what has been posted, and I just want to verify this before I push it out!

Thanks!

Josh


patgmac
Contributor III

The password change interval is for the machine password in AD. With it set to 14 (which is the default), the Mac will initiate a machine password change around that time; if it's unable to do so in time, the bind breaks. Changing it to 0 just gets around that issue. Note however, it has to be set at the time of binding. So you would have to unbind, set the pass interval, then bind again.

Have you considered not binding, and instead using NoMAD or Enterprise Connect to sync a local account with your AD passwords? All the cool kids are moving away from binding lately. There's not much to be gained from binding.
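As an added example (not code from this thread or from the poster), here is a small sh script that does the check and the rebind sequence patgmac describes: parse `dsconfigad -show` for the "Password change interval" line, and, when run with `--rebind`, unbind and bind again with `-passinterval 0`, then confirm the setting stuck and that a directory lookup actually works. The domain, OU, bind account, and the BIND_PASS environment variable are placeholders, not values from the thread; the sample `dsconfigad -show` text is constructed so the parsing can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the AD machine-password change
# interval reported by dsconfigad and, with "--rebind", redoes the bind with
# -passinterval 0 (never rotate), which only takes effect at bind time.
# Assumptions (placeholders): DOMAIN, OU, BIND_USER below; the bind password is
# read from the BIND_PASS environment variable rather than hard-coded.

DOMAIN="ad.example.com"
OU="OU=Macs,DC=ad,DC=example,DC=com"
BIND_USER="svc_macbind"

# Constructed sample of `dsconfigad -show` output, used when dsconfigad is not
# available (i.e. off a Mac) so the parsing below still runs.
SAMPLE_SHOW='Active Directory Forest          = ad.example.com
Active Directory Domain          = ad.example.com
Computer Account                 = labmac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Password change interval       = 14
  Namespace mode                 = domain'

# Print the value of one "Key = value" line from dsconfigad -show text on stdin.
show_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p" | head -n 1
}

# Exit 0 when the text on stdin describes a bound Mac (a Computer Account line exists).
is_bound() {
    [ -n "$(show_value "Computer Account")" ]
}

# Describe the interval on stdin: "never" for 0, "N days" otherwise, "unbound" if absent.
interval_status() {
    days=$(show_value "Password change interval")
    case "$days" in
        0)  echo "never" ;;
        '') echo "unbound" ;;
        *)  echo "$days days" ;;
    esac
}

# Computer account name without the trailing "$", from text on stdin.
computer_name() {
    show_value "Computer Account" | sed 's/\$$//'
}

# Real output on macOS, the constructed sample elsewhere.
current_show() {
    if command -v dsconfigad >/dev/null 2>&1; then
        dsconfigad -show
    else
        printf '%s\n' "$SAMPLE_SHOW"
    fi
}

# Unbind, then bind again with the interval set to 0, reusing the existing
# computer account name. Returns non-zero if any step or the verification fails.
rebind_never_rotate() {
    name=$(current_show | computer_name)
    [ -n "$name" ] || { echo "not bound; nothing to rebind" >&2; return 1; }
    [ -n "$BIND_PASS" ] || { echo "BIND_PASS not set" >&2; return 1; }
    dsconfigad -remove -force -username "$BIND_USER" -password "$BIND_PASS" || return 1
    dsconfigad -add "$DOMAIN" -computer "$name" -ou "$OU" \
        -username "$BIND_USER" -password "$BIND_PASS" -force -passinterval 0 || return 1
    # Verify the setting stuck, and that AD lookups work rather than the bind
    # merely "showing" as connected.
    [ "$(dsconfigad -show | interval_status)" = "never" ] || return 1
    id "$BIND_USER" >/dev/null 2>&1
}

echo "machine password change interval: $(current_show | interval_status)"
if [ "$1" = "--rebind" ]; then
    rebind_never_rotate
fi
```

Run it as root on the Mac with `BIND_PASS` exported; without `--rebind` it only reports the current interval. The final `id` lookup is the part that catches the case from the original question, a Mac that reports as bound but cannot resolve or authenticate AD users.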

jbanks
New Contributor III

Honestly, we have just finished our 2nd year of using AD everywhere, and have been using a script to do all of the binding/unbinding....

As a relatively new MacSysAdmin, I'm up to trying anything I can to keep from having to unbind/bind all of the time...it gets very annoying and we don't have the issue on the PCs on campus.

Looking at NoMAD, is the software free and you just pay for support? My JAMF bill is going to more than double as we are looking to use it for all Macs on campus now and not just the labs like in the past. If it's something I can figure out how to use from the documentation (and begging for assistance on here!), I'm more than happy to try that out!

As an aside, I'm downloading NoMAD right now, and hopefully by the time JNUC comes around, I'll have my solution in place!

Thanks for the heads up!

Josh

mm2270
Legendary Contributor III

NoMAD is basically free if you choose to implement it yourself and not have active support. You don't have to buy the support. It's optional for large installs that might need help from the developers.
The good news is they have a good list of documented plist settings that you can play with to get things just the way you want them. Once you have fully tested it and know how it all works, all those settings can be placed into a custom payload Configuration Profile and deployed to Macs along with NoMAD.

There are a couple of things I wish I could customize about NoMAD that you can't currently do, but it's generally very configurable.