Help

Active Directory Distinguished Name Extension Attribute

cmudgeUWF
New Contributor III

Posted on ‎07-10-2019 07:15 AM

I had a script working to gather a machine's DN for building Smart Groups that was fine until Mojave dropped:

#!/bin/bash

compName=$(/usr/sbin/scutil --get ComputerName)

domain="DOMAIN"
offthegrid="Not on the Domain"
ou=$(dscl "/Active Directory/$domain/All Domains" read /Computers/${compName}$ distinguishedName | tail -1 | xargs) 

if [[ $ou = "Data source (/Active Directory/DOMAIN/All Domains) is not valid." ]];
    then
        echo "<result>$offthegrid</result>"
else
    echo "<result>$ou</result>"
fi

So far, I'm not sure what changed in Mojave with this attribute. Has anyone encountered this?

Labels:
0 Kudos
Reply
3 REPLIES 3

mm2270
Legendary Contributor III

Posted on ‎07-10-2019 07:37 AM

What happens if you run the script locally on a Mojave Mac joined to the domain? What result does it return, if any? I no longer have a system joined to AD on hand, so I can't test it myself.

0 Kudos
Reply

myronjoffe
Contributor III

Posted on ‎07-10-2019 09:26 AM

Have you tried using an extension attribute with LDAP attribute mapping: distinguishedName instead?

0 Kudos
Reply

ryan_ball
Valued Contributor

Posted on ‎07-10-2019 10:26 AM

I wrote this a while back and posted it here for somebody:

#!/bin/bash
# If full domain is contoso.com, you need to capture the CONTOSO only part, but you can get this from the Keychain
DomainName=$(/usr/bin/security dump-keychain -d /Library/Keychains/System.keychain | grep "/Active Directory" | tail -n 1 | sed -n -e 's/^.*Directory///p' | tr -d '"')
CompName=$(/usr/sbin/dsconfigad -show | awk '/Computer Account/{print $NF}')

dn=$(/usr/bin/dscl "/Active Directory/$DomainName/All Domains" read /Computers/"$CompName" dsAttrTypeNative:distinguishedName | cut -f2- -d ' ')
echo "<result>$dn</result>"
exit 0
0 Kudos
Reply