AD Application Password lost on Upgrade
Posted on 11-28-2018 10:52 AM - last edited on 03-04-2025 07:37 AM by kh-richa_mig
I have recently been testing High Sierra upgrades on some of our old OS X devices and have run into an issue that others have apparently seen in the past.
https://www.jamf.com/jamf-nation/discussions/14864/lost-connection-to-active-directory
Our systems are AD bound and if I check in the keychain prior to the upgrade, they are bound perfectly fine.
After the upgrade, the application password for our AD server disappears from the keychain and then I have to unbind / rebind the system to get it to log in again.
The question is - I have seen a couple people posting "Extension Attributes" with scripts to rebind - does anyone have a script that we could put on the Macs to automatically do this without having a Jamf environment? And I'll apologize in advance if it's taboo to ask on this forum how to do something without Jamf, but it's not something that we currently have as our fleet isn't overly large and we currently have another product for management.
Thank you in advance.

Posted on 11-28-2018 11:24 AM
Hi there. Most any of the scripts that you found on other threads can be easily modified to just return a Yes/No type result and then take action on that result. What you'll want to do then is package up the script and a LaunchDaemon that runs the script on some kind of schedule, so it will run it periodically on the Mac all by itself and take the necessary action, if needed. Be cautious though to make sure the script is first checking to make sure whatever domain you're trying to join to is available before trying to rejoin, since it will naturally fail if the domain isn't available at that time.
Once you have something working, use whatever management tool you have to push this package install to your Macs. Once the LaunchDaemon is active, it should do what it needs. I'm simplifying this a bit as you can imagine, but you'll get the idea.
One other caution I just thought of. Not sure what you're using for management, but hopefully it allows for a binding config of some sort that won't contain credentials in clear text. Otherwise if using something like dsconfigad in a script, it would need to have service account credentials that have binding privileges right in it. As you can imagine, that's a security risk, so I really wouldn't do that.
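The check-then-act pattern the reply describes, as an added example that is not from the thread or from Jamf: it reads `dsconfigad -show`, confirms a domain controller is reachable before doing anything, tests an AD lookup, and logs the state with a non-zero exit on a broken bind so the management tool (which holds the bind credentials) can rejoin. No credentials are embedded; `TEST_USER`, the log path and the `--check` flag are placeholders, and the LaunchDaemon plist that schedules it is not shown.

```bash
#!/bin/bash
# Constructed example: detect a lost or broken AD binding without rebinding.
# TEST_USER and LOG are placeholders (assumptions, not from the thread).
TEST_USER="${TEST_USER:-svc_bindcheck}"   # any known AD account
LOG="/var/log/ad-bind-check.log"

# Parse the domain out of `dsconfigad -show` text; prints nothing when unbound.
ad_domain_from_show() {
  printf '%s\n' "$1" | awk -F'=' '/^Active Directory Domain/ {
    gsub(/ /, "", $2); print $2 }'
}

# Classify the binding state from three inputs so the logic is testable offline:
#   $1 domain ("" = not bound), $2 domain reachable (0/1), $3 AD lookup ok (0/1)
classify_state() {
  if [ -z "$1" ]; then echo unbound
  elif [ "$2" -ne 1 ]; then echo unreachable   # don't act: no DC in sight
  elif [ "$3" -ne 1 ]; then echo broken        # bound, but the lookup fails
  else echo ok
  fi
}

# Live probes (macOS only). A DC counts as reachable when the domain's
# _ldap._tcp SRV record resolves; the lookup succeeds only if the bind works.
domain_reachable() { [ -n "$(dig +short SRV "_ldap._tcp.$1" 2>/dev/null)" ] && echo 1 || echo 0; }
ad_lookup_ok()     { dscl /Search read "/Users/$TEST_USER" >/dev/null 2>&1 && echo 1 || echo 0; }

check_binding() {
  domain="$(ad_domain_from_show "$(dsconfigad -show 2>/dev/null)")"
  reach=0; lookup=0
  if [ -n "$domain" ]; then reach="$(domain_reachable "$domain")"; fi
  if [ "$reach" -eq 1 ]; then lookup="$(ad_lookup_ok)"; fi
  state="$(classify_state "$domain" "$reach" "$lookup")"
  printf '%s %s domain=%s\n' "$(date -u +%FT%TZ)" "$state" "${domain:-none}" >> "$LOG"
  # Non-zero on unbound/broken so a LaunchDaemon-driven run leaves a clear signal
  # for the management tool to rejoin; "unreachable" is not treated as a fault.
  case "$state" in ok|unreachable) return 0 ;; *) return 1 ;; esac
}

# Only probe the live system when invoked with --check (e.g. from the LaunchDaemon).
if [ "${1:-}" = "--check" ]; then check_binding; fi
```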
