cr4sh0ver wrote:
We just want to make this work and keep it as long as possible since it will require us to make local users instead of authenticating with AD. Password consistency since most of our users manage Microsoft and Apple devices (500+) and multiple passwords and password management is not their forte.
The script implemented by the previous SysAdmin is the same one (no changes made) that "luke_reager" posted here: link
For reference here is all of it: (not sure if anything will get cut due to being the full script)
#!/bin/bash
clear
# FYI, the heredoc terminator END has to be the first thing on the line, no tabs or spaces before it.
# if not running from the jss, make this sudo=sudo, otherwise leave it sudo=
sudo=sudo
oldCompNames="ComputerName: $(scutil --get ComputerName)\\n"
oldCompNames=$oldCompNames"HostName: $(scutil --get HostName)\\n"
oldCompNames=$oldCompNames"LocalHostName: $(scutil --get LocalHostName)"
for (( ; ; )) #only using loop to exit early on invalid entries.
do
    #APPLESCRIPT TEXT
    dialogText="Enter the new Computer Name. \\nOld ones were... \\n$oldCompNames\\n"
    printf '%b' "$dialogText" # %b expands the \n escapes without using the text as a format string
    #APPLESCRIPT PROMPT
    # the closing parenthesis goes on its own line so that END terminates the heredoc
    newCompName=$(/usr/bin/osascript<<END
    tell application "System Events"
        activate
        set the answer to text returned of (display dialog "$dialogText" default answer "" buttons {"Continue"})
    end tell
END
)
    if [ ! "$newCompName" ]; then
        #APPLESCRIPT TEXT
        dialogText="!!! The new Computer Name is required. Try Again. !!!\\n"
        printf '%b' "$dialogText"
        #APPLESCRIPT PROMPT
        /usr/bin/osascript<<END
        tell application "System Events"
            activate
            display dialog "$dialogText" buttons {"Continue"}
        end tell
END
    else
        #do the work if passed all the error checks
        #APPLESCRIPT TEXT
        dialogText="Thank you. Click continue and wait while I perform the actions...\\n\\n"
        printf '%b' "$dialogText"
        #APPLESCRIPT PROMPT
        /usr/bin/osascript<<END
        tell application "System Events"
            activate
            display dialog "$dialogText" buttons {"Continue"}
        end tell
END
        #rename mac
        printf 'Setting mac name to %s...\n' "$newCompName"
        newCompName="$(echo "$newCompName" | tr '[:lower:]' '[:upper:]')" #making uppercase
        $sudo scutil --set ComputerName "$newCompName"
        $sudo scutil --set HostName "$newCompName"
        $sudo scutil --set LocalHostName "$newCompName"
        printf "\\n"
        #unbind/rebind AD
        printf "Unbinding/Rebinding mac to AD...\\n"
        $sudo jamf policy -id 143 # our policy that unbinds and rebinds to AD
        # THIS IS THE UNBIND PART OF POLICY 143. THE BIND IS DIRECTLY IN THE POLICY ###########
        # #sees if already on domain. prevents error if already off domain.
        # isDomain=$(/usr/sbin/dsconfigad -show | grep '= domain'| awk '{print $4}')
        # if [ "$isDomain" == "domain" ]; then
        # echo "On domain."
        # echo "Unbinding the computer from Active Directory..."
        # dsconfigad -remove -force -username "$username" -password "$password"
        # else
        # echo "Not on domain."
        # fi
        ###########################################################################################
        #updating jamf
        printf "Updating JAMF...\\n"
        $sudo jamf recon
        printf "\\n"
        break #get out of the loop
    fi
done
#APPLESCRIPT TEXT
dialogText="Finished. Goodbye.\\n"
printf '%b' "$dialogText"
#APPLESCRIPT PROMPT
/usr/bin/osascript<<END
tell application "System Events"
    activate
    display dialog "$dialogText" buttons {"Continue"}
end tell
END
@cr4sh0ver Have you looked at the policies in your Jamf Pro server to see if you can locate the "143" id policy it's trying to call? You can pull up an existing policy, and copy the full URL you see in the browser, paste that into a new tab and then change the ID shown toward the end of the address like I mentioned and hit Enter. It may load. Perhaps it's under a policy name that you aren't expecting.
If it doesn't load, then it was removed from your Jamf server by someone. In that case, you might have to recreate it. Your script has some information about what's happening in that policy in all those commented out lines, so it at least shows you some details of how to rebuild it if that's what you decide to do.
Also, just to mention, in terms of keeping Mac local accounts in sync with AD, I strongly encourage you to look at using the Apple SSO Kerberos plug-in. It can help your Mac users keep their local account and their AD account in password sync, and will alert them to when their password is coming up for expiration, as well as allowing them an easy way to change their AD password and Mac password in one operation directly from the Mac. If you use FileVault encryption it has the added bonus of updating the Mac's FV2 password so that doesn't get out of whack, which is ridiculously easy to do.
You really should check it out. It makes using local only accounts on the Mac in an AD environment significantly easier to deal with. We do this, though we still currently bind to AD, but for a different legacy purpose that I'm hoping we can move away from in the near future.
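For anyone rebuilding the unbind half of a policy like 143 from the commented-out lines in the script, here is an added example (not code from this thread or from Jamf) of the "is this Mac bound?" check. It assumes `dsconfigad -show` prints an `Active Directory Domain = ...` line when the Mac is bound and nothing when it is not; the function names and sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: detect AD binding from `dsconfigad -show` output
# instead of grepping for one hard-coded domain string.

# Constructed sample of `dsconfigad -show` output on a bound Mac (not real data).
SAMPLE_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-0042$'

# Read `dsconfigad -show` output on stdin and print the bound domain.
# Returns 1 and prints nothing when no "Active Directory Domain" line exists.
ad_domain_from_show() {
    awk -F' = ' '
        /^[ \t]*Active Directory Domain[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)   # trim padding around the value
            print $2; found = 1; exit
        }
        END { exit !found }
    '
}

# Hypothetical helper: print "bound:<domain>" or "unbound" for the output on stdin.
bound_state() {
    local domain
    if domain=$(ad_domain_from_show) && [ -n "$domain" ]; then
        echo "bound:$domain"
    else
        echo "unbound"
    fi
}

# On a Mac, check the live state; elsewhere, run against the constructed sample.
if command -v dsconfigad >/dev/null 2>&1; then
    dsconfigad -show | bound_state
else
    printf '%s\n' "$SAMPLE_BOUND" | bound_state
fi
```

Only call `dsconfigad -remove` when `bound_state` reports `bound:`, which avoids the error on Macs that are already off the domain.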