Jamf Nation Community

@rstansifer I've NEVER to create the Mac's Computer Object manually, it's always been done on AD bind.

This has been the case for atleast 8 years.

I've used either OSX's built in "Directory Utilty" or the JSS's Directory Bindings.

If you goto jss management then click on directory bindings. Here is where you set you domain bindings.
You then add that binding into your image

In order for the computer account to be created by JSS Directory Binding, you need to use a Network Admin Account that has the correct privileges to create computer account in the Computer OU you've defined.

I don't know the AD side of setting privileges, but I crafted the request to the AD admins and they made it work for a specific Network Admin Account that was setup for this process.

It may take some testing, but it should work.

Yeah this is a policy set in AD itself. When our company merged with the other their AD domain had its policy set to only allow binding to pre-existing computers while ours could create it in the defaults Computers OU.

At times we have contemplated actually enforcing the need to pre-create it so the computer object gets put in the correct OU (we have OUs specific to hundreds of offices and concert venues) because sometimes techs don't move the computer object out of Computers and to the appropriate location so it gets messy. Pre-creating makes sure they create it in the right location first.

@chriscollins Not sure how it is setup to do this, but our AD automatically moves computers around based on the machine name.
Obviously this requires a fairly rigidly enforced naming convention to be successful... Just saying it is possible to have it all automatically.
It did require scripting renaming the machines from a database of serial numbers and names.

Yeah we have thought about that before but the problem is that in one city we may have 3 offices, two venues, etc, and for various reasons those have to be split up in their own OUs so we have a TON globally so trying to condense that down into abbreviated names becomes a mess so we have to use letter codes for the major cities they are in or near. Still ends up requiring human intervention.

At the moment, we're still experimenting with JSS to see if it'll work for us. There's a lot up in the air and the amount of approvals we have to go through is staggering.

@bentoms How did you manage to do an Active Directory entry creation in Directory Utility?

Thankfully, our Mac naming scheme is very rigid, with a two letter department name, the Mac OS version and then a four digit number (i.e. FN-OSX10-8039).

It might be a bigger issue that I don't have direct access to the Active Directory configuration systems and that's not likely to change any time soon. So I need to do everything on the client side. (Although we have our own single OU dedicated to this particular team)

This might help!!!

http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf

The naming scheme is going to make it very hard, you are going to have add some scripting if you want zero touch.

C