EA to display LDAP "Computer ID"?

donmontalvo
Esteemed Contributor III

We need to find computers that may have been (improperly) renamed after they were joined to the domain.

Example...

  1. ComputerName host123 is joined to domain.
  2. John Doe decides he likes woohoo123 instead, so he renames the computer
  3. Domain administrators do a WTF?! since host123 is now woohoo123
  4. Mac techs scramble to identify said Macs to plan remediation to rename back to proper ComputerName

We can easily pull ComputerName, LocalHostName, and HostName.

How do we pull the Computer ID used when a Mac is joined to the domain?

TIA
Don

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Don, I think you may want to use dsconfigad.

dsconfigad -show
Active Directory Forest          = domainforest.company.com
Active Directory Domain          = domain.company.com
Computer Account                 = host123$

Look for "Computer Account", usually around the 3rd line down. I believe that would be the name of the computer as AD sees it, not how the OS sees its own name. It typically shows up with a $ at the end.

dsconfigad -show | awk '/Computer Account/{print $NF}'

That should just spit out the computer account name.

Edit: Also just wanted to say, you might want to also try preventing any renames of computer names in the first place. Lock down the Sharing prefpane for example, or use a Casper policy to rename Macs to what the JSS has stored for its name if locking down Sharing isn't an option and someone does rename their Mac. Just sayin'

donmontalvo
Esteemed Contributor III

@mm2270 Thanks, with a little bit of tinkering we got this to work:

#!/bin/sh

COMPUTER_ID=`dsconfigad -show | awk '/Computer Account/{print $NF}' | sed '$s/.$//'`
COMPUTER_NAME=`scutil --get ComputerName`

if [ "$COMPUTER_ID" != "$COMPUTER_NAME" ]
then
  echo "<result>MISMATCH</result>"
else
  echo "<result>MATCH</result>"
fi

However, this EA appears to be case sensitive...so HOST123 and host123 show as a mismatch. Gawd help me Edith!

I'm hoping I'm worrying too much...but does AD care if a Mac is joined to the domain as host123 but later someone changes the ComputerName to HOST123?

Don

--
https://donmontalvo.com

mm2270
Legendary Contributor III

Hey Don,

That's a good question. Truthfully I'm not sure if it cares about the case. Maybe someone else knows and can chime in. Though I think what the network and perhaps AD as well actually sees is a Mac's hostname, not really the Sharing Name.

scutil --get HostName
host123.domain.company.com

scutil --get HostName | cut -d. -f1
host123

I could definitely be wrong about that, and the hostname and Sharing name don't necessarily have to match (even though they should) so it may not get you where you want to be anyhow.

Just a couple of comments on your EA script. I see you're chopping off the last character in the string pulled from dsconfigad. That's cool, but, unless you're 100% certain that every Mac's Computer Account name ends in a $, it might be safer to use a sed command like this instead:

sed 's/\$$//'

That tells it to only remove an ending character if it's a '$', otherwise ignore it.
You can test the difference between the two by echoing a string through each:

:~ echo "host123" | sed 's/\$$//'
host123

:~ echo "host123" | sed 's/.$//'
host12

I don't know what your environment is like, but I've seen some cases where Computer Names in AD don't end in a '$' even though they should. So I think specifically telling it to delete the last '$' character is a little safer. Just my 2¢.

Regarding the case insensitive issue, if you want to turn on case insensitive matching, you can temporarily change your shell options with shopt, like this:

#!/bin/bash
# shopt and [[ ]] are bash features, so run this under bash rather than sh

# Computer Account as AD sees it, with a trailing '$' removed only if present
COMPUTER_ID=`dsconfigad -show | awk '/Computer Account/{print $NF}' | sed 's/\$$//'`
COMPUTER_NAME=`scutil --get ComputerName`

# set the no case match shell option (applies to [[ ]] and case, not to [ ])
shopt -s nocasematch

if [[ "$COMPUTER_ID" != "$COMPUTER_NAME" ]]
then
  echo "<result>MISMATCH</result>"
else
  echo "<result>MATCH</result>"
fi

# unset the no case match shell option
shopt -u nocasematch

Note that you seem to have to use double brackets when evaluating the strings in this way. It didn't work with single brackets in my tests.

Hope that helps.
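The two points raised in this thread (strip a trailing '$' only when it is there, and compare the AD computer account to ComputerName without caring about case) can be combined into one EA that also works under plain /bin/sh, where shopt and [[ ]] are not available. The script below is an added example, not code from either poster; it lowercases both names with tr instead of relying on nocasematch, reports NOT BOUND when no "Computer Account" line is present, and keeps the parsing in functions that take the command output as an argument so it can be checked against a constructed sample of the dsconfigad -show lines quoted above. The SAMPLE_OUTPUT text and the "NOT BOUND" result string are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original poster's EA). Assumes `dsconfigad -show`
# prints a line like "Computer Account                 = host123$".

# Remove one trailing '$' only if it is present; leave other names untouched.
strip_dollar() {
  printf '%s\n' "$1" | sed 's/\$$//'
}

# Pull the Computer Account value out of captured `dsconfigad -show` output.
# Prints nothing when the line is absent, which is what an unbound Mac gives.
account_from_dsconfigad() {
  printf '%s\n' "$1" | awk '/Computer Account/{print $NF}'
}

# Case-insensitive comparison that works in any POSIX shell: lowercase both
# sides with tr, then compare. An empty first argument never matches.
names_match() {
  a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build the EA result from dsconfigad output ($1) and the ComputerName ($2).
ea_result() {
  account=$(account_from_dsconfigad "$1")
  if [ -z "$account" ]; then
    echo "<result>NOT BOUND</result>"   # assumed label for the unbound case
    return
  fi
  if names_match "$(strip_dollar "$account")" "$2"; then
    echo "<result>MATCH</result>"
  else
    echo "<result>MISMATCH</result>"
  fi
}

# Constructed sample resembling the dsconfigad -show lines quoted in the thread.
SAMPLE_OUTPUT='Active Directory Forest          = domainforest.company.com
Active Directory Domain          = domain.company.com
Computer Account                 = host123$'

# On a Mac, run against the live commands; elsewhere, run against the sample.
if command -v dsconfigad >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
  ea_result "$(dsconfigad -show 2>/dev/null)" "$(scutil --get ComputerName)"
else
  ea_result "$SAMPLE_OUTPUT" "HOST123"
fi
```

With the sample input, ea_result reports MATCH for "HOST123" (case ignored), MISMATCH for "woohoo123", and NOT BOUND when the dsconfigad output is empty, so the EA distinguishes a renamed Mac from one that was never joined instead of lumping both under MISMATCH.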