- Jamf Nation Community
- Products
- Jamf Pro
- EA to display LDAP "Computer ID"?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
EA to display LDAP "Computer ID"?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-05-2013 04:34 PM
We need to find computers that may have been (improperly) renamed after they were joined to the domain.
Example...
- ComputerName host123 is joined to domain.
- John Doe decides he likes woohoo123 instead, so he renames the computer
- Domain administrators do a WTF?! since host123 is now woohoo123
- Mac techs scramble to identify said Macs to plan remediation to rename back to proper ComputerName
We can easily pull ComputerName, LocalHostName, and HostName.
How do we pull the Computer ID used when a Mac is joined to the domain?
TIA
Don
--
https://donmontalvo.com
https://donmontalvo.com
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-05-2013 09:04 PM
Don, I think you may want to use dsconfigad.
dsconfigad -showActive Directory Forest = domainforest.company.com
Active Directory Domain = domain.company.com
Computer Account = host123$Look for "Computer Account", usually around the 3rd line down. I believe that would be the name of the computer as AD sees it, not how the OS sees its own name. It typically shows up with a $ at the end.
dsconfigad -show | awk '/Computer Account/{print $NF}'That should just spit out the computer account name.
Edit: Also just wanted to say, you might want to also try preventing any renames of computer names in the first place. Lock down the Sharing prefpane for example, or use a Casper policy to rename Macs to what the JSS has stored for its name if locking down Sharing isn't an option and someone does rename their Mac. Just sayin'
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-06-2013 05:37 PM
@mm2270 Thanks, with a little bit of tinkering we got this to work:
#!/bin/sh
COMPUTER_ID=`dsconfigad -show | awk '/Computer Account/{print $NF}' | sed '$s/.$//'`
COMPUTER_NAME=`scutil --get ComputerName`
if [ "$COMPUTER_ID" != "$COMPUTER_NAME" ]
then
echo "<result>MISMATCH</result>"
else
echo "<result>MATCH</result>"
fiHowever, if there this EA appears to be case sensitive...so HOST123 and host123 shows as mismatch. Gawd help me Edith!
I'm hoping I'm worrying too much...but does AD care if a Mac is joined to the domain as host123 but later someone changes the ComputerName to HOST123?
Don
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-06-2013 09:35 PM
Hey Don,
That's a good question. Truthfully I'm not sure if it cares about the case. Maybe someone else knows and can chime in. Though I think what the network and perhaps AD as well actually sees is a Mac's hostname, not really the Sharing Name.
scutil --get HostName
host123.domain.company.com
scutil --get HostName | cut -d. -f1
host123I could definitely be wrong about that, and the hostname and Sharing name don't necessarily have to match (even though they should) so it may not get you where you want to be anyhow.
Just a couple of comments on your EA script. I see you're chopping off the last character in the string pulled from dsconfigad. That's cool, but, unless you're 100% certain that every Mac's Computer Account name ends in a $, it might be safer to use a sed command like this instead:
sed ''s/$$//'That tells it only remove an ending character if its a '$', otherwise ignore it.
You can test the difference between the two by echoing a string through each:
:~ echo "host123" | sed ''s/$$//'
host123
:~ echo "host123" | sed 's/.$//'
host12I don't know what you're environment is like, but I've seen some cases where Computer Names in AD don't end in a '$' even though they should. So I think specifically telling it to delete the last '$' character is a little safer. Just my 2¢.
Regarding the case insensitive issue, If you want to turn on case insensitive matching, you can temporarily change your shell options with shopt, like this:
#!/bin/sh
COMPUTER_ID=`dsconfigad -show | awk '/Computer Account/{print $NF}' | sed 's/$$//'`
COMPUTER_NAME=`scutil --get ComputerName`
# set the no case match shell option
shopt -s nocasematch
if [[ "$COMPUTER_ID" != "$COMPUTER_NAME" ]]
then
echo "<result>MISMATCH</result>"
else
echo "<result>MATCH</result>"
fi
# unset the no case match shell option
shopt -u nocasematchNote that you seem to have to use double brackets when evaluating the strings in this way. It didn't work with single brackets in my tests.
Hope that helps.
