Hi @osxadmin, I've run into the exact kind of issue that you are describing and this is what I did.
I created 2 extension attributes to check the AD status of a machine.
The first one checks if the machine is bound to AD but doesn't query AD for verification.
#!/bin/sh
# Bound check only: reads the local dsconfigad configuration, no AD lookup.
ADDomainCheck=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
if [ "$ADDomainCheck" = "" ]; then
result="Not Bound to Active Directory"
else
result=$ADDomainCheck
fi
echo "<result>$result</result>"
The second one checks if the machine is connected to AD by reading its own AD object.
#!/bin/bash
# Connectivity check: the Mac must be able to read its own computer object from AD.
dscacheutil -flushcache
sleep 5
# The dscl node paths contain spaces, so they must be quoted.
ShortDomainName=$(dscl "/Active Directory/" -read . | grep SubNodes | sed 's|SubNodes: ||g')
# "Computer Account = hostname$" -> hostname$
computer=$(dsconfigad -show | grep "Computer Account" | awk '{ print $4 }')
dscl "/Active Directory/$ShortDomainName/All Domains" -read "/Computers/$computer" RecordName &>/dev/null
if [ $? -ne 0 ] ; then
echo "<result>No connection to the domain</result>"
exit 1
else
echo "<result>Connected to $ShortDomainName</result>"
fi
exit 0
If a Mac still believes it is connected but isn't communicating with AD, then the first extension attribute will return the domain name and the second will say "No connection to the domain".
Using these two extension attributes I can tell if a Mac is truly connected and communicating with AD.
If a machine has lost that trust then I have a policy that I run on it to rebind. The policy is in 4 parts.
First, a simple time sync with Apple's server.
#!/bin/bash
# Sync the clock first; Kerberos rejects tickets when the clock skew is too large.
ntpdate -u time.apple.com
Second, I force the machine to drop the binding. Just as an FYI, the user account and password don't matter in this script.
#!/bin/bash
# -force drops the local binding without contacting the domain, so the
# credentials given here are never used.
dsconfigad -force -remove -u johndoe -p nopasswordhere
exit 0
Third, I run a Directory Binding policy.
Lastly, I update my inventory.
Also, I didn't come up with the code for any of this and I cannot remember where I got it from, but all credit to their creators.
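The two checks above can be folded into a single "trust state" that separates a Mac that is merely bound from one that can actually read its own computer object; this is an added example, not code from the post, and the sample dsconfigad output, the state names and the function names are my own constructions.

```shell
#!/bin/bash
# Added example: combine the "bound" and "connected" checks into one state.
# The dsconfigad text is passed in as a string so the logic can run off-box.

# Constructed sample of `dsconfigad -show` output for a bound Mac.
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
Active Directory Forest          = example.corp
Active Directory Domain          = ad.example.corp
Computer Account                 = mac-lab-01$'

# Domain name from dsconfigad -show text; empty string when not bound.
ad_domain() { printf '%s\n' "$1" | awk '/Active Directory Domain/{print $NF}'; }

# Computer account (e.g. mac-lab-01$) from dsconfigad -show text.
ad_computer_account() { printf '%s\n' "$1" | awk '/Computer Account/{print $NF}'; }

# Classify trust from the bound domain and the exit code of the dscl read of
# the machine's own computer object (0 = readable).
#   not-bound  : no domain in the dsconfigad output
#   lost-trust : bound, but AD cannot hand back the computer object
#   connected  : bound and the computer object is readable
ad_trust_state() {
  domain="$1"; dscl_rc="$2"
  if [ -z "$domain" ]; then echo "not-bound"
  elif [ "$dscl_rc" -ne 0 ]; then echo "lost-trust"
  else echo "connected"; fi
}

# Live check on a Mac: same commands as the extension attributes, with the
# space-containing dscl paths quoted.
live_ad_trust_state() {
  show=$(dsconfigad -show 2>/dev/null)
  domain=$(ad_domain "$show")
  [ -z "$domain" ] && { echo "not-bound"; return; }
  short=$(dscl "/Active Directory/" -read . | grep SubNodes | sed 's|SubNodes: ||g')
  computer=$(ad_computer_account "$show")
  dscl "/Active Directory/$short/All Domains" -read "/Computers/$computer" RecordName >/dev/null 2>&1
  ad_trust_state "$domain" "$?"
}

# Run the live check only when asked, so the file also loads on a non-Mac for testing.
if [ "${1:-}" = "--live" ]; then
  echo "<result>$(live_ad_trust_state)</result>"
fi
```

Run with `--live` on the Mac to get one extension-attribute style result; a value of `lost-trust` is the case the post describes, where the first attribute still reports a domain but the second reports no connection.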