OT - verify a record in active directory without being bound to active directory

acdesigntech
Contributor II

Hey all,

I'm trying to verify if a Mac to be reimaged is already in Active Directory. We autogenerate a new name for the Mac each time it is reimaged, and I don't want it binding to the AD with an old name, so I wanted to check the name against AD before imaging using dscl.

ComputerName=$(diskutil list | grep disk0 | grep "2:" | awk '{print $3}')
## Find if the computer is already in Active Directory. If it is, exit. We need to remove it from AD
## (the node path contains spaces, so it and the record path must be quoted; AD computer accounts end in "$")
IsInAD=$(dscl "/Active Directory/All Domains" -read "/Computers/$ComputerName$" | grep UniqueID)

It works great from a Mac that is bound to the same directory. I was wondering if there is a way to do this from a Mac that IS NOT bound to the same directory (or any directory, actually). Does anyone have any experience with this?

Andrew

1 ACCEPTED SOLUTION

pickerin
Contributor II

You'd have to allow anonymous queries of your AD, which you probably don't want to do.

Alternatively, you could set up a specific account that has LDAP query rights to your AD, then use that account to perform the query from your OS X system.

Check out ldapsearch with a query something like:

ldapsearch -x -H ldap://your.forest.dom -D "ldapqueryuser@your.forest.dom" -w password -b "cn=computers,dc=your,dc=forest,dc=dom" "(dNSHostName=someclient.forest.dom)"
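Putting the answer together as a pre-imaging check, as an added example that is not code from the thread: it binds with a dedicated read-only query account (password read from a file rather than passed with -w), looks the computer up by its sAMAccountName exactly as the dscl line does, and escapes the name before it goes into the LDAP filter. Host, bind DN, base DN, the password file path and the AD_CHECK_NAME variable are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check from an unbound Mac whether a
# computer account already exists in AD, via a dedicated read-only query account.
# Host, bind DN, base DN and password file are assumed placeholders.
AD_HOST="${AD_HOST:-your.forest.dom}"
AD_BIND="${AD_BIND:-ldapqueryuser@your.forest.dom}"
AD_BASE="${AD_BASE:-cn=computers,dc=your,dc=forest,dc=dom}"
AD_PASS_FILE="${AD_PASS_FILE:-/etc/ad-query.pass}"   # mode 0600; keeps the password off the command line

# Escape a value for use inside an LDAP filter (RFC 4515), so a volume name
# containing ( ) * or \ cannot change the query. Backslash must be handled first.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Query AD for the computer object and print the matching entries as LDIF
# ("1.1" asks for no attributes, so only dn lines come back). Uses ldap://;
# switch to ldaps:// where the DCs present a certificate the Mac trusts.
ad_query() {
    ldapsearch -LLL -x -H "ldap://$AD_HOST" -D "$AD_BIND" -y "$AD_PASS_FILE" \
        -b "$AD_BASE" "(&(objectClass=computer)(sAMAccountName=$1\$))" 1.1
}

# Offline-testable decision: does the LDIF text contain at least one entry?
# Referrals that AD appends as "# refldap://..." comment lines do not count.
ldif_has_entry() {
    printf '%s\n' "$1" | grep -q '^dn:'
}

# Returns 0 if a computer account named "$1$" exists in AD, 1 otherwise.
computer_in_ad() {
    ldif_has_entry "$(ad_query "$(ldap_escape "$1")")"
}

# Pre-imaging check, run only when AD_CHECK_NAME is set (placeholder for this
# example; the original post derives the name from diskutil instead).
if [ -n "${AD_CHECK_NAME:-}" ]; then
    if computer_in_ad "$AD_CHECK_NAME"; then
        echo "$AD_CHECK_NAME is already in AD; remove it before imaging" >&2
        exit 1
    fi
    echo "$AD_CHECK_NAME not found in AD, safe to image"
fi
```

Because the bind is a plain simple bind, the query account only needs read access to the Computers container and nothing else.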


2 REPLIES


acdesigntech
Contributor II

Thanks Rob! This is working perfectly now!