Posted on 11-13-2017 10:05 AM
Hi everyone!
We'd like to start joining our Macs to AD during the initial Recon process. First time setup. Do away with the manual process using Directory Utility. I was wondering what the best way to do this is? I've read so many posts on this, I'm not sure what the best practice for this should be for setup without breaking something in the JSS. All we'd like to do is Recon the Mac (on its first time, first seen basis) and have it also joined to AD all in one shot. Possible?
Posted on 11-13-2017 11:03 AM
Could have a policy, set to run on the Enrollment trigger, scoped to a smart group of computers not bound to AD (probably need an Extension Attribute for that) that would run a bind for you...
Posted on 11-13-2017 11:25 AM
Thanks @RobertHammen! Yeah, I saw/was thinking about that one too. Enrollment is the first time, yes? Separate from Check In and Update? So the existing machines that are already in the JSS and already have an AD bind will not be affected? Sorry if I'm not being clear.
Posted on 11-13-2017 11:27 AM
It won't happen during a Recon, which is just an event that gathers inventory information. It would happen as part of a policy that happens during an Enrollment action to achieve what you want. That policy could simply include an AD bind action or run a script that performs the bind if you have other logic you want to include.
If you want to catch them all, you will create a smart group of systems not bound to AD and then scope the policy to that group. You could have multiple angles on this.
Posted on 11-13-2017 11:27 AM
Yes, enrollment is the first time and this wouldn't touch existing Macs.
Again, I'd consider an Extension Attribute/Smart Group for AD binding status. That way, you could push out a bind via policy if you needed to...
Posted on 11-13-2017 11:34 AM
Quick and Dirty Extension Attribute to return the result of which domain the Mac is bound to...
#!/bin/bash
# Report the Active Directory domain this Mac is bound to (empty if not bound)
ADdomain=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
echo "<result>$ADdomain</result>"
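A variant of the extension attribute above, as an added example that is not part of the original post: it reports a fixed value when the Mac is not bound, so a smart group has a literal string to match instead of an empty result. The "Not Bound" string, the function names and the sample `dsconfigad -show` output are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: extension attribute that reports AD bind state explicitly.

# Read `dsconfigad -show` output on stdin and print the bound domain,
# or the assumed placeholder "Not Bound" when no domain line is present.
parse_ad_domain() {
    awk -F' = ' '
        /Active Directory Domain/ {
            domain = $2
            gsub(/^[ \t]+|[ \t]+$/, "", domain)   # trim stray whitespace
        }
        END { print (domain != "" ? domain : "Not Bound") }
    '
}

# Constructed sample of `dsconfigad -show` output, for offline checks only.
sample_bound_output() {
    cat <<'EOF'
Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-0001$
EOF
}

# On a Mac, query the real binding. Where dsconfigad is unavailable,
# feed empty input so the script still returns a well-formed result.
if command -v dsconfigad >/dev/null 2>&1; then
    result=$(dsconfigad -show 2>/dev/null | parse_ad_domain)
else
    result=$(printf '' | parse_ad_domain)
fi

echo "<result>$result</result>"
```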
Posted on 11-13-2017 11:47 AM
Thanks @alexjdale! I think I understand what/where you're going with this. @RobertHammen How would I set this up as a Smart Group then? Operator and Value?
Posted on 06-26-2019 05:47 AM
I am able to join AD through policy, but the challenge is how to configure a site-wise "COMPUTER OU" if we have multiple sites.