+12Hi all
I'd like to find a way to unbind a machine from Active Directory and have the computer object removed, i know that i can use dsconfigad -force -remove -u username -p password but i don't want to store the password in the script or a policy's parameter.
Is there any way to use the JSS Directory Bindings that we use to bind a machine to also unbind the machine and remove the computer object ? or is anyone using a different approach to automatically remove machines from AD ?
Best answer by stevewood
@May have a look at the Encrypted Strings script that @brysontyrrell worked on:
+5The Encrypted Strings script look nice. I like it.
I've been storing a less-well encrypted copy of an admin password locally in a file readable only by root, placing that file on all managed machines, and reading/decrypting the password from that file with a call from any script I use that needs it. So no JSS counterpart, but the credentials are stored locally and are somewhat protected.
+12Thanks @stevewood
that's a step in the right direction, although as stated here
the password could be retrieved by someone who has access to the JSS and Script, i'm pretty sure our security team wouldn't go for it.
I do like @stutz suggestion to hide the password in the script parameter, that would be a useful feature.
+7You can force remove the bind without using valid credentials.
https://derflounder.wordpress.com/2013/10/09/force-unbinding-with-dsconfigad-without-using-an-active-directory-admin-account/
+18We spent quite a bit of time working out how to protect sensitive information like usernames and passwords in scripts. If the file has to stay on the client device, it's not really possible. They either have the password, or a hashed version of the password (which isn't really changing anything).
Using Casper, you can put the script in the JSS and restrict what JSS user accounts can see it. Thats about as good as we've got it.
The other alternative is to not delete the computer object but just do a force unbind, which will stop the computer object in AD from being updated every 14 days, and have AD delete any records that haven't been updated for X amount of time.
+7A simular process would be to do the force unbind but get the process to report back the computer name to a text file (or add a flag) somewhere on the network. If the users cant add to this file you can run a server side script to delete the computer accounts. If the users can write to it then maybe delete them only if they have not logged on for a certain length of time.
Regards
Graeme
+12If you don't like the idea of a file share, you could:
In unbind script, add a flag to a plist
EA to read plist
Allow read access to the database from your AD server
Granting Read-Only Access to the JAMF Software Server MySQL Database
AD server reads the database and (as @Graeme suggested) runs the remove script to tidy up based upon the EA.
If you use this, you may also want to add a timer/counter to self remove the flag to prevent constant reporting.
+12Looks like it comes down to either storing the password on the JSS and restricting the access to view it or to not save the password and force unbind the machine which will leave the computer object in AD, and then manually/automatically tidying that up, i like the idea logging the computer name to a file so the tidy up can be simpler.
thanks all for your advice!
time to do some testing..
+12I just put in a Feature Request for a policy to unbind a machine from Active Directory using the credentials stored with the Directory Bindings.
+12@jonnydford : The trick with passing wrong credentials only worked for certain versions of OS X, I don't recall which ones.
+7@mschroder I just tested the command now, can confirm it works in 10.11.6
dsconfigad -force -remove -u johndoe -p nopasswordhereEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.
