Renaming a Mac already bound to AD?

jhuls
Contributor III

Is it possible to rename a Mac while it's already bound to AD?

We have a particular naming scheme we follow and have been told it needs to change. All of our Macs are in AD so it would be nice if we could rename them without the steps to unbind, rename, and then rebind.

17 REPLIES

perrycj
Contributor III

Do you mean just make sure it has the proper hostname, computer name, etc.? You can use scutil for that. Here is an example of how we add a prefix, or make sure a Mac has the proper prefix based on location:

#!/bin/sh

prefix="NYC"
serial=`system_profiler SPHardwareDataType | awk '/Serial Number/ { print $4 }'`

scutil --set ComputerName "${prefix}${serial}"
scutil --set HostName "${prefix}${serial}"
scutil --set LocalHostName "${prefix}${serial}"

jamf recon

That usually does the trick for us and has worked well. Hopefully it helps you out.

jhuls
Contributor III

Thanks and sorry, I should have explained better...

I've actually seen those very lines here on jamfnation. What I wasn't clear on was whether it was safe to rename a Mac while it's bound to AD and whether the name being changed while being bound would be reflected in AD.

I was planning to test this myself but I thought I would throw the question out there to see if anyone might have tried this and run into any problems already.

pblake
Contributor III

The process above by @perrycj will just rename it on the macOS level. To change it in AD and macOS, the following script will work.

This script is used to change the computer name, hostname, computer name in the JSS, and in Active Directory. You do need Cocoa Dialog installed in the path below.

#!/bin/bash

# Enter in Computer Name to Rename With
ComputerName=$(/Applications/Utilities/CocoaDialog.app/Contents/MacOS/CocoaDialog inputbox --title "Rename Computer" --informative-text "Enter Computer Name" --button1 "Rename" --button2 "Cancel")
# CocoaDialog returns the button number followed by the typed text; strip only the leading "1 " (Rename)
result=$(echo $ComputerName | sed -e 's/^1 //')

# Button 2 is Cancel; quote both sides so an empty or multi-word value does not break the test
if [ "$result" == "2" ]
then
    exit 0
else
    # Change computer name, local hostname, and hostname with user provided input.
    /usr/sbin/scutil --set ComputerName "$result"
    /usr/sbin/scutil --set HostName "$result"
    /usr/sbin/scutil --set LocalHostName "$result"

    # Run an inventory update to reflect name change in the JSS.
    /usr/local/jamf/bin/jamf recon

    # Force unbind to Active Directory
    /usr/sbin/dsconfigad -force -remove -u noaccountneeded -p nopasswordneeded

    # Rebind to Active Directory assuming you have a directory binding in your JSS
    /usr/local/jamf/bin/jamf policy -event rebind
fi

exit 0

perrycj
Contributor III

@jhuls Oh ok gotcha. Yea I thought you just meant changing the computer name on the Macs themselves.

In order for the object name to reflect the change, then yes you would have to unbind and rebind. Otherwise, AD thinks the current binding object name is still valid and will keep it in the AD back end.

donmontalvo
Esteemed Contributor III

We had an issue where a lot of Macs were bound to AD with a name that didn't match the ComputerName. We were looking at correcting the issue, but after we pulled a report and saw how many computers were affected, we backed out.

We still get asked to produce reports, so we created an EA to flag Match or Mismatch. I guess at some point this might be brought back to the front burner.

In case this is helpful...

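#!/bin/sh
# Local computer name as reported by scutil
COMPUTERNAME="`scutil --get ComputerName`"
# AD computer account from the current binding, without the trailing "$"
ADNAME="`dsconfigad -show | grep "Computer Account" | awk '{print $4}' | cut -d '$' -f 1`"
# Quote both sides so a name containing spaces (or an empty value) does not break the test
if [ "$COMPUTERNAME" = "$ADNAME" ]; then
    echo "<result>Match</result>"
else
    echo "<result>Mismatch</result>"
fi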

PS, forgot if we stole pieces of this from @mm2270 , or @stevewood, or someone else...LOL

HTH
Don

--
https://donmontalvo.com

franton
Valued Contributor III

The safest process is to unbind, rename the computer then rebind. That keeps everything nice and consistent. The AD object name does not update when the computer name changes.

jjones
Contributor II

Keep in mind one tidbit of removing from AD with a bogus user/pass. It does not properly remove the computer from the AD list, possibly giving you two of the same machine, with each name before and after change.

donmontalvo
Esteemed Contributor III

@franton wrote:

The safest process is to unbind, rename the computer then rebind. That keeps everything nice and consistent. The AD object name does not update when the computer name changes.

I agree, and in large environments where waterfall reports are used to reconcile things, having AD and JSS report different Computer Names for the same computer is not good.

@jjones wrote:

Keep in mind one tidbit of removing from AD with a bogus user/pass. It does not properly remove the computer from the AD list, possibly giving you two of the same machine, with each name before and after change.

We got scolded for forcing a computer to unbind from AD, since we tried to do the right thing and called in to get the object removed from AD. Since we haven't been able to "rejoin existing object" using JSS.

Don

--
https://donmontalvo.com

jhuls
Contributor III

Thanks everybody...it's a bit disappointing to need to remove it from AD before renaming and then rebinding since, if memory serves correctly, I could rename a Windows system already joined to the domain. I guess that's what scripting is for, but when we're dealing with systems in different OUs it adds to the overhead of doing what should seem like a simple job. The life of a Mac admin...sigh.

franton
Valued Contributor III

Taken me long enough but finally found what I wrote to do all this!

#!/bin/bash

CD="/private/tmp/CocoaDialog.app/Contents/MacOS/CocoaDialog"

# Dialog to enter the computer name and the create $COMPUTERNAME variable
rv=($($CD standard-inputbox --title "Computer Name" --no-newline --informative-text "Enter the new name of the computer."))
COMPUTERNAME=${rv[1]}

# Dialog to show a please wait box while we work ...
rm -f /private/tmp/hpipe
mkfifo /private/tmp/hpipe

$CD progressbar --indeterminate --title "Renaming Computer" --width 250 --height 80 < /tmp/hpipe &

exec 3<> /tmp/hpipe
echo -n . >&3

# Unbind from AD here
dsconfigad -force -remove -username *replace* -password *replace*

# Set Hostname using variable created above
scutil --set HostName "$COMPUTERNAME"
scutil --set LocalHostName "$COMPUTERNAME"
scutil --set ComputerName "$COMPUTERNAME"

# Rebind to AD here
jamf bind -type ad \
     -domain ?.? \
     -username *replace* \
     -password *replace* \
     -ou "OU=Mac,OU=?,OU=?,OU=?,DC=*replace*,DC=*replace*" \
     -cache \
     -localHomes \
     -useUNCPath \
     -mountStyle SMB \
     -defaultShell /bin/bash \
     -adminGroups "domain admins,enterprise admins,domaingroup"

# All done, clean up after ourselves.

exec 3>&-
wait
rm -f /private/tmp/hpipe

# Dialog to confirm that the hostname was changed and what it was changed to.
tb=`$CD ok-msgbox --text "Computer Name Changed!" \
--informative-text "The computer name has been changed to $COMPUTERNAME" \
--no-newline --float`
if [ "$tb" == "1" ]; then
    echo "Computer name changed"
elif [ "$tb" == "2" ]; then
    echo "Canceling"
fi

# All done!

exit 0

Please note that you have to program in the OU details directly into the script. You will want to modify this to suit your own AD environment.
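The rename scripts in this thread pass whatever the user types straight to scutil and the AD bind. The following is an added example, not code from any poster here, of checking that input first. The function name `check_computer_name` is hypothetical, and the rules (at most 15 characters, letters, digits and hyphens only) are assumptions chosen to fit the NetBIOS-style AD computer account and the local hostname.

```shell
#!/bin/sh
# Added example: validate a user-typed computer name before it reaches
# scutil or the AD bind. Rules are assumptions (see lead-in), not Jamf's own.

# Prints "ok" and returns 0 for an acceptable name; otherwise prints the
# reason and returns 1.
check_computer_name() {
    name=$1
    if [ -z "$name" ]; then
        echo "empty"
        return 1
    fi
    if [ "${#name}" -gt 15 ]; then
        echo "too long"
        return 1
    fi
    case $name in
        *[!A-Za-z0-9-]*)            # spaces, quotes, shell metacharacters, newlines
            echo "invalid character"
            return 1 ;;
        -*|*-)
            echo "leading or trailing hyphen"
            return 1 ;;
    esac
    echo "ok"
}

# Usage inside a rename script, before the unbind step:
#   reason=$(check_computer_name "$COMPUTERNAME") || { echo "Rejected: $reason" >&2; exit 1; }
```

Running the check before the unbind means a rejected name leaves the existing binding untouched.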

betty02
New Contributor II

It's rare for us here to have the wrong name, mainly if we do a HDD swap or something along those lines, so we just run the following commands through terminal -

sudo scutil --set ComputerName "newname"
sudo scutil --set LocalHostName "newname"
sudo scutil --set HostName "newname"

kevin_v
Contributor

@franton Since CocoaDialog is deprecated, is there another way now?

bcbackes
Contributor III

Have any of you run into 802.1x issues or issues with machine certs on the devices you have renamed? I found a couple of test devices I renamed (before I found this post) still had a computer cert in the Keychain that had the old computer name. I ran into some issues with the machine authenticating to 802.1x with that cert.

Just wondering if anyone else ran into that issue or not. Thanks!

mwhite33
New Contributor

@kevin.v I ended up switching from CocoaDialog to Pashua since a 64-bit version of CocoaDialog to support macOS Catalina has not been released.

https://www.bluem.net/en/projects/pashua/

Not perfect and does not support progress bars but great for receiving input from end user with text field, drop down, radio button, etc. as well as displaying information.

mwhite33
New Contributor

@bcbackes I have found you would have to get the certificate re-issued since the request was made with the previous name. The certificate will not be removed, but a new one needs to be requested/installed. The configuration profile that installed the AD certificate would need to be removed to delete the old cert, or you can manually delete it from the keychain.

bcbackes
Contributor III

@donmontalvo I'm using the EA you posted above to find mismatched computer names. However, I found some devices are showing Mismatch even though they are spelled exactly the same. It appears it's case sensitive. The computer is all uppercase and AD has them as lowercase. Is there a way to modify the EA so it's not reporting back based on case sensitivity?

Thanks!

rblair
New Contributor

@bcbackes You can convert your computer name to lowercase when you pull it:

COMPUTERNAME="`scutil --get ComputerName | awk '{print tolower($0)}'`"
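An added example, not from any poster in this thread, that combines the Match/Mismatch EA above with the case-insensitivity request: it lowercases both names, tolerates spaces in the computer name, and reports a third state when there is no AD binding. The function names and the "Not Bound" result are assumptions, as is `dsconfigad -show` printing no "Computer Account" line on an unbound Mac.

```shell
#!/bin/sh
# Added example: case-insensitive, whitespace-safe Match/Mismatch EA.

# Read `dsconfigad -show` output on stdin and print the computer account
# without its trailing "$". Prints nothing if no account line is present.
ad_account_from_show() {
    awk -F' = ' '/Computer Account/ {
        gsub(/[ \t\r]+$/, "", $2)   # trim trailing whitespace
        sub(/\$$/, "", $2)          # drop the trailing "$" of the account name
        print $2
        exit
    }'
}

# Lowercase a string so the comparison ignores case.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# compare_names LOCAL_NAME AD_ACCOUNT -> prints the EA <result> line.
compare_names() {
    if [ -z "$2" ]; then
        echo "<result>Not Bound</result>"      # assumed extra state
    elif [ "$(lower "$1")" = "$(lower "$2")" ]; then
        echo "<result>Match</result>"
    else
        echo "<result>Mismatch</result>"
    fi
}

# On a Mac, report on the live binding; elsewhere the functions above can
# be exercised with sample text.
if command -v dsconfigad >/dev/null 2>&1; then
    compare_names "$(scutil --get ComputerName)" \
                  "$(dsconfigad -show | ad_account_from_show)"
fi
```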