Posted on 02-28-2017 09:48 AM
At work I have a script to bind machines during enrollment.
Is there a way to check whether a machine is already bound to AD, so that the bind script is skipped and enrollment continues?
Thank you.
Posted on 02-28-2017 10:20 AM
Maybe something like this? @mm2270 had posted this here
You'd just have to modify it to fit your needs.
#!/bin/bash
# "bind" below stands in for whatever command or function performs the AD bind at your site
# (for example a dsconfigad -add ... call); it must be defined before this block runs.
# Replace dc.domain.comp.org and "domain" with your own DC hostname and domain/node name.
if ping -c 2 -o dc.domain.comp.org; then
    # Is the Mac configured for the expected domain?
    if [[ $(dsconfigad -show | awk '/Active Directory Domain/{ print $NF }') == "domain" ]]; then
        ADCompName=$(dsconfigad -show | awk '/Computer Account/{ print $NF }')
        # Does the AD computer credential still exist in the keychain?
        if security find-generic-password -l "/Active Directory/domain" | grep -q "Active Directory"; then
            # Does the computer record still resolve in the directory?
            if dscl "/Active Directory/domain/" read /Computers/"$ADCompName" | grep -qi "$ADCompName"; then
                echo "Already bound"
            else
                bind
            fi
        else
            bind
        fi
    else
        bind
    fi
else
    echo "Not on the network"
fi
Posted on 03-01-2017 06:08 AM
No need to ping the DC.
#!/bin/bash
# Check if the Mac is bound to AD: a bound Mac has an "Active Directory" node in Directory Services
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
if [ "${check4AD}" != "Active Directory" ]; then
    echo "Not bound"
fi
if [ "${check4AD}" = "Active Directory" ]; then
    echo "This Mac is already bound to Active Directory."; exit 1
fi
Posted on 02-28-2017 10:23 AM
@mike.pinto Thank you!
Posted on 02-28-2017 09:57 PM
@osxadmin I would make binding to AD part of my imaging and run the policy at the enrollment stage. I would then create a smart group with Active Directory Status is not bound. Target the bind policy to that smart group. You can also use a network segment to exclude computers that are not on the network.
Posted on 03-01-2017 06:37 AM
@gmarnin perfect, thanks!
Posted on 03-01-2017 08:11 AM
Will this also work for Macs that were bound, then wiped but not removed from AD, and then bound again while prompted to use an existing account?
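The following script is an added example and is not code from any poster in this thread. It pulls the two checks the thread describes (the directory node that gmarnin greps for, and the domain and computer-account fields of dsconfigad -show that mike.pinto's script reads) into small functions, so the parsing can be exercised offline against constructed dsconfigad output, and adds the one check that matters for the last question: a rebuilt Mac can look bound locally while its computer object in AD is stale or gone, so the live check also reads the computer record back from the directory before deciding to skip the bind. The domain corp.example.com, the account MAC-001$, the sample output text and the node path argument are all placeholders I made up; the dscl node name for your domain is whatever dscl localhost -list "/Active Directory" prints.

```shell
#!/bin/sh
# Added example: decide whether an enrollment bind script may be skipped.
# Parsing is separated from the live macOS commands so it can be tested
# with constructed input on any machine.

# Constructed sample of `dsconfigad -show` output on a bound Mac.
# Domain and computer account are placeholders, not real values.
SAMPLE_BOUND='You are bound to Active Directory:
                      Active Directory Forest          = example.com
                      Active Directory Domain          = corp.example.com
                      Computer Account                 = MAC-001$'

# Constructed sample of the same command on a Mac that was never bound.
SAMPLE_UNBOUND='Active Directory settings are not set.'

# Print the domain from dsconfigad -show text ($1); prints nothing when unbound.
ad_domain_from_show() {
    printf '%s\n' "$1" | awk '/Active Directory Domain/ { print $NF }'
}

# Print the computer account (with its trailing $) from dsconfigad -show text ($1).
ad_computer_account_from_show() {
    printf '%s\n' "$1" | awk '/Computer Account/ { print $NF }'
}

# Succeed only when the output in $2 shows a binding to exactly the domain in $1.
# Exact match matters: a leftover binding to a lab or old domain must not
# count as "already bound" and silently skip the enrollment bind.
is_bound_to_domain() {
    expected="$1"
    actual="$(ad_domain_from_show "$2")"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Live check for a real Mac. $1 = expected domain, $2 = dscl node path such as
# "/Active Directory/CORP/All Domains" (placeholder; use the name that
# `dscl localhost -list "/Active Directory"` shows for your domain).
# All three must hold before the bind script is skipped:
#   1. an "Active Directory" node exists in Directory Services,
#   2. dsconfigad reports the expected domain,
#   3. the computer record can be read back from the directory, which is what
#      fails on a wiped-and-rebuilt Mac whose AD computer object is stale.
bind_check_live() {
    expected="$1"
    node="$2"
    dscl localhost -list / 2>/dev/null | grep -qx 'Active Directory' || return 1
    show="$(dsconfigad -show 2>/dev/null)" || return 1
    is_bound_to_domain "$expected" "$show" || return 1
    acct="$(ad_computer_account_from_show "$show")"
    [ -n "$acct" ] || return 1
    dscl "$node" -read "/Computers/$acct" RecordName >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed samples. The live check only
# means anything on a Mac, so it is not invoked here; in a policy you would
# run: bind_check_live corp.example.com "/Active Directory/CORP/All Domains" && exit 0
if is_bound_to_domain corp.example.com "$SAMPLE_BOUND"; then
    echo "sample 1: bound to corp.example.com as $(ad_computer_account_from_show "$SAMPLE_BOUND"), skip the bind script"
fi
if ! is_bound_to_domain corp.example.com "$SAMPLE_UNBOUND"; then
    echo "sample 2: not bound, run the bind script"
fi
```

In a Jamf policy the natural shape is to call bind_check_live at the top of the bind script and exit 0 when it succeeds, and otherwise fall through to the bind; the smart-group approach from the thread then stops re-running the policy once inventory shows the Mac as bound.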