Script Noob here--Need help on a Script (AD related)

osxadmin
Contributor II

At work I have a script to bind machines during enrollment.
Is there a way to check to see if it's bound to AD, to skip the bind script and continue with enrollment?

Thank you.


6 REPLIES

mike_pinto
New Contributor III

Maybe something like this? @mm2270 had posted this here.

You'd just have to modify it to fit your needs.

#!/bin/bash
# "domain" and dc.domain.comp.org are placeholders: substitute your AD domain name
# (as shown by `dsconfigad -show`) and a reachable domain controller.
# bind: placeholder for your site's bind command (dsconfigad -add ...).
bind() {
    echo "Binding to AD ..."   # replace with the real bind command
}

if ping -c 2 -o dc.domain.comp.org; then
    if [[ $(dsconfigad -show | awk '/Active Directory Domain/{ print $NF }') == "domain" ]]; then
        ADCompName=$(dsconfigad -show | awk '/Computer Account/{ print $NF }')
        # Is the keychain entry for the AD computer account present?
        if security find-generic-password -l "/Active Directory/domain" | grep -q "Active Directory"; then
            # Can the computer object be read back through the AD node?
            if dscl "/Active Directory/domain/" read /Computers/"$ADCompName" | grep -qi "$ADCompName"; then
                echo "Already bound"
            else
                bind
            fi
        else
            bind
        fi
    else
        bind
    fi
else
    echo "Not on the network"
fi

osxadmin
Contributor II

@mike.pinto Thank you!

khey
Contributor

@osxadmin I would make binding to AD part of my imaging and run the policy at the enrollment stage. I would then create a smart group with Active Directory Status is not bound. Target the bind policy to that smart group. You can also use a network segment to exclude computers that are not on the network.

gmarnin
New Contributor III

No need to ping the DC.

#!/bin/sh
# Check if the Mac is bound to AD: a bound Mac lists an "Active Directory"
# node under localhost.
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")

if [ "${check4AD}" != "Active Directory" ]; then
    echo "Not bound"
else
    echo "This Mac is already bound to Active Directory."; exit 1
fi
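As an added example (not code from any post in this thread), here is one way to combine the two answers above: the node-list check from this post, plus the domain and computer-account parsing of `dsconfigad -show` from the earlier one, so that "bound" also means "bound to the domain we expect". The parsing functions read command output from stdin, so they can be exercised offline against the constructed sample text embedded below; the real `dsconfigad` and `dscl` calls only run at the bottom, and only on a Mac. The domain `corp.example.com`, the computer name `mac01$` and the node list are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: pre-bind check for an enrollment policy.
# EXPECTED_DOMAIN is an assumption; set it to your AD domain as `dsconfigad -show` prints it.
EXPECTED_DOMAIN="corp.example.com"

# Constructed sample output, used only for offline testing of the parsers.
SAMPLE_SHOW_BOUND='You are bound to Active Directory:
Active Directory Forest         = corp.example.com
Active Directory Domain         = corp.example.com
Computer Account                = mac01$'
SAMPLE_NODES_BOUND='Active Directory
BSD
Local
Search'
SAMPLE_NODES_UNBOUND='BSD
Local
Search'

# Domain name from `dsconfigad -show` text on stdin (empty when not bound).
ad_domain_from_show() {
    awk '/Active Directory Domain/ { print $NF }'
}

# Computer account (trailing "$" included) from `dsconfigad -show` text on stdin.
ad_computer_from_show() {
    awk '/Computer Account/ { print $NF }'
}

# Exit 0 if the `dscl localhost -list .` text on stdin contains the AD node.
ad_node_present() {
    grep -qx 'Active Directory'
}

# bind_state EXPECTED SHOW_TEXT NODES_TEXT -> prints bound | wrong-domain | unbound
bind_state() {
    expected=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    domain=$(printf '%s\n' "$2" | ad_domain_from_show | tr '[:upper:]' '[:lower:]')
    # No AD node under localhost: nothing else matters, the Mac is not bound here.
    if ! printf '%s\n' "$3" | ad_node_present; then
        echo unbound; return
    fi
    # Node present but dsconfigad reports no domain: treat as unbound as well.
    if [ -z "$domain" ]; then
        echo unbound; return
    fi
    # Bound, but to a domain other than the one this policy expects.
    if [ "$domain" != "$expected" ]; then
        echo wrong-domain; return
    fi
    echo bound
}

# Real run: only on a Mac (dsconfigad present); a no-op elsewhere.
main() {
    command -v dsconfigad >/dev/null 2>&1 || return 0
    state=$(bind_state "$EXPECTED_DOMAIN" "$(dsconfigad -show 2>/dev/null)" "$(dscl localhost -list .)")
    case "$state" in
        bound)        echo "Already bound to $EXPECTED_DOMAIN; skip the bind policy." ;;
        wrong-domain) echo "Bound to a different domain; review before rebinding." ;;
        unbound)      echo "Not bound; run the site bind command here." ;;
    esac
}
main
```

Note that every check here reads local state only: a Mac that was bound, wiped and re-enrolled has no AD node and no `dsconfigad` record, so it reports `unbound` whether or not its old computer object still exists in the domain. Handling that stale object is a matter for the bind command itself (dsconfigad's `-force` option joins an existing computer account) or for the Jamf smart group on Active Directory Status that the reply above suggests.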

osxadmin
Contributor II

@gmarnin perfect, thanks!

swhps
Contributor III

Will this also work for Macs that were bound, then wiped but not removed from AD, and then bound again while prompted to use an existing account?