Help

Script Noob here--Need help on a Script (AD related)

Go to solution
osxadmin
Contributor II

Posted on β€Ž02-28-2017 09:48 AM

At work I have a script to bind machines during enrollment.
is there a way to check to see if its bound to AD to skip the bind script and continue with enrollment?

thank you.

0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
mike_pinto
New Contributor III

Posted on β€Ž02-28-2017 10:20 AM

Maybe something like this? @mm2270 had posted this here

You'd just have to modify it to fit your needs.

if ping -c 2 -o dc.domain.comp.org; then
    if [[ $(dsconfigad -show | awk '/Active Directory Domain/{ print $NF }') == "domain" ]]; then
        ADCompName=$(dsconfigad -show | awk '/Computer Account/{ print $NF }')
        security find-generic-password -l "/Active Directory/domain" | grep "Active Directory"
            if [ "$?" == "0" ]; then
                dscl "/Active Directory/domain/" read /Computers/"$ADCompName" | grep -i "$ADCompName"
                if [ "$?" == "0" ]; then
                    echo "Already bound"
                else
                    bind
                fi
            else
                bind
            fi
    else
        bind
    fi
else
    echo "Not on the network"
fi

View solution in original post

0 Kudos

Go to solution
gmarnin
New Contributor III

Posted on β€Ž03-01-2017 06:08 AM

No need to ping the dc

# Check if the Mac is bound to AD
check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`

if [ "${check4AD}" != "Active Directory" ]; then
    echo "Not bound "
fi
if [ "${check4AD}" = "Active Directory" ]; then
    echo "This Mac is already bound to Active Directory."; exit 1
fi

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
mike_pinto
New Contributor III

Posted on β€Ž02-28-2017 10:20 AM

Maybe something like this? @mm2270 had posted this here

You'd just have to modify it to fit your needs.

if ping -c 2 -o dc.domain.comp.org; then
    if [[ $(dsconfigad -show | awk '/Active Directory Domain/{ print $NF }') == "domain" ]]; then
        ADCompName=$(dsconfigad -show | awk '/Computer Account/{ print $NF }')
        security find-generic-password -l "/Active Directory/domain" | grep "Active Directory"
            if [ "$?" == "0" ]; then
                dscl "/Active Directory/domain/" read /Computers/"$ADCompName" | grep -i "$ADCompName"
                if [ "$?" == "0" ]; then
                    echo "Already bound"
                else
                    bind
                fi
            else
                bind
            fi
    else
        bind
    fi
else
    echo "Not on the network"
fi
0 Kudos

Go to solution
osxadmin
Contributor II

Posted on β€Ž02-28-2017 10:23 AM

@mike.pinto Thank you!

0 Kudos

Go to solution
khey
Contributor

Posted on β€Ž02-28-2017 09:57 PM

@osxadmin I would make bind to AD as part of my imaging and to run the policy at the enrollment stage. I would then create a smart group with Active Directory Status is not bound. Target the bind policy to that smart group. You can also use network segment to exclude computers that are not on the network.

0 Kudos

Go to solution
gmarnin
New Contributor III

Posted on β€Ž03-01-2017 06:08 AM

No need to ping the dc

# Check if the Mac is bound to AD
check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`

if [ "${check4AD}" != "Active Directory" ]; then
    echo "Not bound "
fi
if [ "${check4AD}" = "Active Directory" ]; then
    echo "This Mac is already bound to Active Directory."; exit 1
fi
0 Kudos

Go to solution
osxadmin
Contributor II

Posted on β€Ž03-01-2017 06:37 AM

@gmarnin perfect, thanks!

0 Kudos

Go to solution
swhps
Contributor III

Posted on β€Ž03-01-2017 08:11 AM

Will this also work for Macs that were bound, then wiped but not removed from AD, and then bound again while prompted to use an existing account?

0 Kudos