Question

Script to change AD Search policy on an AD bound machine

  • September 16, 2015
  • 6 replies
  • 43 views


Hi All,

While I am getting up to speed on bash scripting I am in a bit of a bind (pun intended). I have about 300 machines deployed in labs. I have learned (long story, not relevant) that I need to change my Search policy in Directory Utility from /Active Directory/COLLEGES/All Domains to a specific (explicit) domain. In this case it would show up like this in the Directory: /Active Directory/COLLEGES/colleges.ad.unm.edu. And, if possible, change the Contacts attribute to the same explicit domain as well. I have googled and found this: http://krypted.com/mac-os-x/mac-os-x-changing-to-a-custom-search-path-with-dscl/ but I am not sure this is what I actually need and, if it is, I cannot seem to get the syntax right. The objective here is to be able to push this as a policy in Casper in the form of a bash script. I must also admit that this goes WAY deeper into the weeds in AD than I usually get. Ideas? I really do not want to go out and touch 300 Macs....

6 replies

  • Honored Contributor
  • September 17, 2015
#!/bin/sh

# Authentication search path: drop the "All Domains" node, add the explicit domain.
dscl /Search -delete / CSPSearchPath "/Active Directory/COLLEGES/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/COLLEGES/colleges.ad.unm.edu"
# Contacts search path: same change.
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/COLLEGES/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/COLLEGES/colleges.ad.unm.edu"

  • Author
  • Contributor
  • September 17, 2015

Thanks hkabik

Testing now. Will let you know. That appears way more simple than I was thinking it was going to be.

/randy


  • Author
  • Contributor
  • September 17, 2015

@hkabik

Seems to work provided the student Lab techs have unchecked the "Allow authentication from any domain in the correct" box. They are supposed to, but the script errors out if it is not enabled. I have a Dashboard item to track ones that failed. When I get the time, I will figure out the switch to disable that authentication parameter.

JAMF NATION forums rock!

Consider this solved.

/randy


  • Honored Contributor
  • September 17, 2015

The switch you are looking for:

dsconfigad -alldomains disable

  • Author
  • Contributor
  • September 17, 2015

@hkabik Sweet! I slipped that into my script.

Thanks for the help! If you are going to JNUC2015, I will buy you a beverage of your choice!

/randy


  • New Contributor
  • July 30, 2018

I am attempting to use this same script for our school, but I am running into permission errors. Were you able to get it to successfully run in Jamf?
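
An added example, not part of any post above: the commands from this thread combined into one script that disables the all-domains option first, changes only what is still needed on /Search and /Search/Contacts, and exits non-zero if the resulting path is not as expected. The root check, the function names and the one-entry-per-line layout assumed for the dscl read output are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. OLD and NEW are the node names quoted in the thread.
OLD="/Active Directory/COLLEGES/All Domains"
NEW="/Active Directory/COLLEGES/colleges.ad.unm.edu"

# path_listed NODE READ_OUTPUT: true if NODE is an exact entry in the output of
# "dscl <node> -read / CSPSearchPath". Assumes one indented entry per line,
# the layout dscl uses when entries contain spaces.
path_listed() {
    printf '%s\n' "$2" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fqx -- "$1"
}

# fix_node NODE: bring /Search or /Search/Contacts to the target state, issuing
# only the changes still needed, then re-read the path to confirm the result.
fix_node() {
    current=$(dscl "$1" -read / CSPSearchPath 2>/dev/null)
    if path_listed "$OLD" "$current"; then
        dscl "$1" -delete / CSPSearchPath "$OLD" || return 1
    fi
    if ! path_listed "$NEW" "$current"; then
        dscl "$1" -append / CSPSearchPath "$NEW" || return 1
    fi
    current=$(dscl "$1" -read / CSPSearchPath 2>/dev/null)
    path_listed "$NEW" "$current" && ! path_listed "$OLD" "$current"
}

main() {
    # Both tools change system-wide directory configuration and need root.
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root" >&2
        return 1
    fi
    # Turn off "allow authentication from any domain" first, as in the thread.
    dsconfigad -alldomains disable || return 1
    fix_node /Search || { echo "/Search not in expected state" >&2; return 1; }
    fix_node /Search/Contacts || { echo "/Search/Contacts not in expected state" >&2; return 1; }
}

# Run only where the macOS directory tools exist; a non-zero exit status lets
# the management tool flag the machine as failed.
if command -v dsconfigad >/dev/null 2>&1; then
    main
else
    echo "dsconfigad not found; nothing changed" >&2
fi
```

Because each node is read before and after the change, the script can be re-run on machines that were already fixed by hand without producing errors.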