Script to change AD Search policy on an AD bound machine

Randydid
Contributor II

Hi All,

While I am getting up to speed on bash scripting I am in a bit of a bind (pun intended). I have about 300 machines deployed in labs. I have learned (long story, not relevant) that I need to change my Search policy in Directory Utility from /Active Directory/COLLEGES/All Domains to a specific (explicit) domain; in this case it would show up in Directory Utility like this: /Active Directory/COLLEGES/colleges.ad.unm.edu. And, if possible, change the Contacts attribute to the same explicit domain as well. I have googled and found this: http://krypted.com/mac-os-x/mac-os-x-changing-to-a-custom-search-path-with-dscl/ but I am not sure this is what I actually need and, if it is, I cannot seem to get the syntax right. The objective here is to be able to push this as a policy in Casper in the form of a bash script. I must also admit that this goes WAY deeper into the weeds in AD than I usually get. Ideas? I really do not want to go out and touch 300 Macs....


hkabik
Valued Contributor
#!/bin/sh
# Must run as root (a Jamf policy does). -delete removes only the value named;
# -append adds the explicit domain to the end of the custom search path.
dscl /Search -delete / CSPSearchPath "/Active Directory/COLLEGES/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/COLLEGES/colleges.ad.unm.edu"
# Same change for the Contacts search path.
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/COLLEGES/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/COLLEGES/colleges.ad.unm.edu"

Randydid
Contributor II

Thanks hkabik

Testing now. Will let you know. That appears way simpler than I was thinking it was going to be.

/randy

Randydid
Contributor II

@hkabik

Seems to work provided the student lab techs have unchecked the "Allow authentication from any domain in the forest" box. They are supposed to, but the script errors out if it is not enabled. I have a Dashboard item to track the ones that failed. When I get the time, I will figure out the switch to disable that authentication parameter.

JAMF NATION forums rock!

Consider this solved.

/randy

hkabik
Valued Contributor

The switch you are looking for:

dsconfigad -alldomains disable
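
Putting hkabik's two answers together (the dscl search-path edits and the dsconfigad switch), here is an added example of a version that is safe to re-run as a Jamf policy. It is not code from anyone in this thread. It reads the current search path first, so it never issues a dscl -delete for a value that is not there (a plain -delete of an absent value reports an error, which Jamf then logs as a failed policy), it runs dsconfigad -alldomains disable before touching the search path, and it refuses to run without root, since writes to /Search need it. The forest name COLLEGES and the domain colleges.ad.unm.edu are the ones from the thread; the function names, the tab-separated "plan" format and the uname guard at the bottom are my own. One caveat from the krypted article linked above: these edits only matter while the node's SearchPolicy is CSPSearchPath (custom), which is what AD binding sets; if a machine is back on the automatic policy, set `dscl /Search -create / SearchPolicy CSPSearchPath` first.

```shell
#!/bin/sh
# Added example (not hkabik's or Randydid's script): an idempotent version of
# the search-path change that can be re-run safely as a Jamf policy.
# Forest "COLLEGES" and domain "colleges.ad.unm.edu" come from the thread;
# the function names and the guard at the bottom are assumptions of mine.

FOREST="COLLEGES"
DOMAIN="colleges.ad.unm.edu"
ALL_DOMAINS="/Active Directory/${FOREST}/All Domains"
EXPLICIT="/Active Directory/${FOREST}/${DOMAIN}"

# parse_csp: turn the output of `dscl <node> -read / CSPSearchPath` into one
# path per line. dscl prints values containing spaces on their own lines,
# each indented by one space; values without spaces share the header line.
parse_csp() {
  awk '
    /^CSPSearchPath:/ {
      sub(/^CSPSearchPath:[ \t]*/, "")
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) print f[i]
      inattr = 1
      next
    }
    inattr && /^ / { sub(/^ /, ""); print; next }
    { inattr = 0 }
  '
}

# plan_node: read the current paths on stdin and print, tab-separated, the
# dscl actions needed so that "All Domains" is gone and the explicit domain
# is present. Prints nothing when the node is already correct (or does not
# use this forest at all), so dscl is never asked to delete a missing value.
plan_node() {
  has_all=0
  has_explicit=0
  while IFS= read -r p; do
    if [ "$p" = "$ALL_DOMAINS" ]; then has_all=1; fi
    if [ "$p" = "$EXPLICIT" ]; then has_explicit=1; fi
  done
  if [ "$has_all" -eq 1 ]; then
    printf 'delete\t%s\n' "$ALL_DOMAINS"
    if [ "$has_explicit" -eq 0 ]; then printf 'append\t%s\n' "$EXPLICIT"; fi
  fi
  return 0
}

# fix_node: apply the plan to "/Search" or "/Search/Contacts".
fix_node() {
  node="$1"
  dscl "$node" -read / CSPSearchPath | parse_csp | plan_node |
    while IFS="$(printf '\t')" read -r action value; do
      echo "$node: $action $value"
      dscl "$node" "-$action" / CSPSearchPath "$value"
    done
}

main() {
  # Writes to the search path need root; Jamf policies run as root,
  # a manual test from a normal user's shell does not.
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root" >&2
    return 1
  fi
  # Turn off "Allow authentication from any domain in the forest" first so
  # the "All Domains" entry is not put back on the search path.
  dsconfigad -alldomains disable
  fix_node /Search
  fix_node /Search/Contacts
  # Show the result so it ends up in the Jamf policy log.
  dscl /Search -read / CSPSearchPath
  dscl /Search/Contacts -read / CSPSearchPath
}

# dscl and dsconfigad only exist on macOS; elsewhere just load the functions.
case "$(uname -s)" in
  Darwin) main ;;
  *) echo "not macOS: functions loaded, nothing changed" >&2 ;;
esac
```

Drop it in as the Jamf policy script as-is; on a Mac that was already fixed it prints the current path and changes nothing, which is what you want from a policy scoped to all 300 lab machines.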

Randydid
Contributor II

@hkabik Sweet! I slipped that into my script.

Thanks for the help! If you are going to JNUC2015, I will buy you a beverage of your choice!

/randy

siepmannm
New Contributor

I am attempting to use this same script for our school, but I am running into permission errors. Were you able to get it to successfully run in Jamf?