Unbind from AD via script

jwojda
Valued Contributor II

As part of DEP, it autogenerates a bound computer name based off serial numbers. I need to unbind the machine and take out the computer record and then rebind it. I see a lot of information on the force unbind with garbage username and passwords, but if I supply a real account instead of the garbage account, will it remove the extra cruft?


shaunpbrowne
New Contributor

Yes it will but then you have the problem of how to get the password in without it being visible in the script. I have been working on this today and used the following to encrypt it: https://github.com/jamfit/Encrypted-Script-Parameters. The problem I am now having is that after unbinding I want to rename the machine and then bind again but it seems to always bind with the old name.

No longer having the above problem thanks to this post https://www.jamf.com/jamf-nation/discussions/13965/ad-directory-binding-computer-name

jwojda
Valued Contributor II

This looks promising. Thanks for the script!

As for the renaming - do you set the name in the 3 different locations - HostName, LocalHostName, and ComputerName prior to rebinding it?

jwojda
Valued Contributor II

Can you provide more information on how to run the script by chance?

shaunpbrowne
New Contributor

So I simply use "sudo jamf setComputerName -useSerialNumber" to do the rename. I have seen the 3 locations you mention and checked that they are all the same after using the above jamf command.

=== Script Begin===

#!/bin/bash
# bash rather than sh: the script uses the "function" keyword and [[ ]]-style tests

function DecryptString() {
    # $1 = encrypted string, $2 = salt, $3 = passphrase
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

echo "Attempting unbind..."
# $4 = AD account allowed to remove the computer object, $5 = its encrypted password
sudo dsconfigad -remove -u "$4" -p "$(DecryptString "$5" 5f481fb12c9bv191 48cdd84b5dc45a9702652c89a)"

# Once unbound, AD accounts should no longer resolve; if the account still
# resolves, the machine is still bound.
if id -u "$4" >/dev/null 2>&1; then
    echo "Unbind Failed!"
    exit 1
else
    echo "Unbind Successful!"
    # Rename the machine
    sudo jamf setComputerName -useSerialNumber

    # This should allow enough time for the existing computer account to disappear from AD
    sleep 20

    # Rebind the machine
    sudo jamf policy -trigger bind

    exit 0
fi

=== Script End===

I use TextMate to run the script initially: simply run GenerateEncryptedString yourpassword and it will provide an "Encrypted String", the "Salt" and "Passphrase". Keep these strings handy.

In the script above you have to include the DecryptString function and send it the "Encrypted String" as a parameter ($5 in this case) and then the "Salt" and "Passphrase" are hardcoded straight in. I use $4 for the username.
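The encrypt/decrypt pattern the script relies on, as an added example written for this thread (not code from the posts or from the linked repositories): GenerateEncryptedString produces the ciphertext, salt and passphrase once, and the policy script carries only DecryptString plus the hardcoded salt and passphrase. Function names mirror the thread's; `openssl` on PATH is assumed so it also runs off a Mac.

```shell
#!/bin/sh
# Round trip of the Encrypted-Script-Parameters pattern: encrypt a secret once,
# hand the base64 ciphertext to the policy script as a parameter ($5 in the
# thread), and keep the salt and passphrase hardcoded in the script.

# Encrypt with a given 8-byte hex salt and passphrase; prints the single-line
# base64 ciphertext that the policy parameter will carry.
EncryptString() {
    printf '%s' "$1" | openssl enc -aes256 -a -A -S "$2" -k "$3"
}

# Same options as the posted DecryptString; printf avoids a stray newline.
DecryptString() {
    printf '%s' "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3"
}

# Equivalent of GenerateEncryptedString: random salt and passphrase, then
# print "encrypted_string salt passphrase" on one line to keep handy.
GenerateEncryptedString() {
    salt=$(openssl rand -hex 8)
    passphrase=$(openssl rand -hex 16)
    printf '%s %s %s\n' "$(EncryptString "$1" "$salt" "$passphrase")" "$salt" "$passphrase"
}

# Full round trip: generate, then decrypt with the generated salt/passphrase.
RoundTrip() {
    set -- $(GenerateEncryptedString "$1")   # $1=ciphertext $2=salt $3=passphrase
    DecryptString "$1" "$2" "$3"
}

# Caveat: anyone who can read the script holds the salt and passphrase, and
# anyone who can read the policy holds the ciphertext, so this hides the
# password from casual viewing in the console; it does not replace limiting
# who can read scripts and policies. Also, the generating host and the Mac
# must derive the key the same way (the default -md changed from md5 to
# sha256 in OpenSSL 1.1.0); pass an explicit -md to both if they differ.

if [ -n "$1" ]; then
    GenerateEncryptedString "$1"   # e.g. ./this.sh "MyPassword"
fi
```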

jwojda
Valued Contributor II

The GenerateEncryptedString just exits with no prompt or anything, just returns a prompt...

shaunpbrowne
New Contributor

Are you running with quotes? For example GenerateEncryptedString "MyPassword"

shaunpbrowne
New Contributor

you might want to try this download instead, I think I may have linked to a slightly different version when googling! https://github.com/brysontyrrell/EncryptedStrings

jwojda
Valued Contributor II

$ ./GenerateEncryptedString.sh "mypassword"
$

$ GenerateEncryptedString "mypassword"
-bash: GenerateEncryptedString: command not found

shaunpbrowne
New Contributor

Ah, I see what's happening. The GenerateEncryptedString is a function inside the script so you have to call it from within the script itself. Edit the script and add the following command to the bottom: GenerateEncryptedString "MyPassword"

You should just need to call the script without adding the password on the end: $ ./GenerateEncryptedString.sh

jwojda
Valued Contributor II

That worked, thank you!

shaunpbrowne
New Contributor

Great stuff! If you see in the original script I posted above I only include the function DecryptString in the final script as that is all that's needed. Good luck!

Rememberfarley
New Contributor III

Has anyone found out how to get the user cert without being bound? We are talking about going away from binding and going to local accounts.