Posted on 05-13-2016 01:43 PM
I'm seemingly having trouble unbinding a few Macs from AD binding using directory utility. We can use the force unbind command...but is there some sort of inherent issue with not being able to simply click Unbind in directory utility to do what it says?
Posted on 05-13-2016 02:09 PM
If the Mac has fallen out of domain trust already then doing an unbind will require a 'force' unbind since it can't already communicate back to AD to do a normal unbind and remove its record. Does that sound like a possibility here?
Posted on 05-13-2016 02:25 PM
Quite possibly...I think the system may have been renamed prior to the unbind. I wonder if that's the case? Additionally, does it matter who unbinds it? The credentials shouldn't make a difference?
Thank you
Posted on 05-13-2016 02:36 PM
The creds would only make a difference if trying to do a clean unbind - one that also removes the AD computer object. In that case the account used would need proper privileges in AD to remove computer objects.
If doing a force unbind, as long as you have admin rights it won't matter since all that really does is blow away the local plist files and other stuff that tells the Mac it's bound to a directory service.
Posted on 05-13-2016 02:39 PM
thanks for the info.
So would changing the computer name before unbinding mess with that unbinding process in Directory Utility? We're trying to avoid force unbinding if at all possible.
Posted on 05-13-2016 02:51 PM
Changing the computer name from, say, System Preferences > Sharing should not have any effect on the AD bind. The computer name it was bound with is stored in the above referenced plist file, which you can read with dsconfigad -show or see the values for in Directory Utility. Technically AD doesn't care what the name of the Mac is as long as the name you bind it with is unique within AD and it's less than 15 characters in length. If you bind a Mac with the same name as another one in AD it will ask you if you want to overwrite the existing record.
However, I think in most environments, as a good sanity practice, it's best to keep the local computer name and the name it's bound to AD with the same.
But again, renaming it before an unbind really shouldn't then require a force unbind to my knowledge. It's possible I'm wrong on that, but I don't think that's an issue.
Posted on 05-13-2016 02:53 PM
I feel the same, just not sure why it doesn't allow a regular unbind from DU.
Not sure how to determine if it has fallen out of the domain trust. Is there a way to determine that by chance?
Thanks for the time and knowledge.
Posted on 05-13-2016 03:15 PM
Yes, from Directory Utility. In the main toolbar of the app, click on Directory Editor and where you see a pop up menu called "in node" change it to your Active Directory domain. So it should show something like "/Active Directory/DOMAIN/All Domains". When you select that, and the Mac is on a network that can reach your domain controllers, it should populate a list of Users or Computers or something in the panel on the left. If it generates an error, then it's not communicating with AD.
There are also scripted ways to do it, again, as long as the Mac is connected to a network that should be able to communicate with your AD.
For example:
dscl "/Active Directory/DOMAIN/All Domains" read /Computers/$(dsconfigad -show | awk '/Computer Account/{print $NF}')
The above (once you replace DOMAIN with your actual domain name) should return the computer's own record from AD using the name it was joined to AD with.
You can also do something like id to look up a user that is in AD:
id somename
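Putting the two checks above into a script, as an added example that is not from this thread or from Apple: the parsing helpers are exercised against a constructed sample of dsconfigad -show output, and the trust check assumes macOS with dsconfigad and dscl available and takes the AD node path exactly as Directory Utility shows it (an assumption, since the short DOMAIN name is not in the dsconfigad output).

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a bound Mac can still
# reach its own AD computer object (a normal unbind needs that) or whether
# trust has lapsed (only a force unbind will clear the local bind state).
# Assumes macOS with dsconfigad and dscl; the AD node path is passed in as
# shown in Directory Utility, e.g. "/Active Directory/DOMAIN/All Domains".

# Constructed sample of `dsconfigad -show` output, used only to exercise
# the parsing helpers offline (hypothetical domain and computer name).
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = lab-mac-01$'

# Value of the "Computer Account" line (the name the Mac was joined with,
# normally ending in "$") from dsconfigad -show text on stdin.
computer_account_from_show() {
    awk '/^Computer Account/ { print $NF; exit }'
}

# DNS domain the Mac is joined to, from the same text on stdin.
domain_from_show() {
    awk '/^Active Directory Domain/ { print $NF; exit }'
}

# Exit 0: trust OK (computer record readable through the AD node).
# Exit 1: bound locally but the record cannot be read (trust lapsed or no
#         domain controller reachable); a plain unbind in DU will fail.
# Exit 2: no bind state on this Mac at all.
check_ad_trust() {
    node=$1
    show=$(dsconfigad -show 2>/dev/null) || show=""
    acct=$(printf '%s\n' "$show" | computer_account_from_show)
    dom=$(printf '%s\n' "$show" | domain_from_show)
    if [ -z "$acct" ]; then
        echo "not bound: dsconfigad reports no Computer Account"
        return 2
    fi
    if dscl "$node" read "/Computers/$acct" RecordName >/dev/null 2>&1; then
        echo "trust OK: $acct (domain $dom) is readable via $node"
        return 0
    fi
    echo "trust BROKEN: cannot read /Computers/$acct via $node; force unbind likely needed"
    return 1
}

# Usage: sh check_ad_trust.sh "/Active Directory/DOMAIN/All Domains"
if [ $# -gt 0 ]; then
    check_ad_trust "$1"
fi
```

The id check from the post (id somename) is the complementary user-side test; a Mac whose computer record reads fine but whose users do not resolve usually has a search-path rather than a trust problem.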
Posted on 04-10-2018 01:09 PM
Has anyone found out how to get the user cert without being bound? We are talking about going away from binding and going to local accounts.
Posted on 04-10-2018 04:54 PM
This is the doc that got us started... we had a few issues but just guessed our way through ....
https://support.apple.com/en-us/HT204602