Posted on 04-16-2015 11:36 AM
I am using the 'unbindAD.sh' script provided in the JAMFnation scripts section. The policy trigger is set to 'STARTUP' and the script priority to 'AFTER'.
The script is simply:
echo "Unbinding the computer from Active Directory..."
/usr/sbin/dsconfigad -r -u "$username" -p "$password"
echo "Restarting Directory Services..."
/usr/bin/killall DirectoryService
Is there a script somewhere to delete the 'domain account' after the unbind, so users that are cached cannot log in?
Posted on 04-16-2015 11:53 AM
I found the following script, and added it into the unbindAD.sh (after the unbinding command). It works in deleting the cached domain accounts.
# Delete every account whose AuthenticationAuthority marks it as a cached AD user
for cuser in $(dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '); do
dscl . -delete "/Users/$cuser"
rm -rdfv "/Users/$cuser"
done
rm -rdfv /Users/Shared/
rm -rdfv /Users/Shared/.
I also added a line to have the loginwindow go back to 'user list', but it does not happen on the first login (it is still at the name/password screen). If I log in, THEN log out, it will now be at the 'user list' window???
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false
exit $?
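A dry-run variant of the cached-account cleanup from the post above, added here as an example and not taken from any poster's script. It validates each short name before it is spliced into a `/Users/` path; the function names, the skip list and the sample listing (one line per account, short name first) are assumptions.

```shell
#!/bin/sh
# Added example: plan the removal of cached AD accounts without deleting anything.

# Print the short names of accounts whose AuthenticationAuthority
# contains LocalCachedUser (dscl listing expected on stdin).
cached_users() {
    awk '/LocalCachedUser/ { print $1 }'
}

# Succeed only for names that are safe to append to /Users/.
is_safe_name() {
    case "$1" in
        ''|.*|_*|*/*|root|Shared|Guest) return 1 ;;   # empty, hidden, system, path tricks
        *[!A-Za-z0-9._-]*) return 1 ;;                # unexpected characters
    esac
    return 0
}

# Read a dscl listing on stdin and print the commands that would be run.
removal_plan() {
    cached_users | while IFS= read -r cuser; do
        if is_safe_name "$cuser"; then
            printf 'dscl . -delete /Users/%s\n' "$cuser"
            printf 'rm -rf /Users/%s\n' "$cuser"
        else
            printf 'SKIP %s\n' "$cuser" >&2
        fi
    done
}

# Constructed sample listing (shortened values, not real dscl output).
SAMPLE='root ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
localadmin ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
jsmith ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jsmith:GUID
../etc ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:x:GUID
mlee ;Kerberosv5;;mlee@EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:mlee:GUID'

# Dry run over the sample. On a Mac, pipe in
#   dscl . -list /Users AuthenticationAuthority
# instead and review the plan before executing any of it.
printf '%s\n' "$SAMPLE" | removal_plan
```
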
Posted on 04-16-2015 12:03 PM
Haha. I love how Markdown totally messes up scripts that aren't encased in the script tags here. I would encourage everyone to highlight the whole script after pasting it in, and click that script button in the post toolbar to avoid making their scripts look like a blog entry.
Posted on 04-16-2015 12:17 PM
@mm2270 - would you happen to know why the
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false
does not go into effect until after someone logs in once and logs off?
I check System Preferences and it is set at user list, but I have to log off to actually start getting the user list.
Posted on 04-17-2015 07:45 AM
@tcandela, the reason why certain defaults do not take place is they are dynamically loaded in memory. If they are changed outside the user's interaction by command, they will not take effect until the system is rebooted/relogged.