Unbound from AD, but the AD account is still able to log in afterwards ??

tcandela
Valued Contributor II

I am using the 'unbindAD.sh' script provided in the JAMF Nation scripts section. The policy trigger is set to 'STARTUP' and the script priority to 'AFTER'.

The script is simply:

echo "Unbinding the computer from Active Directory..."
/usr/sbin/dsconfigad -r -u "$username" -p "$password"

echo "Restarting Directory Services..."
/usr/bin/killall DirectoryService

Is there a script somewhere to delete the 'domain account' after the unbind, so that cached users cannot log in?

1 ACCEPTED SOLUTION

tcandela
Valued Contributor II

I found the following script and added it into unbindAD.sh (after the unbind command); it works for deleting the cached domain accounts.

# Delete the cached domain accounts (local accounts are left untouched).
for cuser in $(dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}'); do
    dscl . -delete "/Users/$cuser"
    rm -rdfv "/Users/${cuser:?}"
done

# Delete the files in the Shared folder but keep the folder itself
# (rm refuses to remove "/Users/Shared/." in any case).
rm -rdfv /Users/Shared/* /Users/Shared/.[!.]*

I also added a line to have the login window go back to the 'user list', but it does not happen on the first login (it is still at the name/password screen). If I log in, THEN log out, it will now be at the 'user list' window ???

# Set the login window to the user list (SHOWFULLNAME true would show the name and password fields)
defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

exit $?

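The question at the top of the thread and the accepted script above both come down to the same two steps: unbind, then make sure no mobile account cached from the domain survives. The script below is an added example, not the original poster's unbindAD.sh and not a Jamf-supplied script. It splits the parsing of `dsconfigad -show` and `dscl . -list /Users AuthenticationAuthority` output from the destructive steps, so the account selection can be checked offline, and it refuses to run `rm -rf` on a name that could escape /Users. Assumptions: the AD credentials arrive in Jamf script parameters $4 and $5, every cached account's home is /Users/<shortname>, `dsconfigad -show` prints nothing on an unbound Mac, and the `dscl`/`dsconfigad` sample output embedded below is constructed (placeholder SIDs and hashes), not captured from a real machine.

```shell
#!/bin/bash
# Added example (not the original poster's unbindAD.sh): after `dsconfigad -r`,
# confirm the Mac is unbound, then purge the mobile (cached) AD accounts so
# their cached credentials cannot be used at the login window.

# Domain name from `dsconfigad -show` output (stdin). Prints nothing when the
# "Active Directory Domain = ..." line is absent, which (assumption) is what an
# unbound Mac produces.
bound_domain() {
    awk -F' = ' '/^Active Directory Domain/ { print $2 }'
}

# Cached directory accounts from `dscl . -list /Users AuthenticationAuthority`
# output (stdin), one "<shortname> <authority values...>" record per line.
# Purely local accounts carry ;ShadowHash; / ;Kerberosv5; entries only; an
# account cached from a directory service carries ;LocalCachedUser;.
cached_users() {
    awk '/;LocalCachedUser;/ { print $1 }'
}

# Reject names that would turn "rm -rf /Users/$name" into something else
# (empty string, ".", "..", path separators, whitespace). Returns 0 if safe.
safe_username() {
    case "$1" in
        ""|.|..|*/*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Delete one cached account record and its home folder. With DRY_RUN=1 (the
# default) the commands are printed instead of executed. Assumes the home is
# /Users/<name>; read NFSHomeDirectory via dscl first if that may not hold.
purge_user() {
    local name="$1"
    safe_username "$name" || { echo "refusing to purge '$name'" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'dscl . -delete /Users/%s\nrm -rf /Users/%s\n' "$name" "$name"
    else
        /usr/bin/dscl . -delete "/Users/$name" && rm -rf "/Users/${name:?}"
    fi
}

# Purge every account named on stdin; the exit status is the number of failures.
purge_cached_users() {
    local failed=0 name
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        purge_user "$name" || failed=$((failed + 1))
    done
    return "$failed"
}

# The whole flow as it would run from the Jamf policy (root, STARTUP trigger):
# unbind with the AD credentials, refuse to purge if the Mac is still bound
# (the unbind failed), then remove every cached account for real.
unbind_and_purge() {
    /usr/sbin/dsconfigad -r -u "$1" -p "$2" || return 1
    if [ -n "$(/usr/sbin/dsconfigad -show | bound_domain)" ]; then
        echo "still bound to AD, not purging cached accounts" >&2
        return 1
    fi
    ( DRY_RUN=0; /usr/bin/dscl . -list /Users AuthenticationAuthority | cached_users | purge_cached_users )
}
# In the policy script: unbind_and_purge "$4" "$5"

# Constructed sample output (not captured from a real machine; the SIDs and
# hashes are placeholders) so the selection logic can be checked offline.
SAMPLE_DSCONFIGAD_BOUND='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac01$'
SAMPLE_DSCL='localadmin ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;localadmin@LKDC:SHA1.0000;LKDC:SHA1.0000;
jdoe ;Kerberosv5;;jdoe@CORP.EXAMPLE;CORP.EXAMPLE; ;LocalCachedUser;/Active Directory/CORP/corp.example.com:jdoe:S-1-5-21-0-0-0-1001
_mbsetupuser ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
asmith ;Kerberosv5;;asmith@CORP.EXAMPLE;CORP.EXAMPLE; ;LocalCachedUser;/Active Directory/CORP/corp.example.com:asmith:S-1-5-21-0-0-0-1002'

# Offline dry run on the sample: prints the dscl/rm commands for jdoe and
# asmith only; localadmin and _mbsetupuser are left alone.
printf '%s\n' "$SAMPLE_DSCL" | cached_users | purge_cached_users
```

Run the dry run first on a bound test Mac (`dscl . -list /Users AuthenticationAuthority | cached_users | purge_cached_users`) and read the list before switching DRY_RUN off; the one account you never want in that list is the local admin the Jamf management account uses.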

4 REPLIES


mm2270
Legendary Contributor III

Haha. I love how Markdown totally messes up scripts that aren't enclosed in the script tags here. I would encourage everyone to highlight the whole script after pasting it in and click the script button in the post toolbar, to avoid making their scripts look like a blog entry.

tcandela
Valued Contributor II

@mm2270 - would you happen to know why the

defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

does not go into effect until after someone logs in once and logs off?

I checked System Preferences and it is set to the user list, but I have to log off to actually start getting the user list.

jjones
Contributor II

@tcandela, the reason why certain defaults do not take effect is that they are dynamically loaded in memory. If they are changed by a command outside the user's interaction, they will not take effect until the system is rebooted or the user logs out and back in.