Help

unbind to AD but AD account still able to login afterwards ??

Go to solution
tcandela
Valued Contributor II

Posted on ‎04-16-2015 11:36 AM

I am using that 'unbindAD.sh' script provided on JAMFnation script sections. The policy trigger is set at 'STARTUP' and script priority 'AFTER'

script is simply:

echo "Unbinding the computer from Active Directory..."
/usr/sbin/dsconfigad -r -u "$username" -p "$password"

echo "Restarting Directory Services..."
/usr/bin/killall DirectoryService

is there a script somewhere to delete the 'domain account' after the unbind so users that are cached cannot login ?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
tcandela
Valued Contributor II

Posted on ‎04-16-2015 11:53 AM

I found the following script, and added it into the unbindAD.sh (after the unbinding command) - it works in deleting the cached domain accounts

Deleting cached domain accounts (this means local accounts will remain untouched)

for cuser in dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr ' ' ' '; do
dscl . -delete /Users/$cuser
rm -rdfv /Users/$cuser
done

Deleting the Shared files

rm -rdfv /Users/Shared/
rm -rdfv /Users/Shared/.

I also added line to have the loginwindow to go back to 'user list' but it does not happen on the first login (it is still at name/password screen) if i login, THEN logout, it will now be at the 'user list' window ???

Set the login window to name and password

defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

exit $?

View solution in original post

0 Kudos
4 REPLIES 4

Go to solution
tcandela
Valued Contributor II

Posted on ‎04-16-2015 11:53 AM

I found the following script, and added it into the unbindAD.sh (after the unbinding command) - it works in deleting the cached domain accounts

Deleting cached domain accounts (this means local accounts will remain untouched)

for cuser in dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr ' ' ' '; do
dscl . -delete /Users/$cuser
rm -rdfv /Users/$cuser
done

Deleting the Shared files

rm -rdfv /Users/Shared/
rm -rdfv /Users/Shared/.

I also added line to have the loginwindow to go back to 'user list' but it does not happen on the first login (it is still at name/password screen) if i login, THEN logout, it will now be at the 'user list' window ???

Set the login window to name and password

defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

exit $?

0 Kudos

Go to solution
mm2270
Legendary Contributor III

Posted on ‎04-16-2015 12:03 PM

Haha. I love how Markdown totally messes up scripts that aren't encased in the script tags here. I would encourage everyone to highlight the whole script after pasting it in, and click that script button in the post toolbar to avoid making their scripts look like a blog entry.

0 Kudos

Go to solution
tcandela
Valued Contributor II

Posted on ‎04-16-2015 12:17 PM

@mm2270 - would you happen to know why the

defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool false

does not go into effect until after someone logs in once and logs off?

I check system preferences and it is set at user list, but i have to log off to actually start getting the user list.

0 Kudos

Go to solution
jjones
Contributor II

Posted on ‎04-17-2015 07:45 AM

@tcandela, the reason why certain defaults do not take place is they are dynamically loaded in memory. If they are changed outside the users interaction by command, they will not take affect until the system is rebooted/relogged.

0 Kudos