Command line to check for AD bind

Bernard_Huang
Contributor III

Hi all,

I've googled this a bit but couldn't find what I specifically need.

I want to run a script on every Macbook to see if each Macbook has been AD joined to the correct AD server. Via GUI, I'm referring to System Preferences > Users & Groups > Login Options > Network Account Server.

I found something called dsconfigldap, but when checking its available functions, it is only for adding or removing from a server. It doesn't have an option to check the status of its value (what it's pointing to).

Anyone got ideas? Thanks in advance.

1 ACCEPTED SOLUTION

Chris
Valued Contributor
dsconfigad -show | awk '/Active Directory Domain/{print $NF}'

is that what you're looking for?

cddwyer
Contributor

Hi Bernard,

You can achieve this with the following Extension Attribute script:

#!/bin/bash

# Substitute your own values for the three placeholders below
dc="<DC FQDN OR DOMAIN>"
expected_domain="<ACTIVE DIRECTORY DOMAIN HERE>"
ad_user="<DOMAIN USER ACCOUNT NAME>"

# Ping the domain or a DC (-o: stop after the first reply)
if ping -c 3 -o "$dc" > /dev/null 2>&1; then
    # Check the domain returned with dsconfigad
    domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
    # If the domain is correct
    if [[ "$domain" == "$expected_domain" ]]; then
        # Check the id of a domain user (output discarded so only the <result> is returned)
        if id -u "$ad_user" > /dev/null 2>&1; then
            echo "<result>Bound Correctly</result>"
        else
            # Lookup failed: bound to the right domain but AD is not answering
            echo "<result>Cannot communicate with AD</result>"
        fi
    else
        # The domain returned did not match our expectations
        echo "<result>Incomplete bind</result>"
    fi
else
    # We can't see the DCs, so there is no way to properly check
    echo "<result>Not in range of a DC</result>"
fi

exit 0

Substituting correct values for <...>

This will try and ping either one of your DCs or the domain (which will ping the primary DC). If successful, it will check the domain name the machine is bound to against what you specify as the correct domain, and will also try to query the user object; if it is communicating with your AD correctly, it will return the groups the user object is a member of.
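An added example, not from this thread, building on Chris's awk one-liner: it parses dsconfigad -show output passed in as text (a constructed sample is embedded) so the check can be tested without a bound Mac, and it separates "not bound" from "bound to the wrong domain", comparing case-insensitively. The expected domain corp.example.com and the --live flag are assumptions for the example.

```shell
#!/bin/bash
# Added example: classify an AD bind from the text `dsconfigad -show` prints.
# When a Mac is not bound, dsconfigad -show prints no "Active Directory Domain"
# line, so an empty domain means "not bound".

# Extract the bound domain (lower-cased) from dsconfigad -show output on stdin.
ad_domain_from_show() {
    awk -F'=' '/Active Directory Domain/ { gsub(/[ \t]/, "", $2); print tolower($2) }'
}

# classify_bind EXPECTED_DOMAIN SHOW_OUTPUT
# Echoes a Jamf extension-attribute style <result> line.
classify_bind() {
    local expected show_output domain
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    show_output="$2"
    domain=$(printf '%s\n' "$show_output" | ad_domain_from_show)
    if [ -z "$domain" ]; then
        echo "<result>Not bound</result>"
    elif [ "$domain" != "$expected" ]; then
        echo "<result>Bound to wrong domain: $domain</result>"
    else
        echo "<result>Bound to $domain</result>"
    fi
}

# Constructed sample of dsconfigad -show output (note the mixed-case domain).
SAMPLE_BOUND='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = CORP.example.com
  Computer Account                 = mac01$'

# Offline demonstration against the constructed sample.
classify_bind "corp.example.com" "$SAMPLE_BOUND"   # bound to corp.example.com
classify_bind "corp.example.com" ""                # not bound

# Live check on a real Mac: run with --live (assumed flag) where dsconfigad exists.
if [ "${1:-}" = "--live" ] && command -v dsconfigad >/dev/null 2>&1; then
    classify_bind "corp.example.com" "$(dsconfigad -show)"
fi
```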

dsavageED
Contributor III

The command you are looking for is dsconfigad, rather than the ldap option. At its most basic, "dsconfigad -show" will dump out the status of the AD plug-in. However, to check the binding is actually working, the easiest option is to run "id USERNAME" where USERNAME is a domain user without a local presence on the Mac.

fuzzylogiq
New Contributor II

Worth noting that if you just want to see which domain a computer is bound to, if at all, the JSS already uses dsconfigad every recon to populate this in the Operating System section of the Inventory tab in a computer record. You can use the Active Directory Status as a criterion in a Smart Group/Advanced Search.

Bernard_Huang
Contributor III

All great answers, but since @Chris got in first, I'll give him the tick :)

Thanks a lot. It's working now. I've created the extension attribute.

monogrant
Contributor

I'm curious if anyone is using odutil

odutil show nodenames

Seems to work for me. Not sure if this is a new utility, but it seems to be in line with the green/red dots in System Preferences > Users and Groups.

jcox_winsor_edu
New Contributor

@cddwyer I took your script there and extended it a bit because this AD binding bug is really ^&*%^( annoying. I have the script running on every check-in on computers that do not have Mobile Accounts enabled.

Here's my code: https://github.com/mstrperson/AppleADBindWorkAround

I added an automatic rebind using an AD service account and email notifications using postfix!