How to use a script to unbind Macs from the domain (Apple plugin) with the Deployment Manager

By Centrify Contributor II 12-22-2016 09:48 PM

For environments that integrated their Macs with Active Directory before adopting Centrify, unbinding them from the Apple Directory Services plugin ahead of the Centrify deployment can be a daunting task, and it becomes extremely cumbersome if you are also installing Centrify's Mac agent manually from the disk image installer. Thankfully, I have a solution that may benefit your deployment and cut down the time it takes to deploy to multiple machines, with some tweaks to the Deployment Manager application that Centrify provides with the Server Suite software.

First, log on to the Windows machine in your domain that has the Server Suite installed. Next, download the zip file (unbindApple.zip) attached to this blog post and extract it to a local directory on the Windows machine. For this blog, I will use the C:\Scripts directory. The zip file contains a script named unbindApple.sh that was created by an amazing Centrify employee.

Note 1: Please test this script manually on a domain-joined Mac that is not running a Centrify agent before using it on your production Macs. You will need to edit the script with your favorite script editor (Notepad++ works well on Windows) before running it for the first time, since line 22 needs a domain admin username, or the username of someone with permission to leave the OU/Container that the Mac is currently bound to, for successful execution. If you are fluent in Mac scripting, then I greatly encourage you to build your own script.

Note 2: If you need custom scripting by a Centrify Professional Services consultant, please contact your Centrify Sales Representative.

Now open the DirectManage Deployment Manager application. Once you get it opened and loaded, right-click on the Centrify DirectManage Deployment Manager node and select "Options".

[Image: Deployment Manager Options.png]

Next, select the "Terminal" tab from the Options window and click "Add". Enter a descriptive name for the Terminal Application that you are adding and, for the Location, select the Putty executable from the machine's Program Files directory. If you installed Putty with the Centrify Server Suite, then it should be located at C:\Program Files\Centrify\DirectManage Deployment Manager\External.

[Image: Deployment Manager Terminal Application.png]

Enter the following Arguments for the Terminal Application:

-ssh ${ip} -l ${usr} -pw "${pwd}" -t -m "C:\Scripts\unbindApple.sh"

Note 1: You may need to retype the quotation (") marks if you copy/paste this command.

Note 2: The location of the script is given in this argument (C:\Scripts\unbindApple.sh), so if you put the script in a different directory, make sure to enter the right directory location. Also, if your script has a different name, ensure you are typing the correct script name.

You can now click "OK" to save and exit the Terminal Application box and click "OK" again to save and close the Options box.

To use this script, add Macs to Deployment Manager as usual by following Step 1, then download the Mac agent and Analysis software in Step 2. Please see our Quick Start Deployment Manager Demo on YouTube if you need help with these two steps.

Once you get to Step 3, you can right-click on the Macs that you added in Step 1 and hover your mouse over the word "Remote Session". You should see the name of your Terminal Application. In this example the name is "Unbind Apple". Once you select the remote session, the Deployment Manager will launch a Putty session and run the unbind script.

[Image: Unbind Apple.png]

Note: You will need to click the "Yes" button that pops up in Putty if this is your first time connecting to that Mac remotely via ssh from the Windows machine that you are on.

You should see the Putty terminal session open and prompt you for the local admin credentials for the privileged sudo commands. Next, you will be prompted to enter the domain user's credentials. If the username is incorrect, make sure you edited the script and entered the correct username in line 22. You should be able to tell which account's credentials are needed from the prompt, because the domain username is displayed when its credentials are requested.

[Image: Putty script session.png]

If both users have the correct permissions (local admin and domain admin), then you should see a successful result.

[Image: Sucessful unbind.png]

If you run into issues unbinding, then your Mac may have fallen off the domain. In this case you have a few options. You can edit the script and add the -force option to leave the domain without contacting Active Directory, or you can remote into the Mac using Putty and enter the following command manually:

sudo /usr/sbin/dsconfigad -remove -force -username domainadmin

Note: Remember to replace domainadmin with the actual domain admin username.

If you choose to force the removal from the domain, then you will need to manually go into Active Directory Users and Computers and delete the computer object for the machine before deploying the Mac agent and joining the domain with Centrify's Deployment Manager.
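
As an added example that is not the attached unbindApple.sh, here is a constructed script in the same spirit, covering both the "edit line 22" instruction above and the forced-removal fallback just described: the domain admin account sits in one variable near the top, the script checks dsconfigad -show before doing anything, and it only falls back to -force when the normal unbind fails. DOMAIN_ADMIN and the function names are placeholders of mine, not from the original script.

```shell
#!/bin/bash
# Constructed stand-in for unbindApple.sh (not the attached script).
# Edit DOMAIN_ADMIN the way the post says to edit line 22 of the original:
# an account allowed to remove the computer object from its OU/container.
DOMAIN_ADMIN="domainadmin"   # placeholder, replace before use

# Extract the bound domain from `dsconfigad -show` output passed as $1.
# Prints nothing when the Mac is not bound with the Apple plugin.
bound_domain() {
    printf '%s\n' "$1" | awk -F'= ' '/^Active Directory Domain/ {
        sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Build the dsconfigad argument list; "force" adds -force so the Mac
# leaves without contacting AD (the "fallen off the domain" case).
unbind_args() {
    if [ "$1" = "force" ]; then
        echo "-remove -force -username $DOMAIN_ADMIN"
    else
        echo "-remove -username $DOMAIN_ADMIN"
    fi
}

# Interactive flow: sudo prompts for the local admin password, then
# dsconfigad prompts for DOMAIN_ADMIN's password (no -password is given).
main() {
    show_output=$(dsconfigad -show 2>/dev/null || true)
    domain=$(bound_domain "$show_output")
    if [ -z "$domain" ]; then
        echo "Not bound with the Apple plugin; nothing to unbind."
        return 0
    fi
    echo "Bound to $domain; unbinding as $DOMAIN_ADMIN ..."
    # Word splitting of the argument list is intended here.
    # shellcheck disable=SC2046
    if sudo /usr/sbin/dsconfigad $(unbind_args normal); then
        echo "Unbind succeeded."
    else
        echo "Normal unbind failed; forcing. Delete the computer object in ADUC afterwards."
        sudo /usr/sbin/dsconfigad $(unbind_args force)
    fi
}

# Only run the interactive flow on macOS; elsewhere just define the functions.
if [ "$(uname)" = "Darwin" ]; then
    main
fi
```

Run it over ssh the same way the post does (PuTTY's -m option), or source it to reuse the helper functions in your own script.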

After you get all of your Macs unbound and removed from the domain you can move on to steps 3 and 4 to Analyze your environment, then deploy and join your Macs to the domain.

Comments
By SylvainCortes
on 01-07-2017 06:01 AM

Hi,

Sorry, but I don't find where to download the script from the post....

Another point: could you provide a similar script to unjoin an AD domain but currently using the Centrify Agent?

Let's imagine I need to migrate from an AD forest/domain to another AD forest/domain; first I need to unjoin massively the different MacOS from the first domain - could you?

Regards,

Sylvain

By Centrify Contributor II
01-11-2017 10:10 AM

Hi Sylvain,

I am unsure of why the script did not get attached previously, but I just added it back to this blog post. Please let me know if you have any issues.

In regards to creating a custom script for unbinding using Centrify, you only need to be aware of the "adleave" command and may not need to script this. This command can only be used on a machine with the Centrify agent (adclient) installed. Here is an example of how to use the command:

sudo adleave -user domainadmin

If you want to see the other options for this command, then just type the following:

sudo adleave -h

This command can be used in your own script. Unfortunately, the script that I provided is to be used as proof of concept and not supported by our Centrify Support team. If you still want assistance creating or modifying a custom script by a Centrify Professional Services consultant, then please contact your Centrify Sales Representative.
