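==== Adding Macs to an AD Domain ====

Read the documentation, update the script with your domain details. Run the script, presto!

{{:sysadmin:macmigrations.docx|Documentation}}

#!/bin/bash
# macad.sh - Script to join Macs to an AD domain
#
# Peter Fowler
# Version: 1.0.3
# Date: 16/11/2011
#
# Usage:
#   sudo -s            (the script must run as root)
#   ./macad.sh         interactive: optionally migrate a local profile to an
#                      AD account and/or bind the Mac to the domain
#   ./macad.sh -v      print the version and exit
#
# Site-specific settings live in the "Domain options" and "Advanced options"
# sections below (NTP server, domain, OU, admin groups); edit them before use.
#
# Change History
# 16/11/2011 - 1.0.0 Release
# 25/11/2011 - Ask if local profile to be migrated, if not, still
#              allow the script to join to the domain
#            - Check that mcs.usyd.edu.au can be resolved, otherwise die
#            - Added fallback method of AD lookups if directory
#              utility has not been installed on this mac
#            - Use join unikey to test if joined to the domain
# 20/02/2012 - Ask if profile migration is required.
#            - Various bug fixes on profile migration
# 20/10/2016 - Updated to use simple method for users home drive (No NFSHomeDirectory anymore)
#            - Added ability to run profile migration only for multi-user Macs
#            - Option to add administrative user rights during profile migration
#            - Check time against the AD server, quit if OFFSET > 30 seconds
#            - createmobileaccount - work around for 10.11 not creating mobile accounts with dsconfigad
#
#

VERS=1.0.3

if [ "$1" = "-v" ]; then
  echo "$VERS"
  exit 0
fi

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  echo "$1" >&2
  exit "${2:-1}"
}

#######################################
# Prompt until a non-empty answer is given and store it in the named variable.
# Arguments: $1 - prompt, $2 - variable name, $3 - "silent" to hide the input
#######################################
ask() {
  local prompt=$1 var=$2 silent=${3:-}
  local answer=""
  while [ -z "$answer" ]; do
    if [ "$silent" = "silent" ]; then
      read -r -s -p "$prompt" answer
      echo ""
    else
      read -r -p "$prompt" answer
    fi
  done
  printf -v "$var" '%s' "$answer"
}

#######################################
# Prompt until the answer is y or n (either case) and store "y"/"n" in the
# named variable. Previously any answer other than a lower-case "y" was
# silently treated as "no".
# Arguments: $1 - prompt, $2 - variable name
#######################################
ask_yn() {
  local prompt=$1 var=$2
  local answer=""
  while :; do
    read -r -p "$prompt" answer
    case "$answer" in
      y|Y) printf -v "$var" 'y'; return ;;
      n|N) printf -v "$var" 'n'; return ;;
    esac
  done
}

#######################################
# Restart the directory service so new AD configuration is picked up.
# NOTE(review): on 10.7+ the daemon is opendirectoryd; confirm that
# "DirectoryService" is still the right process name on the target image.
#######################################
restart_directory_service() {
  killall DirectoryService
  sleep 5
}

# Everything below writes system preferences and binds the machine,
# so it must run with uid 0.
uid=$(id -u)
if [ "$uid" -ne 0 ]; then
  echo "This script must be run as root"
  echo ""
  echo "Type: sudo -s"
  echo " then rerun the script"
  echo ""
  exit 1
fi

#
# Check time offset from MCS servers. A large clock skew makes the
# Kerberos-based join fail in confusing ways, so bail out early.
#
NTPSERVER=letts.mcs.usyd.edu.au
MAXOFFSET=30   # seconds, in either direction

# NOTE(review): ntpdate is not shipped on every macOS release - confirm it
# exists on the target image (sntp is the usual replacement).
command -v ntpdate >/dev/null 2>&1 || die "ntpdate not found, cannot check the clock against $NTPSERVER" 2

# The last "server" line of 'ntpdate -q' reads
# "... adjust time server X offset N sec"; field 10 is the offset in seconds.
OFFSET=$(ntpdate -q "$NTPSERVER" | grep server | tail -n 1 | awk '{print $10}')

# An empty or non-numeric offset means the query failed. The old check
# silently passed in that case; treat it as a hard error instead.
case "$OFFSET" in
  ''|*[!0-9.-]*) die "Could not read the time offset from $NTPSERVER (got '$OFFSET')" 2 ;;
esac

NOSYNC=0
if [ "$(echo "$OFFSET > $MAXOFFSET" | bc)" -eq 1 ]; then NOSYNC=1; fi
if [ "$(echo "$OFFSET < -$MAXOFFSET" | bc)" -eq 1 ]; then NOSYNC=1; fi
if [ "$NOSYNC" -eq 1 ]; then
  echo -n "Time is not set correctly: "
  date
  echo " Offset is $OFFSET"
  echo
  exit 2
fi

#
# Domain options
#
domain="mcs.usyd.edu.au"
ou="ou=Desktops,DC=mcs,DC=usyd,DC=edu,DC=au"
admingroups="MCS\domain admins"   # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")

#
# Advanced options
#
alldomains="enable"       # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable"        # 'enable' or 'disable' force home directory to local drive
protocol="smb"            # 'afp' or 'smb' change how home is mounted from server
mobile="enable"           # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable"   # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable"      # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"    # e.g., /bin/bash or "none"
preferred="-nopreferred"  # Use the specified server for all Directory lookups and authentication
                          # (e.g. "-nopreferred" or "-preferred ad.server.edu")

computerid=$(/usr/sbin/scutil --get LocalHostName)
udn=""
password=""
unikey=""
lhome=""

# Check that we can locate the mcs domain
if ! host "$domain" >/dev/null 2>&1; then
  echo "Could not find $domain"
  echo "Check network settings and DNS"
  exit 1
fi

# We dont always have to migrate a profile
ask_yn "Migrate a local profile? (y/n)" profmig

if [ "$profmig" = "y" ]; then
  ask "Enter users unikey: " unikey

  # Check if the user already exists. Could be an indication
  # that the local profile hasnt yet been removed
  if id "$unikey" >/dev/null 2>&1; then
    echo "User $unikey found in database, have you removed the user?"
    echo " Could also mean the Mac is already on the domain..."
    read -r -p "Hit return to continue, Ctrl-C to cancel"
  fi

  # Get the users home directory. It will have (Deleted) appended to the
  # home after its been removed from the local.
  while [ -z "$lhome" ]; do
    read -r -p "Enter local profile home directory: " candidate
    if [ -z "$candidate" ]; then continue; fi
    # Drop a trailing slash so "$candidate (Deleted)" is formed correctly.
    candidate=${candidate%/}
    if [ -d "$candidate" ]; then
      lhome=$candidate
    elif [ -d "$candidate (Deleted)" ]; then
      lhome="$candidate (Deleted)"
    else
      echo "Home not found at $candidate, try again"
    fi
  done
  echo "Found home at $lhome"
  echo ""
fi

# We dont always have to join the domain
ask_yn "Join to MCS domain? (y/n)" dommig

if [ "$dommig" = "y" ]; then
  # Our hostname must be less than 15 characters. If the auto-detected
  # name is longer, ask for a shorter one.
  while [ ${#computerid} -ge 15 ]; do
    echo "computer id too long: $computerid"
    read -r -p "Enter a shorter computer id (Less then 15 characters): " computerid
  done
  echo ""

  # Get credentials of someone authorised to join computers
  # to the domain. Usually the migration persons unikey
  ask "Enter Domain privileged unikey (To join domain with): " udn
  ask "Enter Domain privileged password for $udn: " password silent
  echo ""

  # Activate the AD plugin
  defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
  plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
  sleep 5

  # Bind to AD.
  # NOTE(review): the password is passed on the dsconfigad command line and is
  # therefore briefly visible in the process list to other local users;
  # dsconfigad can prompt for it interactively when -p is omitted - confirm on
  # the target OS version if that matters on shared machines.
  if ! dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"; then
    echo "Could not verify AD join, check your domain user/pass"
    exit 1
  fi

  # Configure advanced AD plugin options
  if [ -z "$admingroups" ]; then
    dsconfigad -nogroups
  else
    dsconfigad -groups "$admingroups"
  fi
  # $preferred is deliberately unquoted: it may hold two words ("-preferred host").
  # shellcheck disable=SC2086
  dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
    -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
    -shell "$user_shell" $preferred

  restart_directory_service

  # Add the AD node to the search path
  if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
  else
    csp="/Active Directory/$domain"
  fi

  # Makes 'Name and password' the Login Window display
  defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE

  # The search-path writes used to hard-code "/Active Directory/All Domains"
  # even when alldomains=disable; use the node chosen above so they agree.
  defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "$csp"
  defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
  defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "$csp"
  defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3
  plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist

  restart_directory_service

  # Check if we have a successful connection. If not, we
  # can try the method for macs that don't have the
  # directory utility installed
  if ! id "$udn" >/dev/null 2>&1; then
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "$csp"
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "$csp"
    restart_directory_service
    # This test used to be written without its opening '[' and so never
    # fired; a lookup failure now aborts as intended.
    if ! id "$udn" >/dev/null 2>&1; then
      echo "Could not lookup MCS users, this machine is not using a default image"
      echo " Being a Mac sysadmin would probably help you out a lot right now"
      echo ""
      echo "A reboot might help"
      exit 1
    fi
  fi
  echo ""
  echo "Join successful, can lookup MCS ID's"
  echo ""
else
  echo "No domain migration will be performed"
fi

#
# Profile migration stuff
#
if [ "$profmig" != "y" ]; then
  echo "No profile migration selected. Done :-)"
  exit 0   # normal completion (was exit 1)
fi

if ! id "$unikey" >/dev/null 2>&1; then
  echo "Could not get id for $unikey, is Mac joined to the domain?"
  exit 1
fi

# Work around for mobile accounts not activating in 10.11. Failure is not
# fatal (the account may already be mobile), so only warn about it.
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
if ! "$CMA" -n "$unikey" >/dev/null 2>&1; then
  echo "Warning: createmobileaccount failed for $unikey, continuing" >&2
fi

# Different ways to get the users home directory
# doesnt seem supported anymore
#NEWHOME=$(dscl localhost read "/Active Directory/All Domains/Users/$unikey" NFSHomeDirectory | awk -F: {'print $2'} | sed 's/^ //g')
# Not populated until the user logs in for the first time
#NEWHOME=$(dscacheutil -q user -a name $unikey | grep dir | awk '{print $2}')
# Sometimes the simple is the best
NEWHOME="/Users/$unikey"
# Maybe try (Will prevent need to move home directory):
#NEWHOME=$(dscl . -change Users/$unikey NFSHomeDirectory OLDHOMEDIR NEWHOMEDIR)

# These two checks only matter if one of the dscl-based lookups above is
# re-enabled; with the fixed path they are cheap sanity checks.
if [ -z "$NEWHOME" ]; then
  echo "Could not find the path for new home, must do manual profile migration"
  exit 1
fi
if [ "$NEWHOME" = "Invalid Path" ]; then
  echo "Could not read the new home path"
  exit 1
fi

echo "New Home: $NEWHOME"
echo ""
echo ""
echo "Migrating the profile"
echo ""

if [ "$lhome" = "$NEWHOME" ]; then
  echo "$lhome already exists in location, skipping move"
elif [ -e "$NEWHOME" ]; then
  # mv into an existing directory would nest the old profile inside it
  # rather than replace it.
  echo "$NEWHOME already exists (has $unikey logged in already?), move it aside and rerun"
  exit 1
else
  mv "$lhome" "$NEWHOME" || die "Could not move $lhome to $NEWHOME"
fi

# Hand the profile to the AD user and remove group/other access. The old
# 'chmod -R 700' also set the execute bit on every regular file; strip
# group/other bits instead and keep the owner's bits as they were.
chown -R "$unikey" "$NEWHOME"
chmod 700 "$NEWHOME"
chmod -R go-rwx "$NEWHOME"

ask_yn "Give user $unikey administrative rights? (y/n)" admrights
if [ "$admrights" = "y" ]; then
  if /usr/sbin/dseditgroup -o edit -a "$unikey" -t user admin; then
    echo "Admin rights given to this account"
  else
    echo "Warning: could not add $unikey to the admin group" >&2
  fi
fi
echo ""
echo "All done... "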