
Force unbinding with dsconfigad without using an Active Directory admin account

While developing a process to make it relatively easy for someone with little Mac experience to unbind and rebind a Mac to an Active Directory domain, I ran across an interesting problem.

I wanted to use Apple’s dsconfigad tool, but it requires a user account and password: either both are specified as part of the command, or the command specifies a username and dsconfigad then prompts for the password. Since I was going to be scripting this, that meant I would need to put the password in the clear.

While I was puzzling in IRC over the choice between a) putting an AD admin password in the clear for anyone with access to the script, or b) attempting to remove the binding files by hand and dealing with the problems that causes, Tim Sutton asked a simple question: “Did you try giving a bogus user?”

No. I hadn’t.

As it turns out, when you force an unbind, dsconfigad only checks that you supplied a user name and a password. It apparently does not verify that the account actually exists in AD, so no real credential has to appear in the script. Running the following command with root privileges will force a Mac to unbind from AD:

dsconfigad -force -remove -u johndoe -p nopasswordhere


Note: Running this command only unbinds the Mac. It does not remove the computer object from your Active Directory domain; that object stays behind and has to be deleted separately on the AD side by someone with rights to remove computer objects.
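As an added example (not code from the original post), here is the shape the scripted version can take: a small POSIX sh wrapper that checks it is running as root, detects whether the Mac is currently bound, runs the force unbind with the placeholder credentials from the command above, and verifies the result. Because the credentials are bogus, it does not matter that dsconfigad -p exposes the password in the process argument list; that is only a concern when a real password is passed this way. The parsing of the "Active Directory Domain" line from dsconfigad -show output, the sample output used for the offline check, and the script file name in the guard at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the force unbind so it can be
# handed to someone unfamiliar with Macs. Requires root, like dsconfigad itself.

# Constructed sample of `dsconfigad -show` output (not captured from a real Mac),
# used only for the offline self-check below. Assumption: a bound Mac reports an
# "Active Directory Domain" line in this form.
SAMPLE_SHOW_OUTPUT='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = example.com
  Computer Account                 = mac01$'

# Read `dsconfigad -show` output on stdin. Print the bound domain and return 0
# if an "Active Directory Domain" line is present, otherwise print nothing and return 1.
bound_domain() {
    awk -F'= *' '/Active Directory Domain/ { print $2; found = 1 } END { exit !found }'
}

# Parse the constructed sample; lets the parsing be checked without a domain.
demo_parse() {
    printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | bound_domain
}

# Force the unbind. The user and password are deliberately bogus: with -force,
# dsconfigad does not check them against the domain, so no real AD admin
# password has to be stored in this script or shown to anyone who reads it.
force_unbind() {
    dsconfigad -force -remove -u johndoe -p nopasswordhere
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run as root." >&2
        return 2
    fi

    domain=$(dsconfigad -show | bound_domain) || {
        echo "This Mac is not bound to Active Directory; nothing to do."
        return 0
    }

    echo "Forcing unbind from $domain ..."
    force_unbind

    if dsconfigad -show | bound_domain >/dev/null; then
        echo "Unbind failed: the Mac still reports an AD binding." >&2
        return 1
    fi
    echo "Unbound. The computer object for this Mac still exists in AD and must be removed there separately."
}

# Run main only when executed as a script named ad-unbind.sh (assumed name),
# so the functions can also be sourced and checked on their own.
if [ "${0##*/}" = "ad-unbind.sh" ]; then
    main "$@"
fi
```

Save it as ad-unbind.sh and run it with sudo on the Mac to unbind. Rebinding is left to a separate step, since that genuinely needs a credential that is allowed to join computers to the domain.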

  1. Anonymous
    October 9, 2013 at 10:49 pm

    This works in the GUI too, at least if it was originally joined with the -force flag.

  2. Daniel Bruelisauer
    February 27, 2014 at 8:49 am

    Is there a way to remove the computer object from the Active Directory domain? Would save some manual work.

    • Al
      October 21, 2016 at 1:42 am

      Hi Daniel,
Were you able to automate removing a computer object from the Active Directory domain? It would be great to first have Rich’s command
      dsconfigad -force -remove -u johndoe -p nopasswordhere

then have the script remove the device from AD

  3. bigmaconcampus
    January 7, 2015 at 5:18 pm

    Helped me automate a way to fix random AD issues. Thanks!

  4. Rob
    July 6, 2021 at 11:12 pm

I’m trying to do this with an AD server that is encrypted with ransomware. This does not seem to work, as when I use the terminal resetpassword in recovery mode, it still says the authenticating server cannot be reached. Any idea how to do this when the AD server is offline?

  5. STUBAKKA
    March 16, 2022 at 6:33 pm

Very useful, even all these years later!
