Force unbinding with dsconfigad without using an Active Directory admin account
While developing a process to make it relatively easy for someone with little Mac experience to unbind and rebind a Mac to an Active Directory domain, I ran across an interesting problem.
I wanted to use Apple’s dsconfigad tool, but it requires a user account and password: either both are given on the command line, or only the username is given and the tool then prompts for the password. Since I was going to be scripting this, that meant I would need to put the password in the clear.
While I was puzzling in IRC over the issue of a) putting an AD admin password in the clear for anyone with access to the script or b) attempting to remove the binding files and deal with the issues there, Tim Sutton asked a simple question: “Did you try giving a bogus user?”
No. I hadn’t.
As it turns out, if you’re forcing an unbind, dsconfigad only cares that you give it a user and a password. It apparently doesn’t check whether the account actually exists in AD. Running the following command with root privileges will work fine to force a Mac to unbind from AD:
dsconfigad -force -remove -u johndoe -p nopasswordhere
Note: Running this command will only unbind the Mac. It does not remove the computer object from your Active Directory domain.
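As an added example (not from the original post), here is how the forced unbind can be wrapped in a script that keeps no real AD credentials at all and verifies the result afterwards. It assumes that `dsconfigad -show` prints a line of the form `Active Directory Domain = <domain>` while bound and no such line once unbound; the user and password passed to the command are deliberate placeholders, and the sample output is constructed.

```shell
#!/bin/sh
# Force-unbind a Mac from AD without embedding a real AD admin password,
# then confirm the unbind by parsing `dsconfigad -show`.
# Assumption: `dsconfigad -show` prints "Active Directory Domain = <domain>"
# while bound and prints no such line when unbound.
set -u

# ad_domain_from_show: read `dsconfigad -show` output on stdin and print the
# bound domain, or nothing if no domain line is present.
ad_domain_from_show() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# is_bound: print "yes" if the given -show output names a domain, else "no".
is_bound() {
    if [ -n "$(printf '%s\n' "$1" | ad_domain_from_show)" ]; then
        echo yes
    else
        echo no
    fi
}

# force_unbind: run the forced removal as root. The user and password are
# placeholders that need not exist in AD, so the script holds no secret.
# Returns 0 only if the Mac is no longer bound afterwards.
force_unbind() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "force_unbind: must run as root" >&2
        return 1
    fi
    before=$(/usr/sbin/dsconfigad -show 2>/dev/null)
    if [ "$(is_bound "$before")" = no ]; then
        echo "not bound; nothing to do"
        return 0
    fi
    /usr/sbin/dsconfigad -force -remove -u notarealuser -p notarealpassword
    after=$(/usr/sbin/dsconfigad -show 2>/dev/null)
    [ "$(is_bound "$after")" = no ]
}

# Constructed sample of "bound" output for a self-check (not captured from a real Mac).
SAMPLE_BOUND='You are bound to Active Directory:
        Active Directory Forest          = corp.example.com
        Active Directory Domain          = corp.example.com
        Computer Account                 = mac01$'

# Only touch the real binding when explicitly asked: sudo sh unbind.sh --run
if [ "${1:-}" = "--run" ]; then
    force_unbind
fi
```

The computer object still has to be cleaned up on the AD side afterwards, since nothing here removes it.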