Force unbinding with dsconfigad without using an Active Directory admin account
While developing a process to make it relatively easy for someone with little Mac experience to unbind and rebind a Mac to an Active Directory domain, I ran across an interesting problem.
I wanted to use Apple’s dsconfigad tool, but it wants an account name and password: either both are specified as part of the command, or the command specifies a username and dsconfigad then prompts for the password. Since I was going to be scripting this, that meant I would need to put the password in the clear.
While I was puzzling in IRC over the issue of a) putting an AD admin password in the clear for anyone with access to the script or b) attempting to remove the binding files and deal with the issues there, Tim Sutton asked a simple question: “Did you try giving a bogus user?”
No. I hadn’t.
As it turns out, if you’re forcing an unbind, dsconfigad only cares that you give it a user and a password. It apparently doesn’t check whether the account actually exists in AD. Running the following command with root privileges will work fine to force a Mac to unbind from AD:
dsconfigad -force -remove -u johndoe -p nopasswordhere
Note: Running this command will only unbind the Mac. It does not remove the computer object from your Active Directory domain.
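As an added example (not from the original post), here is a small wrapper script that uses the bogus-credential trick so the helper never needs a real AD password in the file: it checks whether the Mac is bound by parsing dsconfigad -show, runs the forced removal as root, and verifies the result. It assumes macOS with /usr/sbin/dsconfigad; the account name nobody-bogus and the sample -show output are constructed for illustration.

```shell
#!/bin/sh
# Added example: force-unbind a Mac from AD without embedding a real AD
# credential. Assumes macOS and /usr/sbin/dsconfigad (override via DSCONFIGAD).
DSCONFIGAD="${DSCONFIGAD:-/usr/sbin/dsconfigad}"

# Print the domain from `dsconfigad -show` text (passed in as $1 so the parser
# can be exercised without the tool); prints nothing when the Mac is not bound.
# Expected line shape, e.g.: "Active Directory Domain          = example.com"
ad_domain_from_show() {
    printf '%s\n' "$1" | sed -n 's/^Active Directory Domain *= *//p' | head -n 1
}

# Exit status 0 if the -show text indicates a binding, 1 otherwise.
is_bound() {
    [ -n "$(ad_domain_from_show "$1")" ]
}

force_unbind() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "force_unbind: must run as root" >&2
        return 2
    fi
    show_out="$("$DSCONFIGAD" -show 2>/dev/null)"
    if ! is_bound "$show_out"; then
        echo "not bound to Active Directory; nothing to do"
        return 0
    fi
    echo "unbinding from $(ad_domain_from_show "$show_out")"
    # With -force, dsconfigad does not validate the account against AD, so a
    # bogus user/password (constructed placeholders) is enough; no admin
    # secret ever has to live in this script.
    "$DSCONFIGAD" -force -remove -u nobody-bogus -p nopasswordhere || return 1
    if is_bound "$("$DSCONFIGAD" -show 2>/dev/null)"; then
        echo "force_unbind: Mac still reports an AD binding" >&2
        return 1
    fi
    echo "unbound; the computer object is still in AD and must be removed there"
}

# Only perform the unbind when explicitly asked, so sourcing is side-effect free.
if [ "${1:-}" = "--run" ]; then
    force_unbind
fi
```

Run it as root with --run; the "still in AD" reminder reflects the note above that a forced unbind leaves the computer object in the domain.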
This works in the GUI too, at least if it was originally joined with the -force flag.
Is there a way to remove the computer object from the Active Directory domain? Would save some manual work.
Hi Daniel,
Were you able to automate removing a computer object from the Active Directory domain? It would be great to first have Rich’s command
dsconfigad -force -remove -u johndoe -p nopasswordhere
then the script remove the device from AD
Helped me automate a way to fix random AD issues. Thanks!
I’m trying to do this with an AD server that is encrypted with ransomware. This does not seem to work, as when I use the terminal resetpassword in recovery mode, it still says the authenticating server cannot be reached. Any idea how to do this when the AD server is offline?
Very useful, even all these years later!