Bind macOS to Active Directory Using a Shell Script

In the first part of January, I released a post discussing how you could bind a Mac to Active Directory using configuration profiles. In my opinion, using a configuration profile to bind a Mac machine is the preferred method, but it is not the only way.

Apple ships a utility called dsconfigad, built into the OS itself, that can be driven from a shell script. Essentially, dsconfigad lets you configure the Active Directory binding from the command line, exactly as if you were using the Directory Utility application to configure it by hand.

If you run ‘man dsconfigad’ inside of Terminal, you’ll see all of the available options, along with details of which are required and which are optional.

In my example script, I used just four of the available flags. The descriptions below are taken from the man page.

Example: -add fully.qualified.domain.name
 The fully-qualified DNS name of the Domain to be used when
 adding the computer to the Directory (e.g., domain.ads.exam-

Example: -username administrator
 Username of a Network account that has administrative privileges
 to add/remove this computer to/from the specified Domain

Example: -password mySecretPassword
 Password to use in conjunction with the specified username. If
 this is not specified, you will be prompted for entry. Note
 that using this option has a security risk due to a small window
 where the password could be captured from running process list.
 Consider using the prompting mechanism to ensure passwords are
 not exposed unexpectedly.

Example: -computer computerid
 The "computerid" to add the specified Domain

Below is my full script including the shebang and variables.

Full Script

#!/bin/bash
# domainBind.sh
# Created by Bennett Norton on 11/14/16.
# This script will bind a Mac to the specified Active Directory domain

# Script Variables (the three values below are placeholders; replace them with your own)
adDomain="your.fully.qualified.domain"
adminUser="yourBindAccount"
adminPassword="yourBindPassword"
# Use the Mac's own computer name as the AD computer ID
computerID=$( scutil --get ComputerName )

# Do the domain binding
dsconfigad -add "${adDomain}" -username "${adminUser}" -password "${adminPassword}" \
    -computer "${computerID}"

As can be seen, the script to bind a Mac to a domain can be fairly straightforward. I’ve added a couple of variables to make it easy for you to copy my script and use it directly, or you can just download it from GitHub. Just change out the variable values with your specific domain, username and password. You can leave the computerID variable set to the scutil call that reads the computer’s name from the machine itself, or you can insert your own. That part is up to you.

If any of you are wondering whether I really am putting a username and password in clear text within this script and thinking I am crazy, then know your curiosity is well founded. This is the exact reason I prefer to use a configuration profile as opposed to a script. However, it is not too hard to set up a dedicated account that can bind a machine but has no other privileges, just in case this account is somehow compromised.

In addition, while I don’t include this step in my example script above, you may choose to make deleting the script file that was copied down to the machine the last command in the script. That way it’s not just sitting around on a machine waiting for some wandering eyes to discover it.

Just make sure that when you’re all done with your script, you give it the execute permission it needs:

chmod +x /path/to/your/script.sh
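The two mitigations just described (a bind-only account and removing the script after it runs) can be folded into the script itself. Below is an added, hardened variant of domainBind.sh; it is not the original post's script. It assumes the management agent runs it as root, that the deployment stages the bind password in a root-only (0600) file at the placeholder path in CRED_FILE instead of in the script body, and that AD_DOMAIN and AD_BIND_USER are placeholders you replace.

```shell
#!/bin/bash
# Hardened variant of domainBind.sh (added example, not the original post's script).
# Assumptions: runs as root; the bind password is staged by the deployment in a
# root-only 0600 file at CRED_FILE (placeholder path); AD_DOMAIN / AD_BIND_USER are
# placeholders for your domain and your least-privilege bind account.
set -eu

DSCONFIGAD="${DSCONFIGAD:-dsconfigad}"                 # indirection so the logic can be tested
CRED_FILE="${CRED_FILE:-/private/var/root/.adbind}"    # placeholder path
adDomain="${AD_DOMAIN:-your.fully.qualified.domain}"   # placeholder
adminUser="${AD_BIND_USER:-bindaccount}"               # placeholder: account that may only join computers

# AD computer account (NetBIOS) names are limited to 15 characters with no spaces
# or punctuation, so a raw scutil name like "Bennett's MacBook Pro" would be rejected.
sanitize_computer_id() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | cut -c1-15
}

# First line of the credential file; the secret is never stored in the script body.
read_credential() {
  IFS= read -r pw < "$1" || [ -n "$pw" ]   # accept a file without a trailing newline
  printf '%s' "$pw"
}

# Same dsconfigad call as the original script. The password still transits the
# argument list (the brief process-list window the man page warns about).
bind_mac() {  # $1 domain, $2 user, $3 password, $4 computer id
  "$DSCONFIGAD" -add "$1" -username "$2" -password "$3" -computer "$4"
}

# Succeeds only if `dsconfigad -show` lists the expected domain.
verify_bound() {
  "$DSCONFIGAD" -show | grep 'Active Directory Domain' | grep -Fqi "= $1"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  computerID=$(sanitize_computer_id "$(scutil --get ComputerName)")
  adminPassword=$(read_credential "$CRED_FILE")
  rm -f "$CRED_FILE"                      # secret leaves the disk whether or not the bind works
  bind_mac "$adDomain" "$adminUser" "$adminPassword" "$computerID"
  verify_bound "$adDomain"
  rm -f -- "$0"                           # the post's suggested last step: remove the script
}

# dsconfigad exists only on macOS; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ]; then main; fi
```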


Create Your Package for LANDESK Management Suite

  1. Open the LANDESK Console.
  2. In the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower-left menu tree of the Distribution Packages window, highlight My Packages or Public Packages.
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package > Macintosh Agent.
  5. Give the package a name, something like Domain Bind Script.
  6. Provide a description if desired.
  7. Set the primary file to the .sh file you previously created.
  8. Fill out the Metadata details if desired.
  9. Save the package.


Deploy Your Package

  1. Right-click the Domain Bind package you created and select Create Scheduled Task.
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task.
  3. Right-click the task and select Properties.
  4. Under Task Settings, set the desired task type: a push, a policy, or a hybrid of the two in a policy-supported push.
  5. If you want the end user to be able to initiate the domain bind, set the radio button in the Portal Settings to either Recommended or Optional; otherwise set it to Required, and it will apply automatically the next time the client is scheduled to run policies.
  6. Change the Reboot Settings or Distribution and Patch settings if desired.
  7. Set the scheduled task settings with the appropriate start time.