Wednesday, October 25, 2017

Unbind Active Directory from OS X

When your enterprise uses Active Directory for identity management, the OS X user account is by default bound to the AD service. The convenience this brings is that changing the OS X user account password also changes the AD account password, and services such as WiFi and printer authentication keep working because the keychain is updated as well. If the OS X user account is not bound, we have to manually remove or update the cached service passwords in the keychain each time. The problem, however, is that AD receives information on local OS X account activity, which gets synced whenever the machine connects to the internal network. You cannot be a ghost then. Now comes the unbinding part.
1. Check current AD settings
sudo dsconfigad -show
If bound, it will print something like:
Active Directory Domain          =
Computer Account = xxx

Advanced Options - User Experience
Create mobile account at login = Enabled|Disabled
Require confirmation = Enabled|Disabled
Force home to startup disk = Enabled|Disabled
Mount home as sharepoint = Enabled|Disabled
Use Windows UNC path for home = Enabled|Disabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = xxx
Mapping user GID to attribute = xxx
Mapping group GID to attribute = xxx
Generate Kerberos authority = Enabled|Disabled

Advanced Options - Administrative
Preferred Domain controller = xxx
Allowed admin groups = xxx
Authentication from any domain = Enabled|Disabled
Packet signing = xxx
Packet encryption = xxx
Password change interval = 000
Restrict Dynamic DNS updates = xxx
Namespace mode = xxx
2. Install the Enterprise Connect app from Apple, which makes it easy to reconnect and change the AD password. Your org's IT must support it; you won't find it in the App Store.
3. Unbind AD.
sudo dsconfigad -f -r -u <ad_username>
This command (-r removes the binding, -f forces it) unbinds the OS X account from the AD server. Check whether the AD service is still active by running the command from step 1 again; it should now print nothing.
4. Later, if we need to bind to AD again, use Enterprise Connect -> Reconnect -> Change Password, which is the easy way. Otherwise we can use the dsconfigad utility to do the binding.
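To make the before/after check from steps 1 and 3 repeatable, here is a small added shell helper (not part of the original post) that reads `dsconfigad -show` output and reports whether the Mac is bound, to which domain and computer account, and whether mobile-account creation is enabled. It assumes the "key = value" layout shown in step 1; the sample output below is constructed, not from a real domain.

```shell
#!/bin/sh
# Added example: parse `sudo dsconfigad -show` output (layout as in step 1).

# ad_field KEY : print the value of the first "KEY = value" line on stdin
# (prints nothing if the key is absent).
ad_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# ad_bind_status : read dsconfigad -show output on stdin and print
#   "unbound"                                     when the output is empty
#   "bound <domain> <computer account> mobile=…"  otherwise
ad_bind_status() {
    out=$(cat)
    if [ -z "$out" ]; then
        echo "unbound"          # what step 3 expects after the unbind
        return 0
    fi
    domain=$(printf '%s\n' "$out" | ad_field "Active Directory Domain")
    account=$(printf '%s\n' "$out" | ad_field "Computer Account")
    mobile=$(printf '%s\n' "$out" | ad_field "Create mobile account at login")
    echo "bound ${domain:-?} ${account:-?} mobile=${mobile:-?}"
}

# Constructed sample in the layout of step 1 (hypothetical domain/account).
SAMPLE_SHOW='Active Directory Domain          = example.corp
Computer Account                 = mac-lab-01$

Advanced Options - User Experience
Create mobile account at login   = Enabled
Require confirmation             = Disabled'

# On the Mac itself:  sudo dsconfigad -show | ad_bind_status
# Demo on the constructed sample, then on empty output (unbound case):
printf '%s\n' "$SAMPLE_SHOW" | ad_bind_status
printf '' | ad_bind_status
```

Run it before step 3 and again afterwards: the first run should report "bound …", the second "unbound".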

Enjoy stealth mode.