1. Check current AD settings
sudo dsconfigad -show
If the Mac is bound, it will print something like:
Active Directory Domain = stalker.weird.org
Computer Account = xxx
Advanced Options - User Experience
Create mobile account at login = Enabled|Disabled
Require confirmation = Enabled|Disabled
Force home to startup disk = Enabled|Disabled
Mount home as sharepoint = Enabled|Disabled
Use Windows UNC path for home = Enabled|Disabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = xxx
Mapping user GID to attribute = xxx
Mapping group GID to attribute = xxx
Generate Kerberos authority = Enabled|Disabled
Advanced Options - Administrative
Preferred Domain controller = xxx
Allowed admin groups = xxx
Authentication from any domain = Enabled|Disabled
Packet signing = xxx
Packet encryption = xxx
Password change interval = 000
Restrict Dynamic DNS updates = xxx
Namespace mode = xxx
2. Install the Enterprise Connect app from Apple, which makes it easy to reconnect and change the AD password. The org's IT must support it. You won't find it in the App Store.
3. Unbind AD.
dsconfigad -f -r -u <ad_username>
The above command will unbind the OS X user account from the AD server. Check whether the AD service is still active by running the command in step 1 again. It should print nothing.
4. If we later need to bind to AD again, use Enterprise Connect -> Reconnect -> Change Password, which is the easy way. Otherwise we can use the dsconfigad utility to do the binding.
Enjoy stealth mode.
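The check from steps 1 and 3 can be scripted. This is an added example, not part of the original steps: it parses `dsconfigad -show` output to report the bind state and to record a few settings before unbinding. The function names and the sample values are assumptions made for illustration.

```shell
# Added example: parse `dsconfigad -show` output (format as in step 1).

# Constructed sample output; the values are made up for illustration.
SAMPLE_BOUND='Active Directory Domain        = stalker.weird.org
Computer Account               = examplemac$
Advanced Options - User Experience
  Create mobile account at login = Enabled
Advanced Options - Administrative
  Allowed admin groups           = not set
  Packet signing                 = allow
  Packet encryption              = allow'

# ad_setting KEY: read dsconfigad output on stdin, print the value for KEY.
ad_setting() {
    awk -F'=' -v key="$1" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# ad_bind_state: print "bound <domain>" or "unbound" for output on stdin.
ad_bind_state() {
    domain=$(ad_setting "Active Directory Domain")
    if [ -n "$domain" ]; then
        echo "bound $domain"
    else
        echo "unbound"    # empty output, as expected after step 3
    fi
}

# ad_snapshot: print the settings worth recording before an unbind.
ad_snapshot() {
    out=$(cat)
    for key in "Active Directory Domain" "Computer Account" \
               "Allowed admin groups" "Packet signing" "Packet encryption"; do
        printf '%s=%s\n' "$key" "$(printf '%s\n' "$out" | ad_setting "$key")"
    done
}

# On a Mac: sudo dsconfigad -show | ad_bind_state
printf '%s\n' "$SAMPLE_BOUND" | ad_bind_state
printf '' | ad_bind_state
```

Saving the `ad_snapshot` output before step 3 keeps a record of the domain, computer account and signing settings in case the Mac has to be bound again later.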