
#1 2012-10-26 13:33:06

sven
Member
Registered: 2012-10-26

AD binding with Centrify

Is it possible to add a workflow tool for AD binding with Centrify?
Has someone already scripted this?

TX
Sven


#2 2012-11-19 19:44:15

cabbage
Member
Registered: 2012-04-16

Re: AD binding with Centrify

If you can figure it out, please share. I know it's possible with Casper. The issue I currently have is that the domain admin's password is not encrypted.


#3 2013-02-27 01:12:13

MachineShedFred
Member
Registered: 2013-01-31

Re: AD binding with Centrify

I'm doing this via a delayed execution script, using the adjoin command:

adjoin domain.com -u $USER -p $PASS -c $OU -s read-write-dc.domain.com -w

Just put a service account and password in the variables above in your script, and either put in a static OU, or determine it by other means (I'm doing a DNS short-name query that gives me the site suffix, which tells me where the Mac is.)

Leave off the -w if you are using zones; -w gives you autozone.


#4 2013-02-27 09:46:35

sven
Member
Registered: 2012-10-26

Re: AD binding with Centrify

How do you do the delayed execution of the script?
I had the same idea, but in a single run of a DeployStudio workflow, the script always runs before the machine is renamed with the correct hostname.
So the adjoin always fails.


#5 2013-02-27 13:52:32

MachineShedFred
Member
Registered: 2013-01-31

Re: AD binding with Centrify

I have another delayed execution script that renames the Mac, which is farther left in the workflow - I'm not using the built-in renaming functionality in DeployStudio because sometimes we want a Mac to get a different name (asset transfers departments, locations, etc.).  I also have a couple other actions in there in between just to give a time buffer for everything to settle.

Overall, my workflow does this after the reboot:

Machine rename
Clean out all network locations, recreate Automatic, and an "Office" location with proxy settings for Ethernet and Wi-Fi if present
Install encryption agent if it's a laptop (hint: sysctl hw.model | grep -i "book", since hw.model reports names like MacBookPro with a capital B)
Install Java base PKG
Install Java latest update (Java 7 Update 15 at this time)
Install Centrify agent
Set NTP servers script (I set both an internal domain controller, as well as an external NTP for laptops that leave the safe confines of our network)
Install antivirus package
Join AD script
Install FileWave agent
Copy CIS logon notice page thing
Script to do various cleanup of odds and ends that are out of place
Reboot

The script commands to fully rename a Mac:
scutil --set ComputerName "name"
scutil --set LocalHostName "name"
scutil --set HostName "name"

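Putting the adjoin call from #3 and the rename-then-join ordering from #5 into one delayed-execution script, as an added example that is not from the thread, Centrify or DeployStudio. It assumes a root-only credentials file at an assumed path, a constructed site-to-OU table, and placeholder domain/DC names; the adjoin flags are the ones posted above.

```shell
#!/bin/sh
# Added example: rename the Mac first, then run Centrify's adjoin, so the join
# never happens under the old hostname. Credentials are read from a root-only
# file holding a least-privilege join account (not a domain admin).
# CRED_FILE path, domain, DC and OU values are assumed placeholders.
set -eu

CRED_FILE="/private/var/root/.adjoin_creds"  # assumed: lines "user=..." and "password=..."
AD_DOMAIN="domain.com"                        # placeholder, as in the thread
AD_DC="read-write-dc.domain.com"              # placeholder, as in the thread

# AD computer names: letters, digits, hyphens, at most 15 characters (NetBIOS limit).
valid_hostname() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,13}[A-Za-z0-9])?$'
}

# Map a site suffix (the thread gets it from a DNS short-name query) to an OU; constructed table.
ou_for_site() {
  case "$1" in
    hq)  echo "OU=Macs,OU=HQ,DC=domain,DC=com" ;;
    lab) echo "OU=Macs,OU=Lab,DC=domain,DC=com" ;;
    *)   echo "OU=Macs,OU=Unassigned,DC=domain,DC=com" ;;
  esac
}

# Only read credentials from a file that is root-owned and mode 0600.
cred_file_is_private() {
  [ -f "$1" ] || return 1
  owner=$(ls -ld "$1" | awk '{print $3}')
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$owner" = "root" ] && [ "$perms" = "-rw-------" ]
}

rename_mac() {
  valid_hostname "$1" || { echo "bad hostname: $1" >&2; return 1; }
  scutil --set ComputerName "$1"
  scutil --set LocalHostName "$1"
  scutil --set HostName "$1"
}

join_ad() {   # $1 = site suffix used to choose the OU
  cred_file_is_private "$CRED_FILE" || { echo "refusing: $CRED_FILE must be root-only 0600" >&2; return 1; }
  user=$(sed -n 's/^user=//p' "$CRED_FILE")
  pass=$(sed -n 's/^password=//p' "$CRED_FILE")
  adjoin "$AD_DOMAIN" -u "$user" -p "$pass" -c "$(ou_for_site "$1")" -s "$AD_DC" -w
}

# Usage (as root, from the delayed DeployStudio run): script.sh --run NEWNAME SITE
if [ "${1:-}" = "--run" ]; then rename_mac "$2"; sleep 5; join_ad "${3:-unknown}"; fi
```

Because adjoin takes the password on its command line, as in the thread, it is briefly visible to other local processes while the join runs; the restricted file only keeps it out of the workflow and scripts themselves.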

#6 2013-02-28 07:52:53

appliey
Member
Registered: 2013-02-28

Re: AD binding with Centrify

I think it can.


#7 2013-02-28 22:22:18

Meat
Member
From: SF CA US
Registered: 2009-02-04

Re: AD binding with Centrify

> cabbage wrote:

> If you can figure it out, please share. I know it's possible with Casper. The issue I currently have is that the domain admin's password is not encrypted.

You should set up an AD "service" account that just has the rights to add/remove machine records. That way, even if you can't pass an encrypted password, the damages associated with a leaked password for the account would be limited to unbinding machines.

As far as I can tell, domain admin accounts generally should not be used for scripted/automated processes like this.
