One longstanding bug with joining Mac workstations to Active Directory is that, for reasons I have yet to pinpoint, a Mac will become unbound from AD but give no indication that the binding has been lost. A green dot continues to show next to the Network Account Server status, instead of the red dot that would indicate a communication failure.

Typically the user of the Mac will not be aware they’ve lost the AD binding until their AD password expires. Often this leads to the AD and Mac passwords getting out of sync, the user possibly getting locked out of their Mac, and a variety of Keychain problems. Most of the time you can un-join and re-join the Mac to AD, and the user account will start working again after some fiddling with the Keychain, but there are scenarios that can cause data loss if the process isn’t done correctly. The un-join/re-join process also requires an AD administrator’s credentials, and it must be done while logged in with a local admin account. It is not easy to perform remotely.

This AD issue is intermittent: it might occur only once or twice over the lifespan of a Mac, or never surface at all.

While I don’t have a solution for this yet, Carlos Cardona (the new Mac field engineer in Chicago) recently taught me a way to use the Terminal to check whether a Mac is actually bound to AD. While the user is logged in to their Mac, run the following command in Terminal: id

The id command returns details about the identity of the logged-in user, including every group they are a member of. Groups supplied by the AD plugin carry the domain’s short name as a prefix (DOMAIN\group name). If you only see OS X groups such as staff, everyone and localaccounts, and no AD groups, then the Mac is not joined to AD. One caveat: AD groups can only be resolved when the Mac can reach a domain controller, so run the check from a network where the domain controllers are reachable, otherwise a bound Mac will look unbound.

Another way to use the id command is to run it against an AD user account that has never logged in to the Mac. For example, let’s say there is an AD user account named ac_admin that has never logged in on this Mac (so no local account has been created for it). If you run the following command in the Terminal, you should see details about this AD account: id ac_admin
If the Terminal responds “no such user”, and you are sure the account exists in AD, then the Mac is not joined to AD.
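The two checks above can be scripted so an engineer can run one command during a site visit and get a clear answer. The script below is an added example, not something from the original post or from Carlos; it parses the output of id in the way the post describes. The sample id outputs embedded in it are constructed for illustration (the CORP domain, the jdoe and ac_admin accounts, and their group IDs are assumptions), and the assumption that AD groups appear as DOMAIN\name is how the macOS AD plugin names them.

```shell
#!/bin/sh
# check_ad_binding.sh -- added example, not from the original post.
# Decides whether a Mac is really bound to AD from the output of `id`,
# using the two tests described above: AD groups on the logged-in user,
# and whether an AD-only account can be resolved at all.

# ad_groups: print the DOMAIN\group names found in one line of `id` output.
# `id` prints "groups=NNN(name),NNN(name),..."; we split on commas and keep
# only names containing a backslash (assumed: the AD plugin's DOMAIN\name form).
ad_groups() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p' | grep '\\' || true
}

# binding_status: "bound" if the `id` output shows any AD group, else "not bound".
binding_status() {
    if [ -n "$(ad_groups "$1")" ]; then
        echo "bound"
    else
        echo "not bound"
    fi
}

# lookup_status: classify the result of `id <ad_user>` for an AD account that
# has never logged in locally. Args: exit status of id, its combined output.
# macOS prints "id: <user>: no such user" when the name cannot be resolved.
lookup_status() {
    status=$1
    output=$2
    case "$output" in
        *"no such user"*) echo "not bound (AD user not resolvable)" ;;
        *)
            if [ "$status" -eq 0 ]; then
                echo "bound"
            else
                echo "unknown: $output"
            fi
            ;;
    esac
}

# Constructed sample outputs (not captured from a real machine).
# A bound Mac: local groups plus CORP\... groups from the AD plugin.
BOUND_SAMPLE='uid=1234567890(jdoe) gid=1234567890(CORP\domain users) groups=1234567890(CORP\domain users),12(everyone),20(staff),61(localaccounts),100(_lpoperator),1234567891(CORP\mac admins)'
# An unbound Mac: the same (mobile) user, but only OS X groups resolve.
UNBOUND_SAMPLE='uid=502(jdoe) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),100(_lpoperator)'
# What `id ac_admin` prints on a bound Mac for an account never used locally.
ADMIN_SAMPLE='uid=1234567999(ac_admin) gid=1234567890(CORP\domain users) groups=1234567890(CORP\domain users),12(everyone),61(localaccounts)'
# What `id ac_admin` prints (to stderr, exit 1) when the binding is gone.
MISSING_SAMPLE='id: ac_admin: no such user'

# Live use on a Mac:  sh check_ad_binding.sh --live ac_admin
# Runs the real `id` twice and prints one line per check.
if [ "${1:-}" = "--live" ]; then
    printf 'logged-in user: %s\n' "$(binding_status "$(id)")"
    out=$(id "${2:-ac_admin}" 2>&1)
    rc=$?
    printf 'AD lookup of %s: %s\n' "${2:-ac_admin}" "$(lookup_status "$rc" "$out")"
fi
```

Run it as the logged-in user from a network where a domain controller is reachable, since an unreachable DC produces the same "no AD groups" result as a lost binding. Note that dsconfigad -show is not a substitute: it reports the stored binding configuration, which is exactly what the green dot reflects, whereas id tests whether AD lookups actually succeed.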

For our clients that have Mac workstations joined to AD, I can see this being a useful command to run during proactive All Covered onsite visits. If a Mac is found to be unbound, the engineer can correct the problem before it becomes a bigger one later.