AD plug-in contacting Domain Controllers

Perbix, Michael PERBIX at lmsd.org
Mon Aug 6 08:32:34 PDT 2007


Does anyone know how OSX contacts the Domain Controllers when configured
for AD?  On the Windows side, the DCs are contacted at least once a
month, and a timestamp is indicated on the computer account of the last
time the computer "checked in".

Does OSX work the same way?  

What we would like to do is cut down on the amount of "rogue" computer
entries in AD that have come about from laptops being renamed and
re-imaged.  What happens is the old computer account remains and then a
new account is created under the new name.  What I would like to do is 2
fold.  I would like to look at the AD computer accounts by DATE and
delete older ones that have not been updated in a few months time.
Also, I would like to script something so that on imaging a pre-action
script can check the AD for the existing computer name, MAC address, or
new name, then delete the old account if needed.  If the name is the
same, then there is no issue, if the name is NOT the same then it should
delete the old account before imaging.  Can I search AD for computer
account name AND search via MAC address from OSX?

I would assume the only time I need to delete a computer account is if
the computer name is different than the account existing in AD...so the
workflow would be like this...

Look at old computer name in ready to be imaged HD
	if old name matches new name, do nothing
	If old name is different than new name, delete account under old name.
Look at MAC address and search AD for any accounts containing that MAC
	if old name matches new name, do nothing
	if old name is different than new name, delete account under old name.
REPEAT until no more matches found.

This way, upon reimaging the AD will be cleaned up as you go.

Now, I know that this should also be the Technician's duty, before
imaging, to unbind and thereby remove the old account...etc...but if I
can automate it in any way, I would like to.

So to summarize...

Does AD plugin contact AD DC's on a regular defined basis and update
that time stamp?  If so, how often?
How do I search AD for computer account name and MAC address?

Does anyone else address this situation with a mass number of OSX
clients on a regular basis?

Thank you.
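
The two checks described in the message above (accounts not updated in a few months, and the pre-imaging name/MAC comparison), as an added example that is not part of the original post. It assumes the check-in time is read from the AD attribute lastLogonTimestamp (a Windows FILETIME) and that the site records each machine's MAC in a field called "mac" here, which is hypothetical; the records are constructed and nothing is deleted, the functions only return candidate names.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME: count of 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def stale_accounts(records, now, max_age_days=90):
    """Names of accounts with no check-in inside the last max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for r in records:
        ft = r.get("lastLogonTimestamp")
        # Missing or zero means the account never logged on: list it for review.
        if not ft or filetime_to_datetime(ft) < cutoff:
            stale.append(r["cn"])
    return sorted(stale)

def norm_mac(mac):
    """Compare MACs regardless of case and ':' or '-' separators."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def accounts_to_delete(old_name, new_name, mac, records):
    """Workflow from the post: any account under the old name or carrying
    this machine's MAC is a delete candidate unless it is the new name."""
    doomed = set()
    for r in records:
        same_mac = bool(r.get("mac")) and norm_mac(r["mac"]) == norm_mac(mac)
        same_old = r["cn"].lower() == old_name.lower()
        if (same_mac or same_old) and r["cn"].lower() != new_name.lower():
            doomed.add(r["cn"])
    return sorted(doomed)

# Constructed sample data (not real accounts); "mac" is a hypothetical field.
NOW = datetime(2007, 8, 6, tzinfo=timezone.utc)
def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))
RECORDS = [
    {"cn": "LAB-01", "mac": "00:16:CB:00:00:01", "lastLogonTimestamp": _ago(5)},
    {"cn": "OLD-LAPTOP-7", "mac": "00:16:cb:aa:bb:cc", "lastLogonTimestamp": _ago(20)},
    {"cn": "TEMP-IMG", "mac": "00-16-CB-AA-BB-CC", "lastLogonTimestamp": _ago(200)},
    {"cn": "SPARE-03"},  # never checked in, no MAC recorded
]

if __name__ == "__main__":
    print("stale:", stale_accounts(RECORDS, NOW))
    print("delete before imaging:", accounts_to_delete(
        "OLD-LAPTOP-7", "LAPTOP-7", "00:16:CB:AA:BB:CC", RECORDS))
```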


