dsconfigad(8) BSD System Manager's Manual dsconfigad(8)
NAME
dsconfigad -- retrieves/changes configuration for Directory Services
Active Directory Plugin.
SYNOPSIS
dsconfigad -h
dsconfigad -show [-lu username] [-lp password]
dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
[-lu username] [-lp password] [-ou dn] [-status]
dsconfigad -r -u username [-p password] [-lu username] [-lp password]
dsconfigad [-lu username] [-lp password] [-mobile enable | disable]
[-mobileconfirm enable | disable]
[-localhome enable | disable] [-useuncpath enable | disable]
[-protocol afp | smb] [-shell value] [-uid attribute | -nouid]
[-gid attribute | -nogid] [-ggid attribute | -noggid]
[-preferred server | -nopreferred]
[-groups "group1,group2,..." | -nogroups]
[-alldomains enable | disable] [-enableSO]
dsconfigad -staticmap attribute-type attribute-value [-lu username]
[-lp password]
DESCRIPTION
This tool allows command-line configuration of the Active Directory
Plug-in. dsconfigad has the same functionality for configuring the
Active Directory plugin as the Directory Access application. It requires
"admin" privileges to the local workstation and to the Directory to make
changes.
A list of flags and their descriptions:
-h Lists the options for calling dsconfigad
-show Shows the current configuration of the Active Directory Plugin
-f Force the process (i.e., join the existing account or remove the
binding)
-a computerid
Add "computerid" to the specified Domain
-r Remove this computer from the current Domain
-status Print status information while adding computer to domain.
-u username
Username of a Network account that has administrative privileges
to add/remove this computer to/from the specified Domain
-p password
Password to use in conjunction with the specified username. If
this is not specified, you will be prompted for entry.
-lu username
Username of a local account that has administrative privileges
to this computer
-lp password
Password to use in conjunction with the specified local username.
If this is not specified, you will be prompted for entry.
-domain fqdn
The fully-qualified DNS name of the Domain to be used when
adding the computer to the Directory (e.g.,
domain.ads.demo.com).
-ou dn
The LDAP DN of the container to use for adding the computer. If
this is not specified, it will default to the container
"CN=Computers" within the domain that was specified (e.g.,
"CN=Computers,DC=domain,DC=ads,DC=demo,DC=com").
-mobile enable | disable
This flag determines whether the plugin will enable mobile
account support for offline logon (disabled by default). This
flag is a hint. If the appropriate Workgroup Management settings
exist for a user, this will not override, as directory settings
for the user take precedence.
-mobileconfirm enable | disable
This flag determines whether the plugin will warn the user when
a mobile account is going to be created. This flag is a hint as
discussed in -mobile.
-localhome enable | disable
This flag determines whether the plugin forces all home
directories to be local to the computer (i.e., /Users/username)
(enabled by default).
-useuncpath enable | disable
This flag determines whether the plugin uses the UNC specified
in the Active Directory when mounting the network home. If this
is disabled, the plugin will look for Apple schema extensions to
mount the home directory.
-protocol afp | smb
This flag determines how a home directory is mounted on the
desktop. By default SMB is used, but AFP can be used for use
with Mac OS X Server or 3rd Party AFP solutions on Windows
Servers (previously known as mountstyle).
-shell value
Use the specified shell (e.g., "/bin/bash") if a shell attribute
does not exist in the directory for the user logging into this
computer. Use a shell value of "none" to disable use of a
default shell, preserving values that are only specified in the
directory.
-uid attribute
This specifies the attribute to be used for the UID of the user.
By default, a UID is generated from the Active Directory GUID.
-nouid Turn off any previously mapped attribute and generate the UID
from the Active Directory GUID.
-gid attribute
This specifies the attribute to be used for the GID of the user.
By default, a GID is derived from the primaryGroupID of the user
(typically Domain Users).
-nogid Turn off any previously mapped attribute and use the GID from
the directory.
-ggid attribute
This specifies the attribute to be used for the GID of the
group. By default, a group GID is generated from the Active
Directory GUID of the group.
-noggid Turn off any previously mapped attribute and generate the group
GID from the Active Directory GUID.
-preferred server
Use the specified server for all Directory lookups and
authentications. If the server is no longer available, it will
fail over to other servers.
-nopreferred
Turn off any previously specified server and default to dynamic
server discovery.
-groups group1,group2,...
Use the listed groups to determine who has local administrative
privileges on this computer. Groups can be specified by domain
to ensure security is not compromised, e.g.,
"domain admins@domain.ads.demo.com".
-nogroups
Disable use of the current groups for determining administrative
privileges on this computer.
-alldomains enable | disable
This flag determines whether the plugin allows authentication
from any domain in the forest. When this is enabled, individual
domains will not be visible, only "All Domains". If it is
disabled, you will have the ability to select the specific domains
that can authenticate to this computer. Enabled by default.
-staticmap attribute-type attribute-value
Enable static mapping of an attribute-type to a specific
attribute-value for User records. Do not static map values such
as UID, RecordName and GeneratedUID as unexpected behavior will
occur. This is for use in other attributes that are not
typically searched. Attribute types are Directory Service types
(i.e., "dsAttrTypeStandard:State"), see
DirectoryServiceAttributes(7).
-enableSO
(Server Only) When using Mac OS X Server with Active Directory,
this enables SO for all supported services.
EXAMPLES
Adding a computer to a Directory:
dsconfigad -a ThisComputer -u "administrator" \
    -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com" \
    -domain domain.ads.apple.com
Giving a set of groups administrative access to the local computer:
dsconfigad -groups "DOMAIN\domain admins,FOREST\enterprise admins,DOMAIN\desktop techs"
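Added example, not part of the dsconfigad manual: a shell lint for bind scripts that enforces two points from the option descriptions above, namely leaving -p and -lp off so the tool prompts for the password, and qualifying every -groups entry by domain. The function names are hypothetical and only flags documented on this page are inspected.

```shell
#!/bin/sh
# Added example: lint a dsconfigad argument list before it goes into a script.
# check_admin_groups and lint_dsconfigad are hypothetical helper names.

# Succeeds only if every comma-separated group is domain-qualified, in one of
# the two forms the page shows: DOMAIN\group or group@fq.dn.
check_admin_groups() {
    list=$1
    bad=0
    old_ifs=$IFS
    set -f                      # no globbing while splitting on commas
    IFS=,
    set -- $list
    IFS=$old_ifs
    set +f
    [ "$#" -gt 0 ] || return 1  # an empty list is rejected
    for g in "$@"; do
        case $g in
            ?*\\?*|?*@?*.?*) ;;
            *) printf 'unqualified admin group: %s\n' "$g" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Prints the number of findings and returns non-zero if there are any.
lint_dsconfigad() {
    findings=0
    while [ "$#" -gt 0 ]; do
        opt=$1; shift
        case $opt in
            -p|-lp)
                # The value would sit in argv, readable via ps; without the
                # flag dsconfigad prompts for the password instead.
                printf '%s: password given on the command line\n' "$opt" >&2
                findings=$((findings + 1))
                if [ "$#" -gt 0 ]; then shift; fi ;;
            -groups)
                if [ "$#" -gt 0 ]; then
                    check_admin_groups "$1" || findings=$((findings + 1))
                    shift
                fi ;;
        esac
    done
    printf '%s\n' "$findings"
    [ "$findings" -eq 0 ]
}
```

Call it with the same arguments the script would pass to dsconfigad, for example lint_dsconfigad -groups "DOMAIN\domain admins"; findings go to standard error and the count to standard output.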
SEE ALSO
DirectoryService(8), DirectoryServiceAttributes(7)
Darwin March 6, 2010 Darwin