...
macOS | Build notes | Bind Method / Configuration | Signing (packetsign) | Encryption (packetencrypt) | AD Certificate | LoginWindow | EC | dscl | EC query (eccl)
---|---|---|---|---|---|---|---|---|---
10.14.6 | USB installer | BigFix/dsconfigad | allow | allow | N | 2889 typebind=0 | 1.8.1 | 2889 typebind=0 | n/a
10.15.2 | USB installer | | | | | | | |
Wireshark - SASL bind behavior
...
Splunk: index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
ATL-MBP-018
Which Airwatch OU? — macOS standard supported policies
AD record? NOPE
reassign profile YEP
EventCode="2889"
events as “AD\oidadder” during machine bind
events as “AD\atl-mbp-018$” thereafter, periodically with login events too

create “atlauren” Andrew Fake
logout
login as “atlauren” local account -> events as machine account
login to EC: events as “ad\atlauren”
EC reconnect: events as “ad\atlauren”
machine events on logout
events from machine and user on login/EC

** move to Airwatch OU Experimental **
AD/Certificate profile lands
new events for rebinding as oitadder, machine record in New Computers OU *is a complete rebind*
move to OU

EC reconnect: no events
logout: no events
reboot: events as machine record
login atlauren: event as atlauren
EC reconnect: event as atlauren
Appendix: DNS notes
Be sure to use the AD DNS servers: 128.200.236.195, 128.195.143.166