Over the years I have kept a file with many of the day-to-day commands I use to administer the computers at my workplace. After 4 years of saving these commands I am giving back and creating the ultimate post to aid all new sys admins out there.
The Adaptive Firewall
The most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:
afctl -d

When run, the adaptive firewall's rules are disabled. To re-enable them, use the -e option:

afctl -e

To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

sudo /usr/libexec/afctl -r ###.###.###.0/24

To add an IP to the blacklist, use the -a option, also followed by the IP:

sudo /usr/libexec/afctl -a ###.###.###.0/24

To permanently add a machine to the whitelist, use -w with the IP:

sudo /usr/libexec/afctl -w ###.###.###.0/24
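The afctl options above take whatever string you hand them. The wrapper below is an added example (not from the original post): it validates the address or CIDR block before the firewall sees it, refuses over-broad whitelist entries, and records every change in an audit log. The afctl path is the one the post uses; AF_LOG and the "nothing wider than /16 on the whitelist" rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around the post's
# afctl commands that validates the address before it reaches the firewall and
# keeps an audit trail of every blacklist/whitelist change. The afctl path is
# the one the post uses; AF_LOG and the "whitelist nothing wider than /16"
# policy are assumptions for this example.
AFCTL=/usr/libexec/afctl
AF_LOG=${AF_LOG:-/var/log/afctl-changes.log}

# valid_ipv4_cidr ADDR: 0 if ADDR is a dotted quad with an optional /0-32
# prefix (192.0.2.10, 192.0.2.0/24), 1 otherwise. Plain POSIX sh, no regex.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                                # split on dots only
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# af_change ACTION ADDR: ACTION is -a (blacklist), -r (remove from blacklist)
# or -w (whitelist), as in the post. Rejects malformed input and over-broad
# whitelist entries, refuses to act if the audit log cannot be written, then
# runs afctl when it exists (elsewhere it prints the command it would run).
af_change() {
    action=$1; target=$2
    case "$action" in
        -a|-r|-w) ;;
        *) echo "bad action: $action (use -a, -r or -w)" >&2; return 2 ;;
    esac
    if ! valid_ipv4_cidr "$target"; then
        echo "rejected: '$target' is not an IPv4 address or CIDR block" >&2
        return 2
    fi
    if [ "$action" = -w ]; then
        p=${target#*/}; [ "$p" = "$target" ] && p=32
        if [ "$p" -lt 16 ]; then
            echo "rejected: whitelist entry $target is wider than /16" >&2
            return 2
        fi
    fi
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        "$action" "$target" >> "$AF_LOG" || { echo "cannot write $AF_LOG" >&2; return 1; }
    if [ -x "$AFCTL" ]; then
        sudo "$AFCTL" "$action" "$target"
    else
        echo "dry run: $AFCTL $action $target"
    fi
}
```

Source the file and call `af_change -a 203.0.113.0/24` (or `-r`, `-w`) instead of typing afctl directly; on a machine without afctl it only prints what it would run, which makes it easy to test the validation before using it on the server. Keep the log file owned by root so the record of who blocked what cannot be edited by the accounts it documents.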
Recover a corrupt open directory

10.5, 10.6, and 10.7 include a recovery tool that will help you recover a damaged or corrupt LDAP directory.

sudo db_recover -h /var/db/openldap/openldap-data/

Reset a corrupt open directory

Note: this should only be done in the event that there is no possible way to recover or restore the OD. This will completely destroy your server's open directory.

sudo slapconfig -destroyldapserver
mkpassdb -dump

Change computer name
Change the computer name over ARD or SSH.
networksetup -setcomputername <name>

Clean up files from users' computers
We do not allow .torrent files on users' computers, so I run this via ARD every morning on the entire network. I later adapted these commands to a script that runs on login.

rm -vrf ~/Downloads/*.torrent
rm -vrf ~/Desktop/*.torrent
rm -vrf ~/Documents/*.torrent
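The three rm lines do the job, but `rm -rf` on a glob has two sharp edges: a directory whose name ends in .torrent is deleted with everything inside it, and when nothing matches the shell passes the literal pattern to rm. The login-time script below is an added example, not the post's own script; it removes only regular files, skips missing directories, and logs each removal. The log path is an assumption.

```shell
#!/bin/sh
# Added example, not the post's own login script: removes *.torrent files from
# the locations the post clears, but avoids two pitfalls of rm -vrf ~/Dir/*.torrent:
# a directory whose name happens to end in .torrent is left alone (rm -rf would
# delete it and everything in it), and an unmatched glob removes nothing
# instead of being passed to rm literally. Every removal is logged. The log
# path is an assumption.
CLEANUP_LOG=${CLEANUP_LOG:-$HOME/Library/Logs/torrent-cleanup.log}

# remove_torrents [DIR...]: delete regular *.torrent files directly inside each
# DIR (no recursion). With no arguments it uses Downloads, Desktop and Documents
# under $HOME, as in the post. Missing directories are skipped. Prints the number
# of files removed and returns 0.
remove_torrents() {
    removed=0
    [ $# -gt 0 ] || set -- "$HOME/Downloads" "$HOME/Desktop" "$HOME/Documents"
    mkdir -p "$(dirname "$CLEANUP_LOG")"
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.torrent; do
            [ -e "$f" ] || continue            # glob matched nothing
            [ -f "$f" ] || continue            # skip directories and the like
            if rm -f -- "$f"; then
                removed=$((removed + 1))
                printf '%s removed %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$f" >> "$CLEANUP_LOG"
            fi
        done
    done
    echo "$removed"
    return 0
}
```

Run it as the logging-in user (a login hook or launch agent, as the post describes) with no arguments, or pass explicit directories when testing. The `--` before the file name keeps a file called `-rf.torrent` from being read as options.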
Establish Jailed SSH

This command will allow you to establish a secure connection over ssh with an SSH key pair.

cat ~/.ssh/id_dsa.pub | ssh root@xx.xx.xx.xx 'cat - >> ~/.ssh/authorized_keys'
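The one-liner appends whatever arrives on stdin to authorized_keys. The function below is an added example, not from the original post: it does the same append but checks the key line first, sets the modes sshd requires on ~/.ssh (700) and authorized_keys (600) so the key is actually used rather than silently ignored, and skips keys that are already present. The return codes and the list of accepted key types are this example's choices; note that the post's id_dsa.pub is an ssh-dss key, which OpenSSH has disabled by default since version 7.0.

```shell
#!/bin/sh
# Added example, not from the original post: installs a public key into
# authorized_keys the way the post's "cat ... | ssh ... 'cat - >> ~/.ssh/authorized_keys'"
# one-liner does, plus the checks an admin usually wants: the key line is
# sanity-checked before it is written, ~/.ssh and authorized_keys get the modes
# sshd requires (700 and 600) so the login does not silently fall back to a
# password, and a key that is already present is not appended again. The
# return codes (0 added, 3 already present, 2 rejected) are this example's own.
nl='
'

# install_authorized_key "KEY LINE" [SSH_DIR]
install_authorized_key() {
    key=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth="$ssh_dir/authorized_keys"

    # Only key types a current OpenSSH will use; ssh-dss (the post's id_dsa.pub)
    # has been disabled by default since OpenSSH 7.0.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "rejected: not a supported public key line" >&2; return 2 ;;
    esac
    case "$key" in *"$nl"*) echo "rejected: key line contains a newline" >&2; return 2 ;; esac
    keytype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}                       # base64 body, before any comment
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "rejected: key body is not base64" >&2; return 2 ;;
    esac
    tail=${blob%????????}
    short=${blob#"$tail"}                  # last 8 characters, for messages

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1

    # Match on type and body only, so the same key with a different comment
    # does not get a second line.
    if grep -qF -- "$keytype $blob" "$auth"; then
        echo "already present: $keytype ...$short"
        return 3
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "added: $keytype ...$short"
    return 0
}
```

Run it on the host that should accept the key: copy the function into the remote shell (or scp the file over) and call `install_authorized_key "$(cat id_ed25519.pub)"`. Because it reads the key from an argument rather than from stdin, it composes with the post's ssh-based approach without needing `cat -`.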
Unison

Unison is an amazing utility that runs as a service on OSX and does two-way file syncing over ssh or locally. When setting up Unison you must copy it to /usr/bin/ and then create this directory for it to run:

mkdir ~/.unison

For more information on Unison you should check out this site.
Running A Unison Batch
You can run this command with Unison to start a file synchronization.

unison -batch "/SRC/Dest/" ssh://someuser@xx.xx.xx.xx/Dest/Folder/

Check a user record
Oftentimes it's easier to look up an account and see its attributes in the terminal rather than using Workgroup Manager.

dscl -u diradmin -P <diradmin passwd> /LDAPv3/fully.qualified.domain -read /Users/username

Sync MySQL between servers
If you need to back up one MySQL database into another you can use this command to do so. You can also use this as a way to dump a database to a different server.

mysqldump --user=<username> --password=<passwd> <dbname> | ssh <username>@xx.xx.xx.xx -p8286 mysql --user=<username> --password=<passwd> <dbname>
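One thing to be aware of with `--password=<passwd>` on the command line: while the dump runs, the password is part of the process's argument list, which any local user can read with ps, and it also ends up in shell history. The two helpers below are an added example, not from the original post. The first demonstrates the exposure with a harmless stand-in process; the second writes the credentials to a mode-600 option file that mysqldump and mysql read through `--defaults-extra-file`, so nothing secret appears in argv. File paths are assumptions and the passwords used are obviously fake.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers around the post's
# mysqldump | ssh | mysql pipeline. args_visible_in_ps demonstrates the problem
# with --password=<passwd> on the command line: while the command runs, any
# local user can read its arguments from the process table (and it lands in
# shell history). make_mysql_auth_file writes the credentials to a mode-600
# option file that mysqldump and mysql read through --defaults-extra-file, so
# nothing secret appears in argv. File paths are assumptions; the password
# values used here are obviously fake.

# args_visible_in_ps WORD: start a short-lived sh whose argument list carries
# "--password=WORD", check whether ps shows it for that pid, and clean up.
# Returns 0 if the word was visible, 1 otherwise. Demonstration only.
args_visible_in_ps() {
    sh -c 'sleep 2' demo "--password=$1" &
    pid=$!
    seen=1
    if ps -o args= -p "$pid" 2>/dev/null | grep -qF -- "--password=$1"; then
        seen=0
    fi
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$seen"
}

# make_mysql_auth_file PATH USER PASSWORD: write a [client] section that only
# the owner can read. Assumes PASSWORD contains no double quote. Returns 0 on
# success, 1 if the file could not be written.
make_mysql_auth_file() {
    path=$1; user=$2; pass=$3
    # The subshell keeps umask 077 from leaking into the caller; the file is
    # therefore 0600 from the moment it exists, not only after chmod.
    ( umask 077 && printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$pass" > "$path" ) || return 1
    chmod 600 "$path"
}

# Usage with the post's pipeline once the two option files exist on their
# respective hosts (paths assumed; the SSH port is the one the post uses):
#   mysqldump --defaults-extra-file=/root/.dump.cnf <dbname> | \
#     ssh -p8286 <username>@xx.xx.xx.xx 'mysql --defaults-extra-file=/root/.load.cnf <dbname>'
```

`args_visible_in_ps fakepassword` returns 0 on a normal system, which is the whole point. The option file is the same idea as `~/.my.cnf`, just with an explicit path so the backup account's credentials can live outside the home directory of whoever runs the job.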
RSYNC to remote server

Sometimes you need to back up files across a network to a different computer; this method allows you to do that over a secure ssh connection.

rsync -av -e ssh /SRC/Folder/ --rsh='ssh -p8286' <username>@xx.xx.xx.xx:/DEST/Folder/

Force remove a broken OD replica
OD replicas can be tricky. Over time they can fail, and sometimes when a replica fails and you decommission it, it does not get fully removed on the OD Master. Here is how to update the Master to remove that stubborn old replica record.

/var/db/authserver
mkpassdb -dump
slapconfig -removereplica xx.xx.xx.xx

Fix a broken Mobile Account (run on the local machine)
Mobile accounts sometimes need to be removed from the local computer locally. Here is a simple terminal command to remove a mobile account from a local machine.
dscl . -delete /Users/userName

Change local password with ARD
This is the easiest way to change user passwords on remote computers with ARD. You can also use secure SSH but ARD is much easier.
dscl . -passwd /Users/userName newpass newpass

Enable ARD remotely

How can you enable ARD on a computer that you have SSH access to? Here's how!

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -restart -agent -privs -all

Fix SSL on servers
Sometimes SSL on an OSX Server can break; here is how to get it back up and running for your server and all of the SSL sites.

- Put the bundle package "gd_bundle.crt" in the /etc/apache2/ directory
- Open the Apache configuration:

sudo pico /etc/apache2/httpd.conf

- Enter this line in the SSL block:

SSLCertificateChainFile "/etc/apache2/gd_bundle.crt"

Fix Apple SUS
This sometimes happens, where the symlinks on the server break. Instead of changing all the clients to point to the other catalog, I changed the symbolic link on the server to point to it instead. In Terminal on the server:

cd /var/db/swupd/html
sudo rm index.sucatalog
sudo -u _softwareupdate ln -s /var/db/swupd/html/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog index.sucatalog

Enable Screen Share (VNC) from Terminal
cd /Library/Preferences
echo -n enabled > com.apple.ScreenSharing.launchd

Remotely Set Volume level on a computer

sudo osascript -e "set Volume 10"

Manually Set SUS in OSX

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL https://fully.qualified.domain:8088/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Remove Microsoft License
If you're not fortunate enough to be using a site license for Microsoft Office then you can remove or revoke a license in the terminal like this (the paths contain spaces, so they have to be escaped):

sudo rm ~/Library/Preferences/Microsoft/Office\ 2008/Microsoft\ Office\ 2008\ Settings.plist
sudo rm /Applications/Microsoft\ Office\ 2008/Office/OfficePID.plist

Search and replace in SQL

UPDATE wp_posts SET post_content = replace(post_content, "coolstuff.com", "lancelhoff.com");

Change Mailman Password
How to quickly change the mailman password on an OSX Server installation.
cd /usr/share/mailman/bin/
./mmsitepass

- Change password
Export Mailman Lists
How to export Mailman Lists to text files on an OSX Server installation.
cd /usr/share/mailman/bin/
./list_lists
./list_members FWW-Internal > ~/Desktop/somefile.txt

Reset the localKDC
This is important to do: if you do not, you will not be able to bind your computer to an OSX Directory after an ASR restore. Tools like Deploy Studio Server and Casper run these commands for you.

- Delete all 3 com.apple.kerberos.kdc items in the login keychain

sudo rm -fr /var/db/krb5kdc
sudo /usr/libexec/configureLocalKDC

Restart the Wiki Service
sudo serveradmin stop teams
sudo serveradmin start teams

List out the size of folders on the file system

sudo du -d 1 -h -x /Volumes/HDName/

Change the way the dock behaves
Use Suck instead of Scale
defaults write com.apple.dock mineffect -string suck
killall Dock

Report on all activity from a specific user
Good for seeing exactly what users are doing on the server or on their computers.
ps aux | grep "root" | more >> ~/rootreport.txt
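`grep "root"` matches the word anywhere on the line, so a user editing rootcause.txt, a process with "root" in its arguments, and the grep itself all end up in the report. The functions below are an added example, not from the original post; they filter on the USER column instead and append a timestamped snapshot to a report file the way the post does. SAMPLE_PS is constructed ps output so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. "ps aux | grep root" matches the
# word root anywhere on the line: a user editing a file called rootcause.txt,
# a process with "root" in its arguments, and the grep itself all show up.
# This version filters on the USER column only. SAMPLE_PS is constructed
# sample output, so the functions can be exercised without a live system.
SAMPLE_PS='USER       PID %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
root         1   0.0  0.1  2456176   8000   ??  Ss   Mon09AM   0:12.34 /sbin/launchd
_www       412   0.0  0.3  2460000  24000   ??  S    Mon09AM   0:01.00 /usr/sbin/httpd -D FOREGROUND
jdoe      2231   0.1  0.2  2470000  16000 s000  S+    9:41AM   0:00.20 vim /Users/jdoe/notes/rootcause.txt
root      2240   0.0  0.1  2450000   6000   ??  S     9:42AM   0:00.05 /usr/libexec/afctl -a 203.0.113.0/24'

# procs_for_user USER [PS_OUTPUT]: print the lines whose first column is exactly
# USER, skipping the header. Uses PS_OUTPUT when given, otherwise runs ps aux.
procs_for_user() {
    user=$1
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else ps aux; fi |
        awk -v u="$user" 'NR > 1 && $1 == u'
}

# count_procs_for_user USER [PS_OUTPUT]: number of matching lines.
count_procs_for_user() {
    procs_for_user "$@" | awk 'END { print NR }'
}

# naive_grep_count USER [PS_OUTPUT]: what the post's grep would count, for
# comparison (on a live system it also counts the grep process itself).
naive_grep_count() {
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else ps aux; fi | grep -c -- "$1"
}

# write_user_report USER FILE [PS_OUTPUT]: append a timestamped snapshot of
# USER's processes to FILE, the post's ~/rootreport.txt pattern.
write_user_report() {
    user=$1; file=$2; shift 2
    {
        printf '== %s processes for %s ==\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user"
        procs_for_user "$user" "$@"
    } >> "$file"
}
```

On the sample, `count_procs_for_user root "$SAMPLE_PS"` gives 2 while `naive_grep_count root "$SAMPLE_PS"` gives 3, the extra hit being jdoe's editor session. On a live system call `write_user_report root ~/rootreport.txt` with no third argument and it reads ps aux itself.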
Export a list of contacts from MailMan OSX Server

/usr/share/mailman/bin/list_members list_name > saved_subscribers

Restart the Mail Service Remotely

sudo serveradmin stop mail && sudo serveradmin start mail

Start the SSH service on a server remotely

echo "AdminsPassHere" | sudo -S launchctl load -w /System/Library/LaunchDaemons/ssh.plist

Enable universal access remotely
osascript -e 'tell application "System Events"' -e 'tell application processes' -e 'key code 28 using {command down, option down, control down}' -e 'end tell' -e 'end tell'

Change email from HTML to plain text only

defaults write com.apple.mail PreferPlainText -bool TRUE

Change the scrollbars in OSX

This will change how the scrollbar works: there will be an up and a down arrow at each end of the scrollbar. This only works in 10.5 and 10.6.

defaults write "Apple Global Domain" AppleScrollBarVariant DoubleBoth

Show hidden files in OSX

defaults write com.apple.finder AppleShowAllFiles TRUE

Eject a stubborn or stuck disk remotely

disktool -e disk#

Change the text in the login window

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Hi, I have missed you!"

Change the dock size
defaults write com.apple.dock largesize -int 512
killall Dock

Change the icon size
defaults write com.apple.finder DesktopViewOptions -dict IconSize -integer 512
killall Finder

Change the desktop tile size

defaults write com.apple.dock tilesize -int 256

Remove Spotlight from OSX
This will disable Spotlight until you run repair permissions.

sudo chmod 0 /System/Library/CoreServices/Spotlight.app
killall Spotlight

Restart the ethernet port

sudo ifconfig en0 down

Copy a file remotely

scp test.zip adminname@fully.qualified.domain:~/Desktop

See the Serial Number of your 10.6 Server
You can obtain the Mac OS X Server serial number (for Snow Leopard) via the command line. At the Terminal on the server itself (or via ssh if you wish), type:
more /etc/systemserialnumbers/xsvr