
We have deployed a new Windows Server 2012 Active Directory infrastructure for an environment that previously contained no central mechanism for user authentication. All client computers are Mac OS X 10.9 Mavericks that use local accounts. My objective is to retain the data in the local user accounts stored in /Users but allow the AD user to gain ownership so the local accounts can be decommissioned. The home folders will remain local - they will not be network or mobile homes.

For example: A computer has a local account with shortname johndoe and matching home folder /Users/johndoe. I create a new user in Active Directory with shortname john. I want to be able to remove the OS X local user johndoe leaving its home folder behind. Then rename /Users/johndoe to /Users/john to match the AD user shortname and allow the AD user to adopt this local home folder.

How might I accomplish this?

sardean
  • Would it not be easier to create the AD account and mv the contents of `/Users/johndoe` into `/Users/john` then `chown -R` the files to the new user? – squareborg May 20 '14 at 20:58
  • Yeah that might be the best solution. I have been trying to figure out if it's possible to accomplish in one single action but haven't had any luck with my efforts. – sardean May 21 '14 at 00:55
  • This is something I'm going to need to deal with soon on my network. If you don't get any good answers in a couple days, I'll throw a healthy bounty on it to try and draw some attention to it. – EEAA May 22 '14 at 00:49
  • @EEAA awesome, glad to hear I'm not alone. I'll be testing all day in my lab environment tomorrow and update the question with my findings. – sardean May 22 '14 at 00:57
  • @dean - are you happy with the below answer? Seems like that might be as good as we're going to get. I'd like to award the bounty if you're happy. – EEAA May 28 '14 at 01:33
  • @EEAA yes, thank you very much for contributing the bounty. I will test out the MigrateLocalUserToADDomainAcct script later this week and share my findings. – sardean May 28 '14 at 02:44
  • @dean - OK. Keep in mind the bounty only has 2 days left... – EEAA May 28 '14 at 02:45
  • @EEAA feel free to award the bounty, I am satisfied with the answer. Thanks! – sardean May 28 '14 at 02:47
  • @dean - will do! – EEAA May 28 '14 at 02:50

1 Answer


You can certainly do this, but unless you script it (see below) there's no single-step solution. The basic steps are going to be:

  1. Bind the Mac to AD.
  2. Delete the local account, but leave the home folder alone. This can be done from the command line with dscl, or in System Preferences -> Users & Groups (just be sure to select "Don't change the home folder").
  3. Rename the home folder to the AD account's name.
  4. Change ownership to the AD account's UID number. Use chown -R for this, not the Finder (it doesn't give you enough control over what's being changed).

...so, you really want to script this process. The good news is that it's been done. AFP548.com has a couple of scripts that handle step 1, and Rich Trouton's MigrateLocalUserToADDomainAcct.command script (based on one by Patrick Gallagher) handles steps 2-4. If you want to make it a true single-step process, you'll have to splice them together yourself.

Gordon Davisson
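Steps 2-4 of the answer as a single script, added here as an illustration (it is not the MigrateLocalUserToADDomainAcct.command script or the AFP548 scripts). It assumes the Mac is already bound (step 1), that `id <ad-shortname>` resolves through the AD node, and that it runs as root; the `/Users` base and the uid/gid are parameters so the folder handling can be exercised on a scratch directory.

```shell
#!/bin/sh
# Steps 2-4 of the answer: drop the local record, rename the home folder,
# hand it to the AD user's uid/gid. Assumes the Mac is already bound (step 1)
# and that `id <ad-shortname>` resolves through the AD node. Added example,
# not the MigrateLocalUserToADDomainAcct.command script itself.
set -eu

# Only plain short names are accepted, so "../x" or "" can never turn
# /Users/<name> into a path outside /Users or into /Users itself.
valid_shortname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Move $base/$old to $base/$new and chown it to uid:gid. Return codes:
# 2 bad name, 3 no source folder, 4 target already exists (never merge homes).
migrate_home() {
    base=$1; old=$2; new=$3; uid=$4; gid=$5
    valid_shortname "$old" && valid_shortname "$new" || return 2
    [ -d "$base/$old" ] || return 3
    [ ! -e "$base/$new" ] || return 4
    mv "$base/$old" "$base/$new"
    chown -R "$uid:$gid" "$base/$new"
}

# Delete only the local account record; the home folder is left in place
# (the dscl equivalent of "Don't change the home folder"). macOS only.
delete_local_account() {
    dscl . -delete "/Users/$1"
}

main() {
    old=$1; new=$2
    [ "$old" != "$new" ] || { echo "local and AD names must differ" >&2; exit 1; }
    # The AD user must resolve, and must not itself be a local record
    # (dscl . is the local node only, so an AD user is absent from it).
    uid=$(id -u "$new") || { echo "cannot resolve AD user $new" >&2; exit 1; }
    gid=$(id -g "$new")
    if dscl . -read "/Users/$new" >/dev/null 2>&1; then
        echo "$new is a local account, not an AD user" >&2; exit 1
    fi
    delete_local_account "$old"
    migrate_home /Users "$old" "$new" "$uid" "$gid"
}

# Usage (as root): ./adopt-home.sh johndoe john
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The name check and the refusal to overwrite an existing target are what keep a typo in the AD shortname from merging two users' data or moving a folder out of /Users.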