JAMF Nation, hosted by JAMF Software, is a dynamic and knowledgeable community of Apple-focused IT admins and Casper Suite users. Join us in person, in October, for the annual JAMF Nation User Conference (JNUC) to discover new and better ways to manage Apple devices.

change local account to managed mobile

Posted: 4/9/15 at 12:02 PM by tcandela

Some local users have home folders based on their NetID. Now the computer will get AD bound; what is the best way to get these local accounts from local to managed mobile?

I deleted the account, leaving the home folder, then renamed it and re-owned it:

mv "/Users/bob (deleted)" /Users/bob
sudo chown -R bob:"domain\Domain Users" /Users/bob

Now the user is managed mobile, BUT also admin!! Why is it getting set as admin?

On one computer this worked fine; the user was just managed mobile. Then on another computer it also set the user as admin.

SOLVED Posted: 4/9/15 at 12:08 PM by RobertHammen

In your AD binding, do you have "Allow Administration By" and valid groups specified there? Check with Directory Utility.

By any chance are the users members of one of these groups?

Posted: 4/9/15 at 12:50 PM by tcandela

@RobertHammen - yes, I have 'allow administration by' and the user I am testing with is in that group. Is it because that user is in that group?

Posted: 4/9/15 at 5:14 PM by hkabik

My workflow is as such:

dscl . delete /Users/USERNAME #Remove the current local user record, leaving the home folder on disk.

mv /Users/USERNAME /Users/TEMPUSERNAME #Move the home folder to a temporary name so the next step does not collide with it.

cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/ #Navigate to the createmobileaccount directory.

./createmobileaccount -n USERNAME #Create the mobile account from the AD record (must run as root on a bound Mac).

rm -r /Users/USERNAME #Remove the fresh home folder that createmobileaccount just created.

mv /Users/TEMPUSERNAME /Users/USERNAME #Rename the old home folder back to the user's short name.

chown -R USERNAME /Users/USERNAME #Assign ownership of the old home folder to the mobile user.

chmod -R 755 /Users/USERNAME #Set permissions for the home folder (note: recursive 755 makes Desktop, Documents, Library, etc. readable by every other user; macOS itself sets 755 only on the top-level folder and 700 on most subfolders).

rm -r /Users/USERNAME/Library/Keychains/ #Remove the old keychains, which are locked with the old local password.

Dunno if it helps, but that's my process.

Posted: 4/9/15 at 6:43 PM by jhbush1973

@tcandela I feel like @rtrouton has a script for this. I would check his GitHub.

Posted: 4/9/15 at 7:13 PM by rtrouton

The script @jhbush1973 may be thinking of is available from here:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_local_user_to_AD_domain

Posted: 4/9/15 at 9:13 PM by tcandela

I believe it might be what @RobertHammen is pointing out.

I use: sudo chown -R bob:"mydomain\domain users" /Users/bob

One time it worked for this user, but I believe since then this user was added to this 'allow administration by' group, so the account is now getting admin rights. I'll remove the account from the group and see what happens.

Posted: 4/9/15 at 10:12 PM by RobertHammen

Yep, that will do it. Blessing in some environments, curse in others.

Posted: 4/10/15 at 12:29 PM by tcandela

@RobertHammen - I checked the previously AD-bound Mac, and the user in question was just 'managed mobile'; 'allow administration by' was not set to the user's group on that computer. Since then, the AD bind settings have added the group (that the user is a member of) to 'allow administration by', and that looks like why this user is now also being added as 'admin'.

When I added the group to 'allow administration by' on the first computer that I bound and restarted, the user account then changed to 'admin' (keeping 'managed mobile').

Thanks @RobertHammen that was the cause.

Posted: 4/10/15 at 3:03 PM by sfgcasper

You do have to be careful when doing this, though. If your local UID is 501 and AD assigns a UID of 2101, you may have permissions issues. I have to run a command like the one below when converting local to network accounts.

find -x / -user 501 -exec chown -hv 2101 {} \;
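The steps hkabik listed, the UID check sfgcasper describes, and the admin-group surprise RobertHammen identified, combined into one script as an added example. This is not hkabik's workflow verbatim, nor rtrouton's migrate_local_user_to_AD_domain script; it is editor-written. It assumes a macOS of that era with dscl, dsconfigad, dsmemberutil and createmobileaccount at the paths shown, a Mac already bound to AD, and root. The "Allowed admin groups = ..." line format it parses from `dsconfigad -show`, and the "is a member" wording from `dsmemberutil checkmembership`, are assumptions about those tools' text output. It deliberately does not `chmod -R 755` the home folder, only the top level.

```shell
#!/bin/bash
# Added example (editor-written, not hkabik's or rtrouton's script): migrate one
# local account to an AD mobile account, keep its home folder, fix files left
# owned by the old UID, and report if the bind's "Allow administration by" groups
# just made the user a local admin. Assumes macOS with dscl, dsconfigad,
# dsmemberutil and createmobileaccount; run as root on an already-bound Mac.
set -euo pipefail

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# --- text-only helpers (need no macOS tools, so they can be tested anywhere) ---

# Print the UID from the output of `dscl . -read /Users/NAME UniqueID`
# (a line of the form "UniqueID: 501").
parse_dscl_uid() {
  printf '%s\n' "$1" | awk '/^UniqueID:/ { print $2; exit }'
}

# Print the comma-separated "Allow administration by" groups from the output of
# `dsconfigad -show`. Assumed line format: "Allowed admin groups = g1,g2".
parse_admin_groups() {
  printf '%s\n' "$1" | awk -F'= *' '/Allowed admin groups/ { print $2; exit }'
}

# Succeed when the mobile account's UID differs from the old local UID, i.e. a
# boot-volume-wide chown pass (sfgcasper's caveat) is required.
uid_changed() {
  [ "$1" != "$2" ]
}

# --- the migration itself ------------------------------------------------------

migrate_user() {
  local user=$1 home tmp old_uid new_uid admin_groups
  home="/Users/$user"
  tmp="/Users/$user.premigration"

  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
  [ -d "$home" ] || { echo "no home folder at $home" >&2; return 1; }
  dscl . -read "/Users/$user" UniqueID >/dev/null 2>&1 \
    || { echo "$user is not a local account" >&2; return 1; }
  dsconfigad -show | grep -q 'Active Directory Domain' \
    || { echo "this Mac is not bound to AD" >&2; return 1; }

  admin_groups=$(parse_admin_groups "$(dsconfigad -show)")
  old_uid=$(parse_dscl_uid "$(dscl . -read "/Users/$user" UniqueID)")

  # 1. Drop the local record; park the home folder under a temporary name.
  dscl . -delete "/Users/$user"
  mv "$home" "$tmp"

  # 2. Create the mobile account, then discard the fresh home it made.
  "$CMA" -n "$user"
  rm -rf "$home"
  mv "$tmp" "$home"
  new_uid=$(parse_dscl_uid "$(dscl . -read "/Users/$user" UniqueID)")

  # 3. Re-own the home folder. Only the top level is 755; subfolders keep their
  #    existing (normally 700) modes instead of being opened to other users.
  chown -R "$user" "$home"
  chmod 755 "$home"

  # 4. If AD handed out a different UID, re-own every file on the boot volume
  #    still owned by the old one (caches, mail, /private/var, not just the home).
  if uid_changed "$old_uid" "$new_uid"; then
    echo "UID changed $old_uid -> $new_uid; re-owning stray files" >&2
    find -x / -user "$old_uid" -exec chown -h "$new_uid" {} +
  fi

  # 5. The old login keychain is locked with the local password; remove it so a
  #    new one is created at the first AD login.
  rm -rf "$home/Library/Keychains"

  # 6. Report whether the bind's admin groups made this user a local admin.
  #    Assumes dsmemberutil prints "user is a member of the group" when true.
  if dsmemberutil checkmembership -U "$user" -G admin | grep -q 'is a member'; then
    echo "NOTE: $user is now a local admin via allowed admin groups: $admin_groups" >&2
  fi
}

if [ $# -eq 1 ]; then
  migrate_user "$1"
fi
```

Run it as `sudo ./migrate_local_to_mobile.sh bob` on the bound Mac. The admin report at the end is informational: whether that is wanted depends on the group in "Allow administration by", which, as the thread shows, is set per bind and can differ between Macs.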

Posted: 4/12/15 at 7:49 AM by tcandela

@sfgcasper thanks for the heads-up; so far so good.
