
We have deployed a new Windows Server 2012 Active Directory infrastructure for an environment that previously contained no central mechanism for user authentication. All client computers are Mac OS X 10.9 Mavericks that use local accounts. My objective is to retain the data in the local user accounts stored in /Users but allow the AD user to gain ownership so the local accounts can be decommissioned. The home folders will remain local - they will not be network or mobile homes.

For example: A computer has a local account with shortname johndoe and matching home folder /Users/johndoe. I create a new user in Active Directory with shortname john. I want to be able to remove the OS X local user johndoe leaving its home folder behind. Then rename /Users/johndoe to /Users/john to match the AD user shortname and allow the AD user to adopt this local home folder.

How might I accomplish this?

sardean

1 Answer


You can certainly do this, but unless you script it (see below) there's no single-step solution. The basic steps are going to be:

  1. Bind the Mac to AD.
  2. Delete the local account, but leave the home folder alone. This can be done from the command line with dscl, or in System Preferences -> Users & Groups (just be sure to select "Don't change the home folder").
  3. Rename the home folder to the AD account's name.
  4. Change ownership to the AD account's UID number. Use chown -R for this, not the Finder (it doesn't give you enough control over what's being changed).

...so, you really want to script this process. The good news is that it's been done. AFP548.com has a couple of scripts that handle step 1, and Rich Trouton's MigrateLocalUserToADDomainAcct.command script (based on one by Patrick Gallagher) handles steps 2-4. If you want to make it a true single-step process, you'll have to splice them together yourself.
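Steps 2-4 of the answer as an added shell example (not the answer's own code and not Rich Trouton's script): it assumes the Mac is already bound to AD (step 1) so that `id -u john` resolves the AD account, that the AD user's home is expected at /Users/<shortname>, and that it runs as root; `DRY_RUN=1` prints the plan instead of applying it.

```bash
#!/bin/bash
# Added example: steps 2-4 of the answer as guarded shell functions.
# Assumes the Mac is already bound (step 1) so id(1) resolves AD accounts,
# and that the AD user's home folder is expected at /Users/<shortname>.
set -u

# Validate the inputs and print the three commands that would be run.
# Arguments: local shortname, AD shortname, AD uid, AD primary gid.
# Shortnames are checked (no "/", no leading ".") so a bad value can never
# turn the last step into "chown -R ... /Users" or "chown -R ... /".
plan_migration() {
    local old="$1" new="$2" uid="$3" gid="$4" n
    for n in "$old" "$new"; do
        case "$n" in ""|.*|*[!A-Za-z0-9._-]*) echo "bad shortname: '$n'" >&2; return 1;; esac
    done
    for n in "$uid" "$gid"; do
        case "$n" in ""|*[!0-9]*) echo "bad uid/gid: '$n'" >&2; return 1;; esac
    done
    [ "$old" != "$new" ] || { echo "shortnames are identical" >&2; return 1; }
    printf '%s\n' \
        "dscl . -delete /Users/$old" \
        "mv /Users/$old /Users/$new" \
        "chown -R $uid:$gid /Users/$new"
}

# Resolve the AD account, check both folders, print the plan, then apply it
# unless DRY_RUN=1. dscl removes only the local record; the home stays on disk.
migrate_local_user() {
    local old="$1" new="$2" uid gid
    uid="$(id -u "$new" 2>/dev/null)" && gid="$(id -g "$new" 2>/dev/null)" \
        || { echo "AD user '$new' does not resolve; is the Mac bound?" >&2; return 1; }
    [ -d "/Users/$old" ] || { echo "/Users/$old is not a directory" >&2; return 1; }
    [ ! -e "/Users/$new" ] || { echo "/Users/$new already exists" >&2; return 1; }
    plan_migration "$old" "$new" "$uid" "$gid" || return 1
    [ "${DRY_RUN:-0}" = 0 ] || return 0    # plan printed; stop here on a dry run
    dscl . -delete "/Users/$old" \
        && mv "/Users/$old" "/Users/$new" \
        && chown -R "$uid:$gid" "/Users/$new"
}

# Usage for the case in the question (as root, after binding):
#   DRY_RUN=1 migrate_local_user johndoe john    # review the three commands
#   migrate_local_user johndoe john              # apply them
```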