Skip to main content

My university is just starting to get serious about managing our Mac fleet, so I've taken on a new role in our central IT office.



We have central print servers and central file shares and such, but everything has (until now) been delivered via Group Policy. Basically, if you didn't have a Windows machine, you had to do everything by hand.



In order to utilize those Active Directory Security Groups that are being used for Windows deployment, the Mac users need to be bound to AD, and then their local accounts need to be converted to mobile accounts. I found a few scripts that helped with this endeavor (thanks again @rtrouton), but I could never find anything that quite fit my needs, so I wrote a couple scripts to do what I needed. I figure that if I had a need, someone else does as well.



I've created a Github repository with scripts to perform an AD binding where where are dozens of potential OUs as referenced in https://jamfnation.jamfsoftware.com/discussion.html?id=12629#responseChild73850 as well as migrating user accounts.



Currently, the repo only consists of bindMachineToActiveDirectory.sh and migrateLocalUserToADDomainUser.sh, but I will be adding more as I create them. Both scripts are usable in Self Service.



Hopefully this helps someone.

Thanks for sharing this. I just wanted to share my initial experience with your migrateLocalUserToADDomainUser.sh. I've been storing CocoaDialog.app in /Library/Application Support/JAMF/bin. The script fails if I include to escape the space. And it hangs and eventually fails if I leave the space as is. It works fine when CocoaDialog is in a directory with out spaces in the name. I probably don't need to store this app in the jamf bin folder anyways but just wanted to share.



Thanks @msblake issue resolved in version 2.1

I usually have it in /Applications/Utilities, so my testing didn't have a space in it. I'll play around and adjust the code to fix as soon as I get a minute.



Update: @rickwhois Variable escaping appears to be fixed.

I'll daisy chain on here with my own offer. I created a GUI tool to migrate a profile from a local account, to an AD account. It will also add the AD use to FileVault, which was a requirement for us, and give admin rights as needed. It's designed so that an end user can bind themselves via Policy, then this tool auto-opens for migration.
https://github.com/tmhoule/ProfileMigration
We've had some issues like DropBox needed to be redirected after moving the home directory, but nothing major.

Forgive my inexperience, looking at your bindMachineToActiveDirectory.sh script I noticed you add your Macs to security groups in AD. Do you restrict login per such security groups as well?

These are groups of users that are granted administrative privileges to machines in certain OUs.

I know this info is a bit old. I was testing this out and found that if the local user name is the same as the AD user name it does not show up in the list of accounts that can be migrated. Just wondering if you have seen this or if it is a 10.11.6 issue? Works fine with different account names.



I also can't figure out how the local accounts are validated?
If I have a local account called BSmith and I have an AD account called BSmith how is the local account verified that it is local?



Thanks

All AD accounts have a UID above 1024 and all local accounts are below 1024.

Got it, Thanks! Not sure why my local account is not showing up. Will continue poking around.

Are you currently logged into it? Is it hidden?



I can't think of any other scenarios off the top of my head.

Odd. My local account has a guid over 1024. Must have been left behind somehow while I was testing.
Thanks for the info and the script.



Cheers.

Can anyone confirm if this still works on "El Capitan" or higher. It said it ran successfully but when I logged out and try to log in it says it cannot create the mobile account and locate /Users/domainname folder"

Reply


Terms & ConditionsCookie settings