In your AD binding, do you have "Allow Administration By" and valid groups specified there? Check with Directory Utility.
By any chance are the users members of one of these groups?
@RobertHammen - yes, I have 'allow administration by' and the user I am testing with is in that group. Is it because that user is in that group?
My workflow is as such:
dscl . delete /Users/USERNAME #Remove the current local user, leaving their home folder.
mv /Users/USERNAME /Users/TEMPUSERNAME #Change the home folder name to a temporary name.
cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/ #Navigate to cma directory.
./createmobileaccount -n USERNAME #Create the mobile account.
rm -r /Users/USERNAME #Remove the new home folder created by the mobile account creation.
mv /Users/TEMPUSERNAME /Users/USERNAME #Rename the old home folder back to the users short name.
chown -R USERNAME /Users/USERNAME #Assign ownership of the old home folder to the mobile user.
chmod -R 755 /Users/USERNAME #Set permissions for home folder.
rm -r /Users/USERNAME/Library/Keychains/ #Remove old keychains for user.
Dunno if it helps, but that's my process.
@tcandela I feel like @rtrouton has a script for this. I would check his GitHub
I believe it might be what @RobertHammen might be pointing out.
I use that: sudo chown -R bob:"mydomain domain users" /Users/bob
One time it worked for this user, but I believe since then this user was added to this 'allow administration by' group, and the account is now getting admin rights. I'll remove the account from the group and see what happens.
Yep, that will do it. Blessing in some environments, curse in another.
@RobertHammen - I checked the previous AD BOUND mac and the user in question was just 'managed mobile'; the 'allow administration by' was not set to the user's group on this computer. Since then, the AD BIND settings have added the group (that the user is a member of) to 'allow administration by', and that looks like why this user is now also being added as 'admin'.
When I added the group into the 'allow administration by' on the first computer that I bound and restarted, the user account then changed to 'admin' (keeping 'managed mobile').
Thanks @RobertHammen that was the cause.
You do have to be careful when doing this though. If your local UID is 501 and AD assigns a UID of 2101, then you may have permission issues. I have to run a command like the one below when converting local to network accounts.
sudo find -x / -user 501 -exec chown -hv 2101 {} \;
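The UID mismatch above is the check most worth automating after the home-folder-preserving workflow earlier in the thread (delete local user, create mobile account, move the old home back, chown). The following is an added example, not code posted by anyone in this thread: it scopes the find/chown to the migrated home folder instead of the whole disk, stays on one filesystem, refuses a target UID that does not resolve to an account, and offers a dry run before anything is re-owned. The paths and UIDs (/Users/bob, 501, 2101) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): re-own a migrated home folder from the
# old local UID to the new mobile account's UID, scoped to that folder only.
# Assumptions: the mobile account already exists; paths/UIDs are illustrative.

set -u

# Files under $1 still owned by numeric UID $2. -xdev keeps find on the home
# folder's own filesystem, so mounted volumes and network shares are never touched.
stale_files() {
    find "$1" -xdev -user "$2" -print
}

# Number of such files, as a quick before/after check.
stale_count() {
    stale_files "$1" "$2" | wc -l | tr -d ' '
}

# remap_home HOME OLD_UID NEW_UID [apply]
# Without "apply" this only prints what would change (dry run). With "apply" it
# chowns each stale file to NEW_UID (-h re-owns symlinks themselves, not their
# targets) and closes the home folder to its owner (700, not a recursive 755).
remap_home() {
    home="$1"; old="$2"; new="$3"; mode="${4:-preview}"
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 1; }
    # Refuse a target UID with no account on this machine: chowning to it would
    # just leave the files orphaned under a different number.
    id -un "$new" >/dev/null 2>&1 || { echo "UID $new has no account here" >&2; return 1; }
    if [ "$mode" = apply ]; then
        find "$home" -xdev -user "$old" -exec chown -h "$new" {} +
        chmod 700 "$home"
    else
        stale_files "$home" "$old"
    fi
}

# Permission bits of a path in ls notation (e.g. drwx------); stat flags differ
# between macOS and Linux, ls -ld does not.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Typical use, as root, after the mobile account has been created:
#   remap_home /Users/bob 501 2101          # preview
#   remap_home /Users/bob 501 2101 apply    # re-own
```

Run the preview first and compare its output with stale_count before and after; the count should drop to zero once the apply pass has run, and anything left is owned by a third UID that the migration never touched.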
@sfgcasper thanks for the heads up , so far so good.