Active Directory Username Change

moojomoore
New Contributor III

We have a staff member that has just gotten married and now has a name change. I have never had to deal with this before within Active Directory and am not sure how to proceed. Our username convention is the first letter of the first name and the full last name, i.e. jdoe. If I were to change the username and name within Active Directory for this person, what will it all affect? Is this the best method to do this, or should I be creating a new Active Directory user account? How do I change the mobile account username on their laptop to reflect this new username and name while keeping files, settings, etc. intact?

2 ACCEPTED SOLUTIONS

jjones
Contributor II

In AD, you can change their username without having to create a new account. The tricky part is if the person logs into a Mac or Windows machine.

Windows machines, IIRC XP and up, use UUIDs to address the user, making name changes typically seamless.
Mac machines, however, do not use Microsoft's UUID structure.

In order to remedy this, you have to:
1. Go to /Users/usernamehere and change the username to newusernamehere_current
2. Go to System Preferences and delete the user profile
3. Have the user log in using the newly changed username
4. Log out and log into the admin account
5. Delete the newly created /username file, rename /Users/newusernamehere_current to the current /Users/username
6. Open Terminal and do the following (this will give all appropriate permissions to the new username):

sudo chown -Rv usernamehere /Users/newusername

7. Have the user log into the system with the new account; if it asks about a keychain, click "Create New Keychain".


maxbehr
Contributor II

@jjones is absolutely correct. I would note that in my experience you can streamline the process by doing the following:

  1. Log in with your admin account and delete the user account; when prompted, choose the option to keep the user profile
  2. Open Terminal and type in: sudo mv /Users/old_user_name /Users/new_user_name
  3. Next: sudo chown -Rv new_user_name /Users/new_user_name
  4. Log out and have the user log in (assuming the password hasn't changed, the keychain will still be valid and unlock)


6 REPLIES

cbrewer
Valued Contributor II

I was just about to echo what @maxbehr said.

Our process involves 2 steps. 1) We run a dscl . delete /Users/username command to delete the cached account. 2) We mv the home directory so its directory name matches the new username. In my experience that's all you have to do. Have the user log back in.
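As an added example (not code from anyone in this thread), here is a small sh script that performs the delete-record, move-home, chown sequence maxbehr and cbrewer describe, with the checks an admin would want before touching a home folder: both short names must follow the site convention, the old home must exist, the new home must not already exist, and the old account must not still be logged in. USERS_ROOT and DRY_RUN are hypothetical knobs so the steps can be rehearsed without a bound Mac; jdoe and jsmith are constructed names.

```shell
#!/bin/sh
# Added example: rename a cached mobile AD account's local record and home
# folder after the short name changed in AD (e.g. jdoe -> jsmith).
# Run with sudo on the Mac. USERS_ROOT and DRY_RUN are hypothetical knobs
# that let the script be rehearsed against a scratch directory.

USERS_ROOT="${USERS_ROOT:-/Users}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# Site convention is first initial + last name, so a short name is lowercase letters only.
valid_shortname() {
    case "$1" in
        ''|*[!a-z]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if any process still runs as the user, i.e. the old account is logged in.
user_logged_in() {
    ps -A -o user= 2>/dev/null | grep -qx "$1"
}

# Exit codes: 0 ok, 2 bad name, 3 old home missing, 4 new home exists, 5 still logged in.
rename_cached_account() {
    old="$1"; new="$2"
    valid_shortname "$old" || { echo "bad old name: $old" >&2; return 2; }
    valid_shortname "$new" || { echo "bad new name: $new" >&2; return 2; }
    [ -d "$USERS_ROOT/$old" ] || { echo "no home at $USERS_ROOT/$old" >&2; return 3; }
    if [ -e "$USERS_ROOT/$new" ]; then
        echo "refusing: $USERS_ROOT/$new already exists" >&2; return 4
    fi
    user_logged_in "$old" && { echo "refusing: $old is still logged in" >&2; return 5; }
    # The new name should already resolve through AD, otherwise the next login fails.
    id "$new" >/dev/null 2>&1 || echo "warning: '$new' does not resolve yet" >&2
    run dscl . -delete "/Users/$old"                # drop the cached local record
    run mv "$USERS_ROOT/$old" "$USERS_ROOT/$new"    # keep the data, rename the folder
    run chown -R "$new" "$USERS_ROOT/$new"          # ownership follows the new record
}

if [ "$#" -eq 2 ]; then
    rename_cached_account "$1" "$2"
fi
```

Rehearse with DRY_RUN=1 USERS_ROOT=/tmp/scratch first; the commands are printed instead of executed and the home folder is left untouched.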

FastGM3
Contributor

I found this process a while back that doesn't involve moving or deleting the user's data.

Enable the root account if it is not already enabled:
Open “Directory Utility”, either from /System/Library/CoreServices or via System Preferences -> Accounts -> Login Options -> Edit -> Open Directory Utility
From the “Edit” menu choose “Enable Root User”
Enter the password “whatever” for the root account
Log out and log in as root

Once logged in, turn on hidden files from the Terminal:

defaults write com.apple.finder AppleShowAllFiles true
killall Finder

Browse to the folder /var/db/dslocal/nodes/Default/users
Look for the plist file associated with the old user account
Make a copy on the desktop just to be safe
Rename the file to match the new user name
Open the file with a plist editor and do a find (old username) / replace (new username) to change the user name entries in the plist
Save the plist file
Go to the Users folder and update the name of the home folder
From the Terminal, run the following command to verify that the new plist file is recognized:
dscl . list /Users
If it is not listed, double-check the plist file name
Log out and then log in under the new account name and verify everything works.

You may also need to reset the Keychain as well.
Go back to “Directory Utility” and disable the root account

rtrouton
Release Candidate Programs Tester

I have a script that can assist with this process:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_local_user_to_AD_d...

It's designed to migrate a local account to a mobile AD account, but it can also be used to migrate from one mobile AD account to another mobile AD account.

atomczynski
Valued Contributor

Can I use this method:

Login with your admin account and delete the user account, when prompted choose the option to keep the user profile
Open terminal and type in sudo mv /Users/old_user_name /Users/new_user_name
next sudo chown -Rv new_user_name /Users/new_user_name
Log out and have the user login (assuming the password hasn't changed, then the keychain will still be valid and unlock)

If I'm using FileVault?
The device will be 10.13.x or 10.14.x
(MS AD) Managed, Mobile account