AD Account Migration-From one domain to another

cbooker
New Contributor III

I need help figuring out how to transfer existing user accounts from one domain to another domain. In Mac OS 10.7.4.

I am able to successfully bind a Mac computer (running 10.7.4) to our new domain. But then the existing user accounts (from the old domain) can no longer be accessed while the computer is bound to the new domain. How do I transfer the existing user accounts to the new domain???

8 REPLIES 8

donmontalvo
Esteemed Contributor III

The UID/GID for that user's home directory are specific to the old domain, so you'll need to change owner:group for it to work with the new domain.

If the user's short name didn't change, it should be a simple matter of:

sudo chown -R <domain-user>:<new-domain-group> /Users/<domain-user>

This will update the UID/GID for the new domain. Just can't be logged in as the user while running the command, and the usual spiel about dealing with locked files.

If the user's short name did change, you'll need to change the home directory folder name first:

sudo mv /Users/<old-domain-user> /Users/<new-domain-user>

Then run the chmod command

Don

--
https://donmontalvo.com

brent_slater
New Contributor

Hi Don,

Will this command be the same for Leopard and Snow Leopard?

I will be migrating about 40 odd macs in a couple of weeks and I will need to ensure that the users get their home folder and preferences migrated also

jmb03012
New Contributor III

I actually have a project going on right now where we are migrating from one domain to another and were trying to see if we could automate the majority of the process. We were able to get the unbind, bind, and a few other things all scripted, only problem we had was the account owner needs to be change.

I figured that every mobile account has a UniqueID >1000 so if I wrote a script to query that, it would protect any local accounts and allow the script to hit multiple accounts on the machine.

Oddly enough, the same syntax doesnt work on 10.6 as does on 10.7 and 10.8 when pushed via Casper although it does if you manually type it in terminal, very odd. Ended up needing to use ' vs " in the 10.6 version.

Ultimately, we came up with the following scripts which will query for all clients with a UniqueID >1000, then for each user in that list, delete the user account from the OS and Directory Services while preserving the home directory, then change the owner to our New Domain (vs Staff since they are not local accounts).

Would love to know what you guys think. Thanks! - Jordan

10.6 Version

#!/bin/sh

#Create a list of mobile user accounts who always have a UniqueID of greater than 1000
mobileuserList=`dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'`

for mobileuser in $mobileuserList ; do

echo "Resetting $mobileuser Owner Permissions"
sudo dscl . delete /Users/$mobileuser
sudo chown -R $mobileuser:'DELTADomain Users' /Users/$mobileuser


done

10.7_10.8 Version

#!/bin/sh

#Create a list of mobile user accounts who always have a UniqueID of greater than 1000
mobileuserList=`dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}'`

for mobileuser in $mobileuserList ; do

echo "Resetting $mobileuser Owner Permissions"
sudo dscl . delete /Users/$mobileuser
sudo chown -R $mobileuser:"DELTADomain Users" /Users/$mobileuser


done

bentoms
Release Candidate Programs Tester

If the mac is bound to the 2nd domain & the users home folder is named as per the users AD username try:http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/

Even if you have multiple accounts, it'll work.

jmb03012
New Contributor III

@bentoms I had actually come across this when I first started researching the issue, but ran into some issues.

The way our AD is set up, the nodes and group that ultimately was the owner was not the phone I needed. When I ran the command that gets the domain and group name in terminal manually, I got a list and based on the results after the script, looks like the script is pulling the first name from the list which is alphabetical, unfortunately thats not the proper domain these clients are on.

donmontalvo
Esteemed Contributor III

We had a project recently where we had to move users from namespace domain to namespace forest. Users were all on 10.7 and we were trying to get them onto 10.8. There was a mix and match, with some computers set to namespace domain and some set to namespace forest. So we had to set up a policy scoped to the computers that had namespace domain accounts (/Users/ACMEjdoe and /Users/CORPjdoe), delete their account without deleting the home directory, then rename their home directory and finally rebind the compupter to namespace forest. When users logged on correctly, using only their short name, their home directory linked up without any hitches.

We found that using a combination of single quotes and double back slashes got it done for us.

sudo dscl . delete '/Users/CORP\pwaldo'
sudo dscl . delete '/Users/CORP\swalcott'
sudo dscl . delete '/Users/ACME\jdoe'
sudo dscl . delete '/Users/ACME\bsmith'

and

sudo mv '/Users/CORP\pwaldo' /Users/pwaldo
sudo mv '/Users/CORP\swalcott' /Users/swalcott
sudo mv '/Users/ACME\jdoe' /Users/jdoe
sudo mv '/Users/ACME\bsmith' /Users/bsmith

Not sure how helpful this might be for your situation, but worth trying?

Don

--
https://donmontalvo.com

bentoms
Release Candidate Programs Tester

@jmb03012, sorry I'm not really following.

Can you give an example?

That's my blog, so I should be able to amend it for you.

jmb03012
New Contributor III

@bentoms

Sure, so I just took a lab machine running 10.8, unbound it and rebound it to our old domain. Then I logged into it with my AD account, logged out, unbound and rebound to the new domain. Then I ran your script which did run successful.

The issues however are the following:

I am able to log back into the account with no issue using my credentials on the new domain, however on first login I always get prompted by the Configuration Profile Tool for admin credentials because it wants to make a change. This is an issue because it doesn't make the process seamless for the enduser.

Once I authenticate, when I check the owner and permissions on my home directory, it has the wrong domain group as the owner. I have changed the names but assume for a moment our new domain is supposed to be Delta.lftltd.net which is what the new machine is bound to and therefore the new owner of this account should be "DELTADomain Users" however the owner is showing up as "GAMMADomain Users" Now we do have a Gamma.lftltd.net so I wanted to figure out how this was happening so I went back to the first part of your script to run some of the lines indvidualy to see what type of output they were getting.

When I run "dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/'" I get the following output:

Last login: Fri Nov 15 08:49:40 on console
C02JN1G8DKQ5:~ jordanbender$ dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/'
AppleMetaNodeLocation:
 /Active Directory/DELTA/gamma.lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/omega.lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/zeta.lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/delta.lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/alpha.lftltd.net
AppleMetaRecordName:
AppleMetaNodeLocation:
 /Active Directory/DELTA/beta.lftltd.net
AppleMetaRecordName:

As you can see, gamma.lftltd.net comes up first so I think thats what the script is picking up and passing along but we need to pick up Delta.

The second problem is it doesnt always pick up gamma or anything for that matter, we can consistently log in when we run your script, but its 50/50 whether we have the wrong owner of the account, or whether we get "Fetching" for the user and owner.