AD Username Alias clearing

TheSeans
New Contributor

With 10.10 I've started to notice that my username aliases for AD mobile accounts seem to randomly vanish.

We recently made the switch for our AD accounts to namespace forest, which appends the domain at the start of the username, to fulfill a request from our network department to help out with BYOD filtering.

To prevent having our users have to type DOMAIN\UN, I made a script that runs on first login to add their plain username as an alias. Everything was working great up until 10.10.3.

Has anyone else run into this? Or if anyone knows of a cleaner way to go about this, I'd love to hear it. Thanks.

1 ACCEPTED SOLUTION

davidacland
Honored Contributor II

If it's a mobile account, isn't it just re-caching the account details when it's connected to the domain, and therefore replacing your mod to the RecordName attribute?

Not sure if it's new behaviour or why it didn't do it in 10.10.3.

The adjusted script could be run at each login and correct the record if the value is missing.

8 REPLIES

davidacland
Honored Contributor II

Could you share the commands you have been running at login to add the alias?

TheSeans
New Contributor

Sure. I warn you, this is dirty as heck. Due to the dang backslashes in the name I had to jump through hoops modifying the username to not include the DOMAIN when I set an alias. It should only ever create the alias once, though.

The alias has also vanished from a machine I didn't run the script on; I just hand-added it through the user panel.

#!/bin/bash
# Get the current logged in user (DOMAIN\user for a namespace-forest AD account)
# and store it in $loggedinuser
loggedinuser=$(stat -f%Su /dev/console)

# Double the backslash so dscl does not treat it as an escape inside the record
# path. Store as $moddeduser
moddeduser=$(printf '%s' "$loggedinuser" | sed 's/\\/\\\\/g')

# Cut out the domain prefix: a 5-character domain plus the backslash is 6
# characters, so the bare username starts at column 7. Store as $cutuser
cutuser=$(printf '%s' "$loggedinuser" | cut -c 7-)

# Marker file in the user's profile. The alias is added only while this file is
# present, and the file is deleted afterwards so the alias is never added twice.
file="/Users/$loggedinuser/Library/loginalias.txt"

if [ -f "$file" ]; then
    # File exists, adding the user alias
    dscl . -append /Users/"$moddeduser" RecordName "$cutuser"
    rm -v "$file"
fi

davidacland
Honored Contributor II

@TheSeans makes sense. I'm just trying out a modded version of the script; how many characters is the domain prefix you're cutting out?

TheSeans
New Contributor

@davidacland It is 5, and the backslash gets changed to two of them so it doesn't terminate the line, so it ends up as 7.

davidacland
Honored Contributor II

Not sure if it will fix the issue you're getting but this is working for me locally:

#!/bin/bash
# Get the current logged in user, e.g. DOMAIN\jsmith
consoleUser=$(stat -f%Su /dev/console)

# Remove DOMAIN and the backslash, store the bare name in $loggedinuser
loggedinuser=$(printf '%s' "$consoleUser" | sed 's/.*\\//')

# dscl treats a backslash in a path component as an escape, so double it and
# address the record by its domain-qualified name (the bare name only resolves
# as a path once the alias exists)
recordPath="/Users/$(printf '%s' "$consoleUser" | sed 's/\\/\\\\/g')"

# Check if the alias is already set. RecordName lists all of its values on one
# line, so split them and require an exact match: a substring grep would also
# match the bare name inside DOMAIN\jsmith and the alias would never be added
aliasSet=$(dscl . -read "$recordPath" RecordName | tr ' ' '\n' | grep -cx "$loggedinuser")

# If alias is present 0 times, add it
if [ "$aliasSet" -eq 0 ]; then
    dscl . -append "$recordPath" RecordName "$loggedinuser"
fi

exit 0

TheSeans
New Contributor

I like your adjustment, much smoother than my mess. Thanks for the cleanup.

The script has been working for me; I've just had an alias that I know was there for weeks vanish. It seems to mostly happen when people bring their MacBooks back from a weekend or time off, but not consistently.

TheSeans
New Contributor

Looks like you were right, David. I was able to replicate it by changing the amount of time it allowed the account to stay before re-caching. Thanks for the suggestion.
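The accepted suggestion, re-running the alias check at every login so the RecordName value is put back after the mobile account re-caches, as an added example that is not code from this thread. It assumes, as the thread does, that the console user is reported as DOMAIN\user and that `dscl . -read <record> RecordName` lists every RecordName value; the `DSCL` override variable, the constructed sample output in the comments and all function names are this example's own. It goes beyond the posted scripts in three ways: the check is an exact match against each RecordName value rather than a substring grep, the record is addressed by its domain-qualified name so it resolves before the alias exists, and the record is re-read after the append so a failed or ignored append is reported instead of silently trusted.

```shell
#!/bin/bash
# Added example: idempotent RecordName alias repair for an AD mobile account,
# intended to run as root at every login (for example from a login policy).
# Assumptions (not taken from the thread): the console user looks like
# DOMAIN\jsmith and dscl prints RecordName values space-separated on one line
# (or one per indented line when a value contains a space).

# Bare username from a DOMAIN\user record name (unchanged if there is no backslash).
short_name() {
    printf '%s\n' "${1#*\\}"
}

# dscl path for the record. A backslash inside a path component must be
# doubled so dscl does not treat it as an escape.
record_path() {
    printf '/Users/%s\n' "$(printf '%s' "$1" | sed 's/\\/\\\\/g')"
}

# Given the output of `dscl . -read <record> RecordName`, return 0 (true) when
# the wanted name is already one of the values. The match is against whole
# values: a plain substring grep for jsmith also matches DOMAIN\jsmith and
# would report the alias present when it is not.
has_alias() {
    record_output="$1"
    wanted="$2"
    printf '%s\n' "$record_output" \
        | sed 's/^RecordName: *//' \
        | tr ' ' '\n' \
        | grep -qx -- "$wanted"
}

# Repair the alias for the given console user. Returns 0 when the alias is
# present afterwards (already there, or appended), 1 when dscl fails.
# The directory command can be overridden through $DSCL for offline testing.
ensure_alias() {
    full="$1"
    short=$(short_name "$full")
    # A plain local account has no DOMAIN\ prefix and needs no alias
    [ "$short" = "$full" ] && return 0
    path=$(record_path "$full")
    current=$("${DSCL:-dscl}" . -read "$path" RecordName) || return 1
    if has_alias "$current" "$short"; then
        return 0
    fi
    "${DSCL:-dscl}" . -append "$path" RecordName "$short" || return 1
    # Re-read so that an append that did not take effect is reported as a failure
    has_alias "$("${DSCL:-dscl}" . -read "$path" RecordName)" "$short"
}

# Only touch the directory when actually running as root on macOS.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    if ! ensure_alias "$(stat -f%Su /dev/console)"; then
        echo "RecordName alias repair failed for $(stat -f%Su /dev/console)" >&2
        exit 1
    fi
fi
```

`dscl . -append` on the local node needs root, so this belongs in a login policy or login hook rather than a user-level launch agent. Because the check is an exact match and the append is skipped when the value is already present, running it at every login is safe and simply restores the alias whenever a re-cache has dropped it.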