- Jamf Nation Community
- Products
- Jamf Pro
- Re: Bind to Active Directory and Migrate Local Use...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Bind to Active Directory and Migrate Local User Account to AD Account
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-20-2014 06:19 PM
My university is just starting to get serious about managing our Mac fleet, so I've taken on a new role in our central IT office.
We have central print servers and central file shares and such, but everything has (until now) been delivered via Group Policy. Basically, if you didn't have a Windows machine, you had to do everything by hand.
In order to utilize those Active Directory Security Groups that are being used for Windows deployment, the Mac users need to be bound to AD, and then their local accounts need to be converted to mobile accounts. I found a few scripts that helped with this endeavor (thanks again @rtrouton), but I could never find anything that quite fit my needs, so I wrote a couple scripts to do what I needed. I figure that if I had a need, someone else does as well.
I've created a Github repository with scripts to perform an AD binding where where are dozens of potential OUs as referenced in https://jamfnation.jamfsoftware.com/discussion.html?id=12629#responseChild73850 as well as migrating user accounts.
Currently, the repo only consists of bindMachineToActiveDirectory.sh and migrateLocalUserToADDomainUser.sh, but I will be adding more as I create them. Both scripts are usable in Self Service.
Hopefully this helps someone.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-22-2014 10:05 AM
Thanks for sharing this. I just wanted to share my initial experience with your migrateLocalUserToADDomainUser.sh. I've been storing CocoaDialog.app in /Library/Application Support/JAMF/bin. The script fails if I include to escape the space. And it hangs and eventually fails if I leave the space as is. It works fine when CocoaDialog is in a directory with out spaces in the name. I probably don't need to store this app in the jamf bin folder anyways but just wanted to share.
Thanks @msblake issue resolved in version 2.1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-22-2014 10:09 AM
I usually have it in /Applications/Utilities, so my testing didn't have a space in it. I'll play around and adjust the code to fix as soon as I get a minute.
Update: @rickwhois Variable escaping appears to be fixed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-23-2014 07:09 AM
I'll daisy chain on here with my own offer. I created a GUI tool to migrate a profile from a local account, to an AD account. It will also add the AD use to FileVault, which was a requirement for us, and give admin rights as needed. It's designed so that an end user can bind themselves via Policy, then this tool auto-opens for migration.
https://github.com/tmhoule/ProfileMigration
We've had some issues like DropBox needed to be redirected after moving the home directory, but nothing major.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-23-2014 09:54 AM
Forgive my inexperience, looking at your bindMachineToActiveDirectory.sh script I noticed you add your Macs to security groups in AD. Do you restrict login per such security groups as well?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 12-23-2014 10:55 AM
These are groups of users that are granted administrative privileges to machines in certain OUs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 12:05 PM
I know this info is a bit old. I was testing this out and found that if the local user name is the same as the AD user name it does not show up in the list of accounts that can be migrated. Just wondering if you have seen this or if it is a 10.11.6 issue? Works fine with different account names.
I also can't figure out how the local accounts are validated? If I have a local account called BSmith and I have an AD account called BSmith how is the local account verified that it is local?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 12:12 PM
All AD accounts have a UID above 1024 and all local accounts are below 1024.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 12:16 PM
Got it, Thanks! Not sure why my local account is not showing up. Will continue poking around.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 12:20 PM
Are you currently logged into it? Is it hidden?
I can't think of any other scenarios off the top of my head.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 12:41 PM
Odd. My local account has a guid over 1024. Must have been left behind somehow while I was testing. Thanks for the info and the script.
Cheers.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-03-2017 07:36 AM
Can anyone confirm if this still works on "El Capitan" or higher. It said it ran successfully but when I logged out and try to log in it says it cannot create the mobile account and locate /Users/domainname folder"
