change local account to managed mobile

tcandela
Valued Contributor II

Some local users have home folders based on their NetID. Now the computers will get AD bound; what is the best way to convert these local accounts from local to managed mobile?

I deleted the account, leaving the home folder
renamed it: mv "/Users/bob (Deleted)" /Users/bob
sudo chown -R bob:"domain\Domain Users" /Users/bob

Now the user is managed mobile, BUT then also admin!! Why is it getting set as admin?

On one computer this worked fine (the user was just managed mobile); then on another computer it also set the user as Admin.

1 ACCEPTED SOLUTION

RobertHammen
Valued Contributor II

In your AD binding, do you have "Allow Administration By" and valid groups specified there? Check with Directory Utility.

By any chance are the users members of one of these groups?
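As an added illustration of the check Robert describes (this is example code, not something posted in the thread or shipped by Jamf or Apple): `dsconfigad -show` is the command-line view of Directory Utility's "Allow administration by"; the value appears under "Allowed admin groups". The script below pulls that list out and reports whether a given user has actually landed in the local `admin` group. The group names and the sample `dsconfigad -show` excerpt are constructed placeholders; on a machine without `dsconfigad` the script just parses the sample.

```shell
#!/bin/bash
# Added example, not from the thread or from Jamf/Apple: list the AD groups the
# bind maps to local admin ("Allow administration by" in Directory Utility,
# "Allowed admin groups" in dsconfigad -show) and report whether a user ended
# up in the local admin group. Group names and the sample output are constructed.
set -u

# Constructed excerpt of `dsconfigad -show`, used when dsconfigad is not present.
SAMPLE_SHOW='Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = EXAMPLE\mac admins,EXAMPLE\domain admins
  Authentication from any domain = Enabled'

# admin_groups_from_show: read dsconfigad -show output on stdin and print each
# allowed admin group on its own line; prints nothing when the value is "not set".
admin_groups_from_show() {
  awk -F'= *' '
    /Allowed admin groups/ {
      if ($2 ~ /^not set/) next
      n = split($2, g, ",")
      for (i = 1; i <= n; i++) {
        sub(/^ +/, "", g[i]); sub(/ +$/, "", g[i])
        if (g[i] != "") print g[i]
      }
    }'
}

# report_admin_exposure USER: macOS-only check against the live bind settings.
# dseditgroup exits 0 only when USER is a member of the local admin group.
report_admin_exposure() {
  local user=$1
  echo "AD groups granted local admin by the bind:"
  dsconfigad -show | admin_groups_from_show
  echo
  if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
    echo "$user IS in the local admin group"
  else
    echo "$user is not in the local admin group"
  fi
  echo "Groups $user belongs to (compare against the list above):"
  id -Gn "$user"
}

if command -v dsconfigad >/dev/null 2>&1; then
  report_admin_exposure "${1:-bob}"
else
  echo "dsconfigad not available here; parsing the constructed sample instead:"
  printf '%s\n' "$SAMPLE_SHOW" | admin_groups_from_show
fi
```

Run it as `sudo ./check_admin_groups.sh bob` on a bound Mac. If the user shows up in the local admin group and one of their `id -Gn` groups matches an entry from the first list, the bind setting, not the account conversion, is what granted admin.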


10 REPLIES

tcandela
Valued Contributor II

@RobertHammen - yes, I have 'allow administration by' and the user I am testing with is in that group. Is it because that user is in that group?

hkabik
Valued Contributor

My workflow is as such:

dscl . delete /Users/USERNAME #Remove the current local user, leaving their home folder.

mv /Users/USERNAME /Users/TEMPUSERNAME #Change the home folder name to a temporary name.

cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/ #Navigate to cma directory.

./createmobileaccount -n USERNAME #Create the mobile account.

rm -r /Users/USERNAME #Remove the new home folder created by the mobile account creation.

mv /Users/TEMPUSERNAME /Users/USERNAME #Rename the old home folder back to the users short name.

chown -R USERNAME /Users/USERNAME #Assign ownership of the old home folder to the mobile user.

chmod -R 755 /Users/USERNAME #Set permissions for home folder.

rm -r /Users/USERNAME/Library/Keychains/ #Remove old keychains for user.

Dunno if it helps, but that's my process.

jhbush
Valued Contributor II

@tcandela I feel like @rtrouton has a script for this. I would check his GitHub.

rtrouton
Release Candidate Programs Tester

tcandela
Valued Contributor II

I believe it might be what @RobertHammen is pointing out.

I use that sudo chown -R bob:"mydomain\domain users" /Users/bob

One time it worked for this user, but I believe since then this user was added to this 'allow administration by' group, so the account is now getting admin rights. I'll remove the account from the group and see what happens.

RobertHammen
Valued Contributor II

Yep, that will do it. Blessing in some environments, curse in another.

tcandela
Valued Contributor II

@RobertHammen - I checked the previous AD-bound Mac and the user in question was just 'managed mobile'; 'allow administration by' was not set to the user's group on that computer. Since then, the AD bind settings have added the group (that the user is a member of) to 'allow administration by', and that looks like why this user is now also being added as 'admin'.

When I added the group to 'allow administration by' on the first computer that I bound and restarted, the user account then changed to 'admin' (keeping 'managed mobile').

Thanks @RobertHammen that was the cause.

sfgcasper
New Contributor

You do have to be careful when doing this, though. If your local UID is 501 and AD assigns a UID of 2101, you may have permissions issues. I have to run a command like the one below when converting local to network accounts.

find -x / -user 501 -exec chown -hv 2101 {} \;
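An added example (not from the thread, and not Apple's or Jamf's code) that ties together hkabik's swap-the-home-folder workflow above and sfgcasper's UID warning: it records the local UID before the record is deleted, creates the mobile account, puts the preserved home back, and then re-owns anything still held by the old UID to the one AD assigned. `USERNAME`, the UIDs and the `.localhome` parking folder name are placeholders chosen for this example; it must run as root on an already bound Mac.

```shell
#!/bin/bash
# Added example, not from the thread or from Apple: convert a local account to an
# AD mobile account while keeping the existing home folder, then re-own files
# still owned by the old local UID (e.g. 501) to the UID Active Directory
# assigned (e.g. 2101). Run as root on a bound Mac; USERNAME, the UIDs and the
# temporary folder name are placeholders chosen for this example.
set -u
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# is_uid VALUE: true only for a non-empty decimal number.
is_uid() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# record_uid NAME: UID of the local directory record, empty if none (macOS dscl).
record_uid() { dscl . -read "/Users/$1" UniqueID 2>/dev/null | awk '{print $2}'; }

# reown_tree OLD NEW ROOT [dry]: hand everything owned by OLD to NEW. -x stays on
# the one volume, -h changes the symlink itself rather than its target, and
# "{} +" batches paths instead of forking chown per file. Any fourth argument
# only lists what would change. Returns 2 on non-numeric input.
reown_tree() {
  local old=$1 new=$2 root=$3 dry=${4:-}
  if ! is_uid "$old" || ! is_uid "$new"; then
    echo "UIDs must be numeric, got '$old' and '$new'" >&2
    return 2
  fi
  if [ "$old" = "$new" ]; then
    echo "UID $old unchanged; nothing to re-own" >&2
    return 0
  fi
  if [ -n "$dry" ]; then
    find -x "$root" -user "$old" -print
  else
    find -x "$root" -user "$old" -exec chown -h "$new" {} +
  fi
}

# convert_local_to_mobile USERNAME: delete the local record, create the mobile
# account, swap the preserved home folder back in, then fix ownership.
convert_local_to_mobile() {
  local user=$1 home tmp old_uid new_uid
  if [ -z "$user" ]; then echo "usage: convert_local_to_mobile USERNAME" >&2; return 1; fi
  home="/Users/$user"
  tmp="/Users/$user.localhome"
  if [ "$(id -u)" -ne 0 ]; then echo "must run as root" >&2; return 1; fi
  old_uid=$(record_uid "$user")
  if ! is_uid "$old_uid"; then echo "no local record for $user" >&2; return 1; fi
  if [ -e "$tmp" ]; then echo "$tmp exists; refusing to overwrite" >&2; return 1; fi

  dscl . -delete "/Users/$user"           # record goes, home folder stays
  mv "$home" "$tmp"                        # park the old home
  if ! "$CMA" -n "$user"; then
    mv "$tmp" "$home"                      # creation failed: put the home back
    echo "createmobileaccount failed for $user; local record is gone" >&2
    return 1
  fi
  new_uid=$(record_uid "$user")
  if [ -d "$home" ]; then rm -rf "$home"; fi   # empty home made by createmobileaccount
  mv "$tmp" "$home"
  chown -R "$user" "$home"                 # by name, so it resolves to the new UID
  if is_uid "$new_uid"; then
    reown_tree "$old_uid" "$new_uid" /     # stragglers outside the home folder
  fi
}

if [ "${1:-}" = "--convert" ]; then
  convert_local_to_mobile "${2:-}"
fi
```

Try `reown_tree 501 2101 / dry` first to see which paths outside the home folder the old UID still owns before letting it change anything; the function refuses non-numeric UIDs and does nothing when old and new are equal, which is the case sfgcasper's warning does not apply to.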

tcandela
Valued Contributor II

@sfgcasper thanks for the heads up, so far so good.