Converting local account to an AD mobile account

RickDalton
New Contributor III

I'm trying to find the most effective way to migrate a local user account and data to an existing Active Directory account (macOS 10.13.4). I have an employee that has been using a local account for some time and now is required to use an AD account (which is already a user on the machine). How can I migrate the account and the data?


seann
Contributor

Assuming the home folder has the same shortname as the AD account, you can remove (but not delete) the account from sys prefs. Then chown -R the folder using the group "YourDomainNameDomain Users". Then have the user log in again and it should ask if you want to use the existing folder.

Obviously make a copy of any important data prior to doing this!

pchen_plaid
New Contributor II

Assuming the user directory is the same for both local/LDAP accounts

# remove the local user record only; the home folder under /Users is left in place
sudo dscl . delete /Users/"${username}"
# hand the existing home folder to the AD user and its domain group
sudo chown -R "${username}":"${domain_group_name}" /Users/"${username}"

Then have the end user log in with their LDAP creds.

RickDalton
New Contributor III

Three things:
1. What if the home folder shortname doesn't match the AD account?
2. My local account for users (not localadmin) is unable to be removed, it's greyed out. How do I remove this account?
3. Additionally, can you provide more detailed instructions on how to use the chown -R command?

DBrowning
Valued Contributor II

Sounds like you have FV enabled. I would do the following:

1) Create a tmp FV enabled user ($USERNAME and $PASSWORD are the local account that is already FV Enabled)

FVtmpUserPASSWORD="PutInAPassWordHere"
FVtmpUser="fvtmpuser"
/usr/sbin/sysadminctl -adminUser $USERNAME -adminPassword $PASSWORD -addUser $FVtmpUser -fullName $FVtmpUser -password $FVtmpUserPASSWORD -UID 456 -home /private/tmp/$FVtmpUser

2) delete user without deleting home dir

/usr/sbin/sysadminctl -adminUser $FVtmpUser -adminPassword $FVtmpUserPASSWORD -deleteUser $USERNAME -keepHome

3) Rename home dir to AD username
4) Change ownership of the home dir to the AD username:

sudo chown -R adusername /Users/adusername

5) be hardwired and login as the ADUser
6) Add new ADUser to FV Enabled Users

/usr/sbin/sysadminctl -adminUser $FVtmpUser -adminPassword $FVtmpUserPASSWORD -secureTokenOn $ADUsername -password -

7) delete tmp account

/usr/sbin/sysadminctl -adminUser $ADUsername -adminPassword $ADUserPASSWORD -deleteUser $FVtmpUser

This is assuming you already have the computer joined to the domain.
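The steps above (and the dscl/chown variant earlier in the thread) as one script with preflight checks and a dry-run mode. This is an added example, not DBrowning's or anyone else's code from the thread; the function names, the DRY_RUN variable and the /Users default are assumptions, and it relies on sysadminctl's "-" to prompt for passwords rather than passing them on the command line.

```bash
#!/bin/bash
# Added example: wraps the thread's steps (delete the local record with -keepHome,
# rename the home folder, chown it to the AD user, grant a SecureToken) with checks.
set -eu

# Print the command when DRY_RUN=1 (the default), otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Refuse to proceed unless both shortnames are sane, they differ, the local home
# exists and the target home does not, so nothing gets clobbered or chowned by mistake.
preflight() {
  local_user=$1; ad_user=$2; home_root=${3:-/Users}
  for n in "$local_user" "$ad_user"; do
    case "$n" in ''|*[!A-Za-z0-9._-]*) echo "bad shortname: '$n'" >&2; return 1;; esac
  done
  [ "$local_user" != "$ad_user" ] || { echo "names identical: nothing to rename" >&2; return 1; }
  [ -d "$home_root/$local_user" ] || { echo "missing home $home_root/$local_user" >&2; return 1; }
  [ ! -e "$home_root/$ad_user" ] || { echo "target home $home_root/$ad_user exists" >&2; return 1; }
}

# usage: migrate_local_to_ad <local shortname> <AD shortname> <AD group> <token-holding admin> [home root]
migrate_local_to_ad() {
  local_user=$1; ad_user=$2; ad_group=$3; admin=$4; home_root=${5:-/Users}
  preflight "$local_user" "$ad_user" "$home_root" || return 1
  # 1. remove the local record but keep its home folder (admin password is prompted for)
  run sysadminctl -adminUser "$admin" -adminPassword - -deleteUser "$local_user" -keepHome
  # 2. rename the home folder to the AD shortname
  run mv "$home_root/$local_user" "$home_root/$ad_user"
  # 3. hand ownership to the AD user and its domain group (quoting keeps "DOMAIN\Domain Users" intact)
  run chown -R "$ad_user:$ad_group" "$home_root/$ad_user"
  # 4. FileVault: grant the AD user a SecureToken from an admin that already holds one
  run sysadminctl -adminUser "$admin" -adminPassword - -secureTokenOn "$ad_user" -password -
}
```

Run with DRY_RUN=1 first and read the printed commands; only set DRY_RUN=0 once the Mac is bound and a copy of the home folder exists.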

tyra_robertson
New Contributor II

We are having great luck with this script: https://github.com/rtrouton/rtrouton_scripts/blob/master/rtrouton_scripts/migrate_local_user_to_AD_d...

We have our techs logging in to the admin account and running a policy trigger in the command line. It checks if the machine is bound, communicating with domain controllers, etc. No need to migrate data with this.

Hope it works for you, good luck!

seann
Contributor

@pz205m Rename the home folder and chown to the new name. FYI use the man command from terminal to get help. Also if you aren't familiar with this already then I would recommend not mucking around with it.

sbirdsley
Contributor

Have you looked at this before? I have been using it for quite some time in my environment and it seems to work well to convert a local account to an AD/Mobile user. The only issue is sometimes keychain sync issues, for which I just delete/recreate the ~/Library/Keychains folder.

Script can be found here

juliusr
New Contributor II

Does this still work in Catalina?

juliusr
New Contributor II

For Microsoft Active Directory this should be sudo chown -R UserID:Group
The User ID and Group can be found in System Preferences > Users & Groups, under the advanced options for the Active Directory account you are trying to convert. You may need to log on to a domain-joined Mac to get this.

AVmcclint
Honored Contributor

The problem I'm experiencing at my new job is that there are a lot of user accounts that are authenticating through AD but they are just creating local accounts. I need to find a way to convert them to AD accounts. Using a laptop I was given, I used a throwaway account for testing and I saw that it was authenticating using AD credentials but was only a local account, as verified by the UID of 508. This account was one of a handful of local IDs with UIDs between 501 and 510. I deleted the account from System Preferences as well as the home folder. dscl showed no sign of that account (as far as I could tell). I then made sure the Directory Utility app was configured properly to use Mobile Accounts instead. I rebooted, and logged in as the throwaway account. When I got logged in I went to System Preferences and saw that the UID was still exactly the same as before: 508. I know a proper AD UID would be a much longer number. Somehow the Mac is still remembering the old username and UID. How do I make the computer completely forget about the old info and force it to use the AD account info so it can create a proper Mobile Account? If I log in as an AD account that has never existed on this computer before then it is created properly as a Mobile Account. The problem only happens with accounts that have already existed on a particular Mac. I've seen this in the past before but it was something I had time and resources to just wipe & reinstall to fix. Now it's become an actual problem with Mojave and Catalina since I no longer have the time and resources needed to wipe and reinstall.

ddees
New Contributor

AVmcclint, I ran into this the other day with Catalina. It was still doing this even after removing the AD binding and then rebinding. What I realized though was that if you delete the user, do the AD unbind/rebind and then restart the Mac. At that point I was able to map the AD user to the old folder as the owner since even going through and manually adding it through the get info window was still showing the old user otherwise. I then logged in with the said AD account and was able to go on about business as usual since it then tied the AD account correctly to the AD UID instead of a local.