How to offline add a domain user to a mac

New Contributor III

I'm working through some remote support issues for macs, and stuck on this one. Mac is remote, and has to use a VPN to connect to the domain. Normally, after the machine joins the domain (no problem - I connect with the VPN and join) I log off as the local user then login as the domain user. Then I create a mobile account and all's well.

However, because the connection to the VPN drops once the local user is logged out, you can not login as a domain user because it can't look it up on the domain.

With Windows, we get around this issue by using "Change User" which doesn't actually log off the local user and doesn't break the VPN connection to the domain. I don't see how to accomplish this on a Mac, and because we support remote users with Macs, we need to be able to set them up on the domain.

One thing I tried was to create a local account using the domain ID/password, then login with it, connect to the VPN/domain, then tick "mobile account" but for that type of account it does not give a mobile option.

I also tried turning on Fast Switching (users) and selecting 'other user' and trying to log in then, but it won't allow it - apparently that breaks the VPN connection too (or perhaps Fast Switching requires an established account).

Thoughts? We just us OS Catalina


Contributor II

Would it not work to run the Equivalent to "GPupdate /Force" on a Win Machine - which would be "mcxrefresh"

Since the Domain User is known in the Active Directory but not yet on the Client Computer?!

Because it was noted, that a VPN Connection is being used - updating the approved, known Users should make this work, no?

New Contributor III

@bcbackes My bad, I forgot to state that we also do not share user information. The Mac is shipped to the user with a one time use standard account. They login connect to VPN and add their AD account to Mac.


@efil4xiN So, do you have some script that runs to remove that "one time use standard account"? Or, are you saying you are creating a local account with their username, and a dummy password. Then, there's a script to convert it from a local account to a mobile account and then they are prompted to sync their password with AD?

Curious on your workflow. I'm looking into moving to Jamf Cloud. I think once I'm there, then, this will all be a mute point for me. Thanks!

New Contributor

Has anyone ever use the Mac Built-in VPN (VPN Cisco IPSec). Setup Authentication Settings with your ASA Firewall "Share Secret" and Group Name if setup, add Server Address, account Name. I have been using it join computer to domain before installing JAMF while logged on as local admin account. After enrolling to JAMF and installed all our Standard Apps log back in as local admin connect to the Built-in VPN > Logout (using this VPN IPsec stays connected to VPN Network) > Log in to user's domain account.

New Contributor III

I can't get this working under Big Sur now. Anyone else? Just stalls out and never launches the dialog. Jamf doesn't even show the policy has having been run.

UPDATE: User error, had old password hardcoded into script. 🙂


@strayer liked it as expected this command long time finally found it thanks once again.

i can see one thing if mobile user/AD user logged in after a month user AD account password was changed but still, the machine working with old password is there any chance to check every login and do a reminder to change the password as like?

can help for the script development.

New Contributor III

I accomplished this by logging in to a mac, activating the VPN connection, and enabling fast user switching and was able to put my account on a machine offsite. This was on an Apple Silicon, Big Sur Macbook Pro.

New Contributor III

Hi All,
We had to update the script because techs were having issues( I adopted it from the previous admin). I took what we could and made a few updates:

sudo -H -u $ADuser touch /Users/$ADuser/Documents/image.txt
sudo -H -u $ADuser echo "This Mac was Filevaulted on $DATE" > /Users/$ADuser/Documents/image.txt

sudo -H will run as the user in the user's workspace, so just a check to make sure the creds are cached ( and you get a file you could query later)

/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin

This will lock the standard account used to login and setup the user AD account on reboot

This now working 100%.

Valued Contributor II

Thank you all for posting this, it's amazing. It did create the account, but does not seem to have generated the secure token as expected so the new account can't log in from the FV screen

% sudo sysadminctl -secureTokenStatus <redacted>
2021-05-21 15:06:02.632 sysadminctl[655:6512] Secure token is DISABLED for user <redacted>

New Contributor III


The account enabling Filevault must be a secureToken holder