How to offline add a domain user to a mac

tjosey
New Contributor III

I'm working through some remote support issues for Macs, and stuck on this one. The Mac is remote, and has to use a VPN to connect to the domain. Normally, after the machine joins the domain (no problem - I connect with the VPN and join) I log off as the local user, then log in as the domain user. Then I create a mobile account and all's well.

However, because the connection to the VPN drops once the local user is logged out, you cannot log in as a domain user because the Mac can't look it up on the domain.

With Windows, we get around this issue by using "Change User" which doesn't actually log off the local user and doesn't break the VPN connection to the domain. I don't see how to accomplish this on a Mac, and because we support remote users with Macs, we need to be able to set them up on the domain.

One thing I tried was to create a local account using the domain ID/password, then login with it, connect to the VPN/domain, then tick "mobile account" but for that type of account it does not give a mobile option.

I also tried turning on Fast Switching (users) and selecting 'other user' and trying to log in then, but it won't allow it - apparently that breaks the VPN connection too (or perhaps Fast Switching requires an established account).

Thoughts? We just use macOS Catalina.

53 REPLIES

bcbackes
Contributor III

@efil4xiN What I don't understand is: if you have the AD user's credentials already, you can log in as that user and create their account right then and there. In my company, we are not permitted to share credentials, so this poses a problem for me. I was hoping the script somehow queried AD and pulled the user's password in automatically, but that doesn't seem to be the case here. Or I'm missing something....

H3144-IT
Contributor II

Would it not work to run the equivalent of "GPupdate /Force" on a Windows machine, which would be "mcxrefresh"?

https://www.jamf.com/jamf-nation/discussions/9352/ot-mac-equivalent-of-gpoupdate-force

Since the domain user is known in Active Directory but not yet on the client computer?!

Because it was noted that a VPN connection is being used, updating the approved, known users should make this work, no?

efil4xiN
Contributor II

@bcbackes My bad, I forgot to state that we also do not share user information. The Mac is shipped to the user with a one-time-use standard account. They log in, connect to the VPN and add their AD account to the Mac.

bcbackes
Contributor III

@efil4xiN So, do you have some script that runs to remove that "one-time-use standard account"? Or are you saying you are creating a local account with their username and a dummy password, and then there's a script to convert it from a local account to a mobile account and they are prompted to sync their password with AD?

Curious on your workflow. I'm looking into moving to Jamf Cloud. I think once I'm there, this will all be a moot point for me. Thanks!

njavier
New Contributor

Has anyone ever used the Mac built-in VPN (Cisco IPSec)? Set up Authentication Settings with your ASA firewall "Shared Secret" and Group Name if set up, and add the Server Address and Account Name. I have been using it to join computers to the domain before installing Jamf while logged on as the local admin account. After enrolling in Jamf and installing all our standard apps, log back in as local admin, connect to the built-in VPN > Log out (using this IPsec VPN, the Mac stays connected to the VPN network) > Log in to the user's domain account.

markopolo
Contributor

I can't get this working under Big Sur now. Anyone else? It just stalls out and never launches the dialog. Jamf doesn't even show the policy as having been run.

UPDATE: User error, had old password hardcoded into script. :)

mani2care
Contributor

@strayer Liked it; it worked as expected. I had been looking for this command for a long time and finally found it. Thanks once again.

One thing I can see: if a mobile/AD user logs in after a month and the user's AD account password was changed in the meantime, the machine still works with the old password. Is there any chance to check at every login and show a reminder to change the password?

Can anyone help with the script development?

jaugust
New Contributor III

I accomplished this by logging in to a Mac, activating the VPN connection, and enabling Fast User Switching, and was able to put my account on a machine offsite. This was on an Apple Silicon, Big Sur MacBook Pro.

efil4xiN
Contributor II

Hi All,
We had to update the script because techs were having issues (I adopted it from the previous admin). I took what we could and made a few updates:

sudo -H -u "$ADuser" touch "/Users/$ADuser/Documents/image.txt"
# the redirection must also run as the user; with a bare ">" the calling (root) shell opens the file, not $ADuser
echo "This Mac was Filevaulted on $DATE" | sudo -H -u "$ADuser" tee "/Users/$ADuser/Documents/image.txt" > /dev/null

sudo -H will run as the user in the user's workspace, so it's just a check to make sure the creds are cached (and you get a file you could query later).

/usr/bin/dscl . -change /Users/onetimeuselocaluseraccountnamehere UserShell /bin/zsh /sbin/nologin

This will lock the standard account used to log in and set up the user's AD account on reboot.

This is now working 100%.

jwojda
Valued Contributor II

Thank you all for posting this, it's amazing. It did create the account, but does not seem to have generated the secure token as expected so the new account can't log in from the FV screen

% sudo sysadminctl -secureTokenStatus <redacted>
Password:
2021-05-21 15:06:02.632 sysadminctl[655:6512] Secure token is DISABLED for user <redacted>

efil4xiN
Contributor II

@jwojda

The account enabling Filevault must be a secureToken holder

Jason33
Contributor III

Wow, this thread helped me out in a MAJOR way. Kudos to everyone involved.

SwissArmyKit
New Contributor

Hello, Hope I might get an answer to this older thread. I've followed the steps above and found success a few months ago, however - I now am running into an issue I can't seem to get around. I'm getting an error when trying to create the mobile account. I'll share the steps I am doing to make this possible. 

 

1. Setup & Connect to VPN

2. Set DNS to company IP and domain

3. Bind to the company domain through Users & Groups

4. Open Terminal and run the script below and get the following error.

For the admin username/password and the 'user to add' username/password, I enter each in its own quotes due to special characters. Yes, I do not include the '$' in the command either.

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a "$adminUser" -U "$adminPass" -n "$userToAdd" -p "$userPass"

I then get prompted with the below and enter a quotation mark

dquote> "

I then get prompted for the admin password and enter that. Afterwards, I get the message below.

*** error: "-n username" is a required argument

usage: createmobileaccount -n username [-h homepath] [-P | [-p password]] [[[-a username] [-U password]] | [-D]] [-v] [-V]
-n username : user record name.
-h homepath : user home path; Default is "/Users/<username>".
-p password : user password.
-P : prompt for user password.
-a username : opt SecureToken enabled admin user name.
-U password : opt SecureToken enabled admin user password.
-D : don't prompt for SecureToken enabled admin information.
-v : verbose output.
-V : version.

Examples:
createmobileaccount -n jsmith
createmobileaccount -v -P -n jsmith
createmobileaccount -vxn jsmith -h /Volumes/HD3/jhome

Notes:
- createmobileaccount must run as root.
- If you do not specify a password, the account's cached password will be created during the account's first log in.
- On encrypted APFS volumes, an existing admin SecureToken user name and password is required in order for this account to be used at the EFI login window.
- External accounts are no longer supported as of 10.15.
- The old FileVault encrypted home directory mechanism (using -e) no longer works in 10.13 or later (but was only removed here in 10.15).

 

I've also tried the command without specifying the user password (-p) and also tried putting the 'user to add' credentials in front of the admin credentials.

Any advice would be greatly appreciated.

Also, update your DNS information to communicate with the respective DC.

System Preferences >> Network >> Select the network connection, e.g. Wi-Fi >> Advanced >> DNS >> Under Search Domains add your DNS entries. This should work for you.
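The pieces discussed in the thread (jwojda's SecureToken check, efil4xiN's reply that the -a/-U admin must be a SecureToken holder, the createmobileaccount usage text pasted by SwissArmyKit, and the dscl lock of the one-time account) fit together into one script. The following is an added example written for this page, not a script from any poster or from Jamf; it assumes bash, that the one-time local account is called setupuser, and that the admin password has to be passed with -U (the usage text shows -P for the new user's password but no prompt option for the admin password). The sample sysadminctl lines in the test are constructed from the format jwojda pasted.

```bash
#!/bin/bash
# Added example (not from the thread). Creates an AD mobile account with a
# SecureToken-holding admin so it can unlock FileVault, keeps passwords out of
# shell quoting (the cause of the dquote> prompt above), and then locks the
# one-time setup account. Assumed: bash, setupuser as the one-time account.

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
ONE_TIME_USER=${ONE_TIME_USER:-setupuser}   # assumed name of the one-time local account

# Classify one line of `sysadminctl -secureTokenStatus <user>` output.
# Returns 0 = ENABLED, 1 = DISABLED, 2 = unrecognised line.
token_state_from_line() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  return 0 ;;
        *"Secure token is DISABLED for user"*) return 1 ;;
        *)                                     return 2 ;;
    esac
}

# Live check (macOS only); sysadminctl writes its status line to stderr.
secure_token_enabled() {
    local out
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1)
    token_state_from_line "$out"
}

# Argument list for createmobileaccount, one per line, containing no secrets:
# -P makes the tool prompt for the new user's password itself, so the password
# never passes through the shell and cannot unbalance a quote.
cma_args() {
    printf '%s\n' "$CMA" -n "$1" -P -a "$2" -v
}

# Replace the one-time account's login shell so it can no longer open a
# session (dscl . -change <path> <key> <old> <new>, as in efil4xiN's post).
lock_one_time_account() {
    sudo dscl . -change "/Users/$1" UserShell /bin/zsh /sbin/nologin
}

# Usage: create_mobile_account <ad_user> <token_holding_admin>
create_mobile_account() {
    local ad_user=$1 admin_user=$2 admin_pass

    if [ ! -x "$CMA" ]; then
        echo "createmobileaccount not found; dry run of the argv:" >&2
        cma_args "$ad_user" "$admin_user"
        return 0
    fi

    # Refuse early: without a SecureToken holder in -a/-U the account is
    # created but cannot log in at the FileVault screen (jwojda's symptom).
    if ! secure_token_enabled "$admin_user"; then
        echo "refusing: $admin_user does not hold a SecureToken" >&2
        return 1
    fi

    # Read the admin password into a variable and pass it as its own argv
    # element; the shell never interprets $, quotes or spaces inside it.
    printf 'Password for %s: ' "$admin_user" >&2
    read -rs admin_pass; echo >&2
    sudo "$CMA" -n "$ad_user" -P -a "$admin_user" -U "$admin_pass" -v || return 1
    unset admin_pass

    # Confirm the new mobile account received a token before locking the setup account.
    if ! secure_token_enabled "$ad_user"; then
        echo "warning: $ad_user still has no SecureToken; not locking $ONE_TIME_USER" >&2
        return 1
    fi
    lock_one_time_account "$ONE_TIME_USER"
}
```

Run it on the bound Mac while the VPN is up, e.g. `create_mobile_account jsmith localadmin`. The one remaining exposure is that -U still puts the admin password on the createmobileaccount command line, where `ps` can read it for the life of that process; the usage text on this page offers no prompt for the admin password, so wiping the variable afterwards is as far as this approach goes.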