Posted on 11-21-2013 10:55 AM
This isn't a JSS/JAMF issue, but thought I would throw this out there to see if I can get some help with an issue we have.
Our Active Directory policy I set up in the JSS to bind our systems to Active Directory does have “Create mobile account at login” checked, so that when we hand off the user's new system they log in with their domain login and would be able to change their domain password in System Preferences, and also have the ability to be notified that their password is about to change.
I recently found out that a member of the hardware team who hands off a user's new Mac has been creating their domain account locally and also creating a local password. The users are then instructed to change the local password to match their domain password. The issue I am finding now is that when the user needs to change their domain password, it does not sync to Active Directory, causing the user to have to use two passwords and not get the password expiry notifications.
Anyone happen to know how to fix this without deleting their local account? I am aware that the account can be deleted while keeping the home folder, but I was hoping to find a way to just make the password sync.
Solved!
Posted on 11-21-2013 11:34 AM
You want to delete their local account. Anything else will be a less-than-ideal workaround.
Posted on 11-21-2013 12:32 PM
To follow along with the general chorus, you'll want to migrate that account to a mobile AD account. I've got a script that helps migrate a local user to an AD user, available here:
Posted on 11-21-2013 11:44 AM
You may be able to try something tricky with
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
BUT AlexDale is correct, the best way is to remove the user, leaving the home folder intact, and have the user log in as a mobile account and re-claim the home folder.
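An added example of the step recommended above, not code from the thread or from any poster: it checks via `dscl` whether the account really is a plain local account (a mobile AD account carries an `OriginalNodeName` and a `LocalCachedUser` authentication authority) and only then removes the directory record, leaving the home folder in /Users in place. Assumed: macOS, run as an admin, the user name passed as the first argument; the two sample records are constructed.

```shell
#!/bin/sh
# Pre-check and record removal for migrating a local account to an AD mobile
# account. Example written for this thread, not the project's or poster's code.

# Classify a `dscl . -read /Users/<name>` record as "mobile", "local" or "unknown".
# Mobile accounts have OriginalNodeName and a ;LocalCachedUser; authority;
# a plain local account only has the ;ShadowHash; authority.
classify_record() {
    record="$1"
    case "$record" in
        *OriginalNodeName:*|*';LocalCachedUser;'*) echo "mobile" ;;
        *'AuthenticationAuthority:'*';ShadowHash;'*) echo "local" ;;
        *) echo "unknown" ;;
    esac
}

# Remove only the directory record of a plain local account. The home folder
# stays in /Users so the new mobile account can re-claim it at first login.
remove_local_record() {
    user="$1"
    record="$(dscl . -read "/Users/$user" 2>/dev/null)" || {
        echo "no such user record: $user" >&2; return 1; }
    kind="$(classify_record "$record")"
    if [ "$kind" != "local" ]; then
        echo "$user is $kind, not a plain local account; nothing done" >&2
        return 1
    fi
    dscl . -delete "/Users/$user"
    echo "removed record for $user; /Users/$user left in place"
}

# Constructed sample records (assumed domain EXAMPLE, user jdoe) for a dry demo.
LOCAL_SAMPLE="RecordName: jdoe
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
NFSHomeDirectory: /Users/jdoe"
MOBILE_SAMPLE="RecordName: jdoe
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:S-1-5-21-0-0-0-1000
OriginalNodeName: /Active Directory/EXAMPLE/example.com"

echo "sample local record  -> $(classify_record "$LOCAL_SAMPLE")"
echo "sample mobile record -> $(classify_record "$MOBILE_SAMPLE")"

# Live run only when a user name is given: sh migrate_check.sh jdoe
if [ -n "${1:-}" ]; then
    remove_local_record "$1"
fi
```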
Posted on 11-21-2013 11:59 AM
Agreed. Although it might be possible to finagle or fool the system into believing the old local account is actually a domain account, I seriously wouldn't do it. You are bound to have odd issues from anything other than doing it the right way.
Posted on 11-21-2013 01:08 PM
Thanks guys! I really appreciate the feedback! rtrouton, thanks! Worked like a charm!