Local user account and domain account have the same name.... Can't log on with domain account

Bernard_Huang
Contributor III

Hi all,

A bit of a weird one.

Here's the scenario:
- A user creates a local account within Macbook. Let's say the name is "John"
- We have now domain joined this Macbook so users can log on with the AD account
- When this person, whose domain account name is John, tries to log onto the Macbook, it does not create a new profile. Instead, it thinks it's already found "John" locally, and therefore does not create the domain account within the Macbook.

Hope the above case makes sense. Can anyone think of a way to log on with the domain account without deleting the existing local account?


mikeh
Contributor II

Here's a question for you: when "John" logs into the machine, which account password works? The local account or domain account?

At any rate, I'm suspecting that only John's local account password works, not the domain account. I believe that local accounts are matched first, and then domain accounts. You might be able to edit the search order in the Directory Utility application, but don't quote me on that.

You can try asking the user to specify the domain as part of his login name: domain\john, john@domain, etc. This might not be ideal for the user, but at least you can verify that the domain account actually works. Assuming there's no problem with the user's home directory because there is a "john" account in multiple domains, that is!

mm2270
Legendary Contributor III

Yes, this makes sense. The way logins work is that the Mac will always default to the local node for an account login, then to external domains, like AD. If you have an account with the same name, there isn't a way for the OS to know by simply typing in "John" in the username field that you mean "John from AD" not "John in the local node". Since it found "John" in the /Local/Default node, it logs in to that account.

Off the top of my head, I can't really think of a way to fool the OS into logging in with an AD account if they are named the same. You're probably going to have to rename the local account to something else I think. Maybe someone else has a better idea though.

Bernard_Huang
Contributor III

Thank you @mikeh & @mm2270

Yes, it's only allowing me to log in with the local account's password. When trying the domain account password, it gets rejected. hmmmm.... My task is to migrate everyone off their local account and onto their domain account. This is going to be a blocker.

Thanks again :)

mm2270
Legendary Contributor III

@Bernard.Huang It's possible to do what you're looking for, but you're likely going to have to script something, and maybe even make use of a one time LaunchDaemon.
The solution to this issue is that the local account needs to be deleted from the local domain (the home folder will not be touched) and then the AD account needs to be created using the createmobileaccount binary. When accounts are created with that binary they come from Active Directory, so they understand they are paired up with a directory account, not from the local node.
You can, in a script, pair up the user's existing home directory with their AD cached mobile account and when they log in that same home folder will get used.

If you need some guidance on how you might accomplish all this, post back and I can see about putting together a framework for this.
You could also do some searches on migrating from local to domain accounts here as I'm almost certain there are a couple of existing threads that talk about the process. One of them may give you the start you need.

jason_bracy
Contributor III

So this is a fairly easy fix. Here are the steps:

  1. Log in with a local admin account
  2. Go to "System Preferences --> Users and Groups"
  3. Delete your account, but select the option to leave the home folder
  4. In the Finder go to /Users/ and change the name of the deleted user folder from "user (Deleted)" to "user"
  5. In the terminal enter the following command:
  6. sudo chown -R user:"Domain Users" /Users/user/
  7. Log out and log in as user with your domain password
  8. You will need to sync your keychain password or delete the keychain
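One way to script the two approaches above (mm2270's delete-the-local-record-then-createmobileaccount route and jason_bracy's chown step), as an added example that is not code from the thread or from any of its posters. It assumes an AD-bound Mac, that createmobileaccount lives at the ManagedClient.app path below, and that its -n (short name) and -h (home path) flags are as I remember them; confirm with `createmobileaccount -help` before running it for real. Because the command ends in a `chown -R` and an `rm`-class record deletion keyed on a username, the script validates the short name first so a value like `jwick/../root` can never reach those commands. It prints the commands it would run unless DRY_RUN=0.

```shell
#!/bin/bash
# Added example, not from the thread: migrate a local account to a same-named
# AD mobile account while keeping its home folder. Assumes an AD-bound Mac and
# that createmobileaccount sits at the path below (the -n and -h flags used
# here are from memory; check -help). DRY_RUN=1 (default) only prints commands.

DRY_RUN="${DRY_RUN:-1}"
CMA="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"

# Print the command instead of running it unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a plain short name: letters, digits, dot, underscore, hyphen,
# not starting with '-' or '.', so it can never become a path or a flag.
valid_shortname() {
    case "$1" in
        '' | -* | .*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# owner:group spec for the chown step; the group name contains a space, so the
# caller must keep the result in one quoted argument.
chown_spec() {
    printf '%s:Domain Users' "$1"
}

# True if NAME appears in a `dscl . -list /Users` listing read from stdin.
# Taking the listing on stdin lets this be exercised without dscl installed.
in_local_node() {
    grep -qxF -- "$1"
}

# Usage on the Mac: dscl . -list /Users | DRY_RUN=0 migrate_user jwick
# Returns 2 for a bad short name, 3 if the name is not a local record.
migrate_user() {
    local user="$1" home
    valid_shortname "$user" || { echo "refusing short name '$user'" >&2; return 2; }
    home="/Users/$user"
    if ! in_local_node "$user"; then
        echo "$user is not in the local node; nothing to migrate" >&2
        return 3
    fi
    [ -d "$home" ] || echo "warning: $home does not exist" >&2

    # 1. Remove only the directory record. dscl never touches /Users/$user, so
    #    there is no "user (Deleted)" folder to rename as with System Preferences.
    run dscl . -delete "/Users/$user"

    # 2. Recreate the user as a mobile account sourced from AD, pointed at the
    #    existing home. It now carries the AD-derived UID, not the old local UID.
    run "$CMA" -n "$user" -h "$home"

    # 3. The home is still owned by the old local UID; hand it to the new identity.
    #    "Domain Users" only resolves while the Mac can reach the domain.
    run chown -R "$(chown_spec "$user")" "$home"

    # 4. The login keychain is still locked with the old local password.
    echo "$user: update or delete ~/Library/Keychains/login.keychain-db at next login" >&2
}
```

Run it once with the default DRY_RUN=1 and read the printed commands before switching to DRY_RUN=0; the chown in particular recurses over the whole home folder, keychains included, which is why the keychain step at the end of jason_bracy's list still applies.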

FlameCoder
New Contributor

Will this work on macOS 12.5 with an Intel-based chipset?

Can you better explain step 6 using, say, a domain user jwick?

Would it be: sudo chown -R jwick."Domain Users" /Users/user/