Help

Migrating from 2 Domains to 1 Need script help

Go to solution
GabeShack
Valued Contributor II

Posted on β€Ž07-11-2016 07:25 AM

Hi all,
So we are currently moving from 2 domains to one, where each had different username.

What I'm looking to do is script the move so it renames the existing user folder to what the new login will be.

So Essentially, Unbind from old domain, delete the dscl record, (keep mobile user folder)
rebind to new domain, then prompt user for the new username (this will be techs running the migrate)
use the new username to rename the users old folder, then apply the correct permissions to that folder using the new username. then probably a restart im guessing.

Been playing with a script from @stevewood that has some things that will work. But just need the rename piece and the prompt for new user name

#!/bin/sh

# Name:  moveDomains.sh
# Date:  28 May 2014 v1.0
# Updated: 18 Jun 2014 v1.1
# Author:  Steve Wood (swood@integer.com)
# Purpose:  used to move users from one AD domain to a new one, or from OD to AD
# Updates:  v1.1 - set GroupID to static
#   - v1.1 - including message to users using jamfhelper
#           - adding code to check for domain membership
# Prequisites:  You'll need a policy in your JSS 

# Globals & Logging 
LOGPATH='<WHERE YOU STORE LOGS>'  # change this line to point to your local logging directory
if [[ ! -d "$LOGPATH" ]]; then
    mkdir $LOGPATH
fi
set -xv; exec 1> $LOGPATH/movedomainslog.txt 2>&1  # you can name the log file what you want
version=1.1
oldAD='*****.internal'
currentAD=`dsconfigad -show | grep -i "active directory domain" | awk '{ print $5 }'`

# let the user know what we are doing

banner=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Moving Domains" -heading "Moving Domains Header" -description "We are moving your user account to the new authentication domain.  When we are completed, and your computer restarts, you will be able to login to your computer with your new domain credentials." -button1 "Proceed" -button2 "Not Now" -defaultButton 1 -cancelButton 2 -timeout 60 -countdown` 

if [[ $banner == "2" ]]; then

    echo "User canceled the move."
    exit 1

fi

# Grab current user name
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

##### if you do not have OD deployed you can remove the follwing lines
# unbind from LDAP
# sinc there is no easy way to determine if bound to OD, we will just run against our OD for good measure

dsconfigldap -r *****.internal
#####

# unbind from AD
# check to see if we are bound to our current AD or not.  If not we can skip this

if [[ "$currentAD" = "$oldAD" ]]; then

    # remove the config for our old AD
    # you need a user in your AD that has the rights to remove computers from the domain

    dsconfigad -remove $oldAD -user <******> -pass <*******>   

fi

# remove the local user from the machine so we get the proper UID assigned in dscl
dscl . delete /Users/$loggedInUser

# bind to new AD
# using a JAMF policy to bind to the new AD

jamf policy -id **** # can also use a custom trigger for the policy

# reset permissions
### some of the code below is courtesy of Ben Toms (@macmule)

###
# Get the Active Directory Node Name
###
adNodeName=`dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users groups Numeric ID
###

domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain Users | grep PrimaryGroupID | awk '{ print $2}'`

accountUniqueID=`dscl "$adNodeName" -read /Users/$loggedInUser 2>/dev/null | grep UniqueID | awk '{ print $2}'`


chown -R $accountUniqueID:$domainUsersPrimaryGroupID /Users/$loggedInUser

# restart the computer when done
# to make sure everything is working properly we will restart

shutdown -r now

:

Gabe Shackney
Princeton Public Schools
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
stevewood
Honored Contributor II

Posted on β€Ž07-11-2016 08:58 AM

@gshackney I would use CocoaDialog to ask the tech for the new user name during the process. You can also use AppleScript to ask for the user name, and there are plenty of examples here on JAMF Nation of that method.

Once you have the new user name, you can use the mv command to move the home folder to the new name. I cobbled the below together and assumed the default path of /Users/<userfolder>. To be more correct, you should probably use dscl to locate the home folder path of the logged in user BEFORE removing from dscl, and then use that to move the home folder.

Once moved, you change the permissions.

Here is what I came up with. You'll see the two sections of code #### Get NEW user name and ##### Change the name of the home folder. I also changed the variable being called in the accountUniqueID and the actual chown call. Oh, and I also added back in the CD variable for the location of cocoaDialog.

I DID NOT test this, so TEST, TEST, TEST, and TEST some more:

#!/bin/sh

# Name:  moveDomains.sh
# Date:  28 May 2014 v1.0
# Updated: 18 Jun 2014 v1.1
# Author:  Steve Wood (swood@integer.com)
# Purpose:  used to move users from one AD domain to a new one, or from OD to AD
# Updates:  v1.1 - set GroupID to static
#   - v1.1 - including message to users using jamfhelper
#           - adding code to check for domain membership
# Prequisites:  You'll need a policy in your JSS 

# Globals & Logging 
LOGPATH='<WHERE YOU STORE LOGS>'  # change this line to point to your local logging directory
if [[ ! -d "$LOGPATH" ]]; then
    mkdir $LOGPATH
fi
set -xv; exec 1> $LOGPATH/movedomainslog.txt 2>&1  # you can name the log file what you want
version=1.1
oldAD='*****.internal'
currentAD=`dsconfigad -show | grep -i "active directory domain" | awk '{ print $5 }'`
CD="/private/var/inte/bin/cocoaDialog.app/Contents/MacOS/cocoaDialog"  ####  set this to the location of cocoaDialog on your systems


# let the user know what we are doing

banner=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Moving Domains" -heading "Moving Domains Header" -description "We are moving your user account to the new authentication domain.  When we are completed, and your computer restarts, you will be able to login to your computer with your new domain credentials." -button1 "Proceed" -button2 "Not Now" -defaultButton 1 -cancelButton 2 -timeout 60 -countdown` 

if [[ $banner == "2" ]]; then

    echo "User canceled the move."
    exit 1

fi

# Grab current user name
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

##### if you do not have OD deployed you can remove the follwing lines
# unbind from LDAP
# sinc there is no easy way to determine if bound to OD, we will just run against our OD for good measure

dsconfigldap -r *****.internal
#####

# unbind from AD
# check to see if we are bound to our current AD or not.  If not we can skip this

if [[ "$currentAD" = "$oldAD" ]]; then

    # remove the config for our old AD
    # you need a user in your AD that has the rights to remove computers from the domain

    dsconfigad -remove $oldAD -user <******> -pass <*******>   

fi

# remove the local user from the machine so we get the proper UID assigned in dscl
dscl . delete /Users/$loggedInUser

# bind to new AD
# using a JAMF policy to bind to the new AD

jamf policy -id **** # can also use a custom trigger for the policy

#### Get NEW user name
#### Use CocoaDialog to ask the tech to enter the new user name for the end user.
newUserName=`$CD standard-inputbox --informative-text "Please enter the new user name:" --float`
### CocoaDialog adds a numerical value at the begining of the result. Using awk to strip
newUserName=`echo $newUserName | awk '{ print $2 }'`

##### Change the name of the home folder
mv /Users/$loggedInUser /Users/$newUserName

# reset permissions
### some of the code below is courtesy of Ben Toms (@macmule)

###
# Get the Active Directory Node Name
###
adNodeName=`dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users groups Numeric ID
###

domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain Users | grep PrimaryGroupID | awk '{ print $2}'`

accountUniqueID=`dscl "$adNodeName" -read /Users/$newUserName 2>/dev/null | grep UniqueID | awk '{ print $2}'`


chown -R $accountUniqueID:$domainUsersPrimaryGroupID /Users/$newUserName

# restart the computer when done
# to make sure everything is working properly we will restart

shutdown -r now

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
stevewood
Honored Contributor II

Posted on β€Ž07-11-2016 08:58 AM

@gshackney I would use CocoaDialog to ask the tech for the new user name during the process. You can also use AppleScript to ask for the user name, and there are plenty of examples here on JAMF Nation of that method.

Once you have the new user name, you can use the mv command to move the home folder to the new name. I cobbled the below together and assumed the default path of /Users/<userfolder>. To be more correct, you should probably use dscl to locate the home folder path of the logged in user BEFORE removing from dscl, and then use that to move the home folder.

Once moved, you change the permissions.

Here is what I came up with. You'll see the two sections of code #### Get NEW user name and ##### Change the name of the home folder. I also changed the variable being called in the accountUniqueID and the actual chown call. Oh, and I also added back in the CD variable for the location of cocoaDialog.

I DID NOT test this, so TEST, TEST, TEST, and TEST some more:

#!/bin/sh

# Name:  moveDomains.sh
# Date:  28 May 2014 v1.0
# Updated: 18 Jun 2014 v1.1
# Author:  Steve Wood (swood@integer.com)
# Purpose:  used to move users from one AD domain to a new one, or from OD to AD
# Updates:  v1.1 - set GroupID to static
#   - v1.1 - including message to users using jamfhelper
#           - adding code to check for domain membership
# Prequisites:  You'll need a policy in your JSS 

# Globals & Logging 
LOGPATH='<WHERE YOU STORE LOGS>'  # change this line to point to your local logging directory
if [[ ! -d "$LOGPATH" ]]; then
    mkdir $LOGPATH
fi
set -xv; exec 1> $LOGPATH/movedomainslog.txt 2>&1  # you can name the log file what you want
version=1.1
oldAD='*****.internal'
currentAD=`dsconfigad -show | grep -i "active directory domain" | awk '{ print $5 }'`
CD="/private/var/inte/bin/cocoaDialog.app/Contents/MacOS/cocoaDialog"  ####  set this to the location of cocoaDialog on your systems


# let the user know what we are doing

banner=`/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Moving Domains" -heading "Moving Domains Header" -description "We are moving your user account to the new authentication domain.  When we are completed, and your computer restarts, you will be able to login to your computer with your new domain credentials." -button1 "Proceed" -button2 "Not Now" -defaultButton 1 -cancelButton 2 -timeout 60 -countdown` 

if [[ $banner == "2" ]]; then

    echo "User canceled the move."
    exit 1

fi

# Grab current user name
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

##### if you do not have OD deployed you can remove the follwing lines
# unbind from LDAP
# sinc there is no easy way to determine if bound to OD, we will just run against our OD for good measure

dsconfigldap -r *****.internal
#####

# unbind from AD
# check to see if we are bound to our current AD or not.  If not we can skip this

if [[ "$currentAD" = "$oldAD" ]]; then

    # remove the config for our old AD
    # you need a user in your AD that has the rights to remove computers from the domain

    dsconfigad -remove $oldAD -user <******> -pass <*******>   

fi

# remove the local user from the machine so we get the proper UID assigned in dscl
dscl . delete /Users/$loggedInUser

# bind to new AD
# using a JAMF policy to bind to the new AD

jamf policy -id **** # can also use a custom trigger for the policy

#### Get NEW user name
#### Use CocoaDialog to ask the tech to enter the new user name for the end user.
newUserName=`$CD standard-inputbox --informative-text "Please enter the new user name:" --float`
### CocoaDialog adds a numerical value at the begining of the result. Using awk to strip
newUserName=`echo $newUserName | awk '{ print $2 }'`

##### Change the name of the home folder
mv /Users/$loggedInUser /Users/$newUserName

# reset permissions
### some of the code below is courtesy of Ben Toms (@macmule)

###
# Get the Active Directory Node Name
###
adNodeName=`dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users groups Numeric ID
###

domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain Users | grep PrimaryGroupID | awk '{ print $2}'`

accountUniqueID=`dscl "$adNodeName" -read /Users/$newUserName 2>/dev/null | grep UniqueID | awk '{ print $2}'`


chown -R $accountUniqueID:$domainUsersPrimaryGroupID /Users/$newUserName

# restart the computer when done
# to make sure everything is working properly we will restart

shutdown -r now

View solution in original post

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.