rename user account with script at loginwindow

I'll be watching this closely. How are you dealing with FV2 login?

I'm going to revive this thread, because I'm facing a similar issue. In the org I work in, contractors have specific usernames that start with a different character (followed by 6 numbers) than full time employees. Once someone gets converted from contract to full time, we will have to migrate their existing user account from the old to the new, which means renaming their account. Everyone has to log into their computers using their official domain account name/password.

I'm trying to figure out an effective way to accomplish this. On top of the expected complexities, there is FV2 at play as well, which will make things... interesting.

Has anyone tackled this yet and come up with a smooth way to do it that doesn't involve physically touching the machine, since this won't always be possible with far flung remote workers?

@mm2270 I don't have a reason to implement anything like this but I typically find that if you're asking how to do something, I'll probably run into a similar issue in a year or two or three...ok, four. lol

@mm2270 We have developed and application for similar purpose.

The Groupe acquires agencies and we need to integrate the devices into our Jamf and one of the tasks is to convert either the AD account (old domain/and unbind it) or a non-standard named one to the the official account in our AD system.
This app converts the logged account to the official account (local) and we use Enterprise Connect to sync the passwords to AD.

The app is run by the end users so little IT intervention is required (all we ask is for the users to read the BIG print - always backup your data!) and FileVault is updated to reflect that too.

In terms of PPPC we had to allow loads of commands as SIP prevents/restricts any scripting touching the user's home directory.
There is a Configuration Profile in Jamf for this job and the app scopes the device in and out of that profile.

We are having a high success rate but on a world of IT it is never smooth and we have some issues.
Having said that, this enables us to get the job done anywhere as far they can reach the Jamf!

The image below shows what we did for the app's configuration profile.

I'd be happy to help revisit some things I was working on a few years back to do just this. Specifically, I was migrating accounts on the fly. (local to local) by, essentially deleting the DSCL record, renaming the users home directory (While snagging credentials from the Enterprise Connect keychain entry as we're non-bound) and then creating a new user with that directory. The issue at hand just comes down to the fact that the new user account needs to be created by an account that already has a secure token. Not that this is news to you of course, and I highly doubt that any info in the cobbled together script will help, but aside from the FV2 issues, it did work well enough though if I were to revisit this, I would really change how I am gaining access to the keychain. But the need was quick so I just borrowed something JAMF put together for transitioning old Mobile accounts to Local accounts and stuck several forks in it at odd angles until it was functional.

1#!/bin/sh
2####################################################################################################
3#
4# ABOUT
5#
6#   Convert Mobile Account to Local Account
7#   Based on: https://jamfnation.jamfsoftware.com/discussion.html?id=12462#responseChild73117
8#
9#   This script is designed to remove a mobile user account and re-create
10#   a local account with the same username and the password from user-input.
11#   It will also give read/write permissions to the user's home folder.
12#
13####################################################################################################
14#
15# HISTORY
16#
17#   Version 1.0, 28-Apr-2016, Dan K. Snelson
18#   Version 1.1, 02-May-2016, Dan K. Snelson
19#       Removed code and verbiage about the user's keychain
20#   Version 1.2, 03-May-2016, Dan K. Snelson
21#       Fixed error when no users with 5nn UID existed
22#   Version 1.2 Brewster Edition 27-July-2018, Chris Hafner
23#       Modified to allow account conversion from personal local, to EC User local account.
24#
25
26####################################################################################################
27# Import general functions
28source /Users/Shared/Client-Side-Functions.sh
29####################################################################################################
30
31ScriptLog "###############################################"
32ScriptLog "### Convert Personal Local Account to Brewsterized Local Account ###"
33ScriptLog "###############################################"
34
35### Variables
36loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
37");'`
38UserUID=`/usr/bin/dscl . read /Users/"${loggedInUser}" UniqueID | grep UniqueID: | cut -c 11-`
39userRealName=`/usr/bin/dscl . -read /Users/"${loggedInUser}" | /usr/bin/grep RealName: | cut -c11-`
40user_home_location=`/usr/bin/dscl . -read /Users/"${loggedInUser}" NFSHomeDirectory 2>/dev/null | /usr/bin/sed 's/^[^/]*//g'`
41
42# Echo variables
43ScriptLog "Variables ..."
44ScriptLog "* loggedInUser=${loggedInUser}"
45ScriptLog "* UserUID=${UserUID}"
46ScriptLog "* userRealName=${userRealName}"
47ScriptLog "* adminStatus=${userIsAdmin}"
48ScriptLog "* ec_user=${ec_user}"
49
50#This will set the "admiStatus" to nothing in all circumstances. I've just left the line here in case I change my mind later. Proper adminStatus would be -admin for a non-standard user.
51if [[ $(/usr/bin/dsmemberutil checkmembership -U "${loggedInUser}" -G admin) != *not* ]]; then
52    adminStatus=""
53    userIsAdmin="Yes"
54else
55    adminStatus=""
56    userIsAdmin="No"
57fi
58
59if [[ -d "/Applications/Enterprise Connect.app" ]]; then
60    /usr/bin/security find-generic-password -l "Enterprise Connect" "${user_home_location}"/Library/Keychains/login.keychain > /dev/null 2>&1
61    if [[ $? -eq 0 ]]; then
62        ec_user=`/usr/bin/security find-generic-password -l "Enterprise Connect" | grep "acct" | awk -F "=" '{print $2}' | tr -d """`
63        ec_userPW=`/usr/bin/security find-generic-password -l "Enterprise Connect" -w`
64    fi
65fi
66
67#Rename home directory
68ScriptLog "* Moving Home Directory ..."
69mv $user_home_location /Users/$ec_user
70
71# Delete the currently logged-in user account
72ScriptLog "* Deleting ${loggedInUser} account from client-side directory ..."
73sysadminctl -deleteUser "$loggedInUser" -keepHome
74
75Gets the current highest user UID
76ScriptLog "* Discovering the highest available UID ..."
77maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
78
79        if [ -z ${maxid} ]; then
80            newid=501
81        else
82            newid=$((maxid+1))
83        fi
84
85# Create local user account ...
86ScriptLog "* Create ${loggedInUser} local account in client-side directory ..."
87/usr/sbin/sysadminctl -addUser "${ec_user}" -fullName "${ec_user}" -UID "${newid}" -password "${ec_userPW}" -home "/Users/${ec_user}" "${adminStatus}"
88
89# Reset ownership on home directory and append location
90ScriptLog "* Correct permissions for ${loggedInUser} ..."
91/usr/sbin/chown -R "${ec_user}":staff /Users/"${ec_user}"
92
93#This would delete the user's keychain folder if uncommented
94#ScriptLog "* Delete ${loggedInUser} keychain ..."
95#/bin/rm -Rf /Users/"${ec_user}"/Library/Keychains/*
96
97#Sleep for five seconds ..."
98ScriptLog "* Sleep for five seconds ..."
99/bin/sleep 5
100
101# Force logout
102ScriptLog "* Force logout ..."
103/bin/ps -Ajc | /usr/bin/grep loginwindow | /usr/bin/awk '{print $2}' | /usr/bin/xargs /bin/kill -9
104
105ScriptLog "---"
106ScriptLog "- $loggedInUser account converted from personal to stu###"
107ScriptLog "---"
108
109
110exit 0

Generally, my plan was to separate the process from the initial onboarding, where I would eventually get an account with the proper credentials... but we decided it wasn't worth the continued development time. In your case, you should have secure token on a management account yes?

Thought I'd post some thoughts related to this here. 

Regardless of your scenario where you want to rename or replace an existing account's name, this seems to be a deliverable gap currently. Apple Support no doubt would just ask why https://support.apple.com/en-us/HT201548 isn't good enough? While dated, this script https://community.spiceworks.com/scripts/show/4409-mac-account-rename-script-username-home-directory-display-name seemed promising but hits error -14120 (eDSPermissionError) on attempting to change the NFSHomeDirectory. 

I suspect the "rightApple way" to do this now is with sysadminctl -deleteUser -keepHome followed by sysadminctl -addUser -home but we all know that's fraught with Secure Token and user auth prompt troubles such that we've all shied away from actually just trying and getting it done. 

Anyone every manage to come up with a solution for this? Working on a script at the moment, but running into issues. All changes happen and initially appeared fine but my user is no longer able to change their password as a standard user which I suspect is related to Secure Token, even though sysadminctl shows that its still enabled for the user.

​@CiaranCoghlan its probably best to make your own post then dig up a 5 year old post and respond. Generally speaking you dont want to change user account attributes, macOS maps a lot of things to the user identity and changing any of this has a very high chance of breaking the user account. If you need to rename the account, just delete it and have the user make a new account.