Posted on 04-27-2016 01:24 PM
So we are setting up a new domain and migrating from 2 previous domains and I'm trying my best to script this correctly so the migration is smooth. I set this up as a policy on logout. So first I do a force unbind:
dsconfigad -force -remove
Then I have it rebind with the casper directory binding we created for the new domain.
Then I have it fix the user permissions for the new domain:
chown -R "$3":"domain users" "/Users/$3"
Then I set the 14-day timeout in OS X to 0:
dsconfigad -passInterval 0
My problem is that when all is said and done, everything appears to have correctly run, however at the login screen, when you log in as that user again, it just pinwheels and never logs in. When you do a hard reboot though, it works fine. So I added a reboot to the script at the end, but it still just hangs.
Any ideas?
Gabe Shackney
Princeton Public Schools
Posted on 04-27-2016 01:33 PM
A few questions for you. Are we talking about cached AD mobile accounts here? Also, were user accounts migrated to the new domain exactly as they were in the old domain, like same UID and everything?
Posted on 04-27-2016 01:41 PM
Ah, good question, I believe it is the same UID since we are doing a migration using Microsoft's tools. It's AD mobile accounts, yes. And so far we are just testing this first, so we are just migrating test accounts that yes should be the same in both old and new domain.
Gabe Shackney
Princeton Public Schools
Posted on 04-27-2016 02:04 PM
OK, so one thing to look at when talking about AD mobile accounts, is the OriginalAuthenticationAuthority value in the local account.
dscl . read /Users/username OriginalAuthenticationAuthority
That may have information from the old domain. I assume the new domain has a new name. Personally if I were doing this, I'd probably remove the local cached account (leaving the old home dir) and recreate it using createmobileaccount. And then pair up the new correct account with the user's previous home folder. More scripting, but it should be more reliable since it will be making the account in local dir services from the new domain.
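The check suggested in the reply above, as an added example that is not part of the original thread: it reads the text printed by `dscl . read /Users/username OriginalAuthenticationAuthority` and decides whether the cached account still points at a realm other than the new one. It assumes the value carries a `;Kerberosv5;;user@REALM;REALM;` entry; the function names, realm names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the text printed by:
#   dscl . read /Users/<name> OriginalAuthenticationAuthority
# Assumption: the value contains a ";Kerberosv5;;user@REALM;REALM;" entry.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_OLD='OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@OLD.EXAMPLE.ORG;OLD.EXAMPLE.ORG; ;NetLogon;jdoe;OLD'
SAMPLE_NEW='OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@NEW.EXAMPLE.ORG;NEW.EXAMPLE.ORG; ;NetLogon;jdoe;NEW'
SAMPLE_LOCAL='No such key: OriginalAuthenticationAuthority'

# realm_of <dscl output> -> prints the Kerberos realm, or nothing if absent.
# Splits the value on ';' and takes the first field shaped like user@REALM.
realm_of() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[^@ ]*@\([A-Za-z0-9.-]*\)$/\1/p' | head -n 1
}

# decide <dscl output> <new realm> -> prints one of:
#   recreate    record names a different realm (stale cached account)
#   keep        record already names the new realm
#   not-mobile  no Kerberos entry found, so leave the account alone
decide() {
    current=$(realm_of "$1" | tr '[:lower:]' '[:upper:]')
    wanted=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ -z "$current" ]; then
        echo not-mobile
    elif [ "$current" = "$wanted" ]; then
        echo keep
    else
        echo recreate
    fi
}

# Demonstration over the constructed samples; realm comparison ignores case.
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_LOCAL"; do
    printf '%-12s %s\n' "$(decide "$sample" new.example.org)" "$sample"
done
```

In a logout policy the first argument to `decide` would be the live `dscl` output for the user in `$3`, and only a `recreate` result would lead on to removing and recreating the cached account.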
Posted on 05-23-2016 11:10 AM
Thanks... I'm looking at the deletion of the local account but leaving the folder, then using createmobileaccount using the info passed during logout $3. I think some others have migrated domains as well so I'll check if there might be an easier way.
Gabe Shackney
Princeton Public Schools