Taking over a new company issues

russell_kennyOL
New Contributor III

Hi guys,
I have a bit of a fun one that hopefully someone has come across in the past.

We have recently acquired a new company that has merged with another of mine.

Predominantly Mac, which is good. We have been supporting them for a little while and I have pushed out the important stuff via Casper.

I have come across a new issue, which can be done manually, but of course I would like to automate this with Casper over the 70+ machines, as I only have one technician onsite.

All the Macs are bound to the old company's AD, which has been decommissioned.
The user accounts are all mobile accounts.

I was wondering if there was a way to convert the user accounts to local accounts and unbind the machines from the old AD via Casper.

There was a script in the resource kit to unbind the machines from AD, but without a valid network account, using the local admin account to try to force the unbind doesn't seem to work: the script returns the prompt to hit Y to force the unbind, but cycles through and doesn't unbind.
Not being very efficient at scripting, my efforts haven't been successful.

So basically a two-part question:
how can we automate converting a network account to a local account?
and
how can I automate the unbinding of a Mac without the network admin account?

Thanks guys, any suggestions would be appreciated!

5 REPLIES

russell_kennyOL
New Contributor III

After a mind blank I used -r -f to force the unbind; this will now unbind the machine with a local admin account.

Now I just need to somehow automate converting the mobile accounts to local accounts...

sean
Valued Contributor

Russell,

The mobile accounts are already local, at least everything you sync is. Where does the local version of the account exist on these machines? /Users maybe?

If your AD server is configured to have the local home account in the same place as the current location, then no work there, you just need to remove the managed preferences for home syncing. Otherwise you can just run a move command to put them where your AD server thinks they should be.

The UID of the local accounts may need to be changed to match the new ID on your AD server if these differ.

Sean

rockpapergoat
Contributor III

In the past, I've used variations of this (below) to migrate from OD to OD with mobile accounts. Rich Trouton has something similar in his repo.

I haven't touched this in a while. It's quick and dirty; adapt as you see fit.

https://github.com/rockpapergoat/scripts/blob/master/opendirectory/unbind_rebind_createmobile.rb

tlarkin
Honored Contributor

Hey Russell,

So, mobile accounts have a few unique things about them. Typically their UID is greater than 1,000, their home folder lives on a network share, but is synchronized with the local home folder, and they authenticate against some sort of Domain Server and "cache" their credentials locally.

I suppose the UID isn't a huge deal. I use it for logic in script writing when dealing with local and network accounts. There are a lot of methods of doing this. Personally, I do not delete old accounts, I move them (rename them) and once everything is tested, tried, and true then I play clean up afterwards if it is necessary.

I think, you would probably be OK if you just unbound the machine, and changed their home folder path to the local home folder and left everything else out. Of course, this is something I have not tested, so please test this out in your environment before you deploy it.

So, my local home folder lives here:

$ dscl . read /Users/tlarkin NFSHomeDirectory
NFSHomeDirectory: /Users/tlarkin

If you were a mobile account, you would see the FQDN of the network share and the share point where the home folder lives. You could change this path so the user record always points to the local home folder path.

If you want to delete the mobile accounts and create local and migrate data over, it is possible but there are lots of caveats when doing so. So, if that is something you want to accomplish I could recommend a few things for you to consider when executing such a work flow.
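
The two steps the thread arrives at (force the unbind with a local admin, then strip the cached-AD pieces from each mobile record so it becomes a plain local account) put together as an added example script. This is not code from the thread or from any of the posters; the account name "rkenny", the local admin "ladmin", the constructed sample record and the list of attributes it removes are my assumptions, so read a real mobile record with `dscl . -read /Users/NAME` on a test Mac before trusting the list.

```bash
#!/bin/bash
# Added example (not from the thread): turn an AD mobile account on a Mac whose
# old domain is gone into a plain local account, then force-unbind the Mac.
#   convert_mobile.sh demo                      run the checks on the built-in sample record
#   convert_mobile.sh dry-run rkenny            report what would change for a real user
#   convert_mobile.sh apply rkenny ladmin 'pw'  change the directory and unbind
# Names (rkenny, ladmin) and the sample record below are assumptions.

set -u

# Attributes an AD mobile record carries that a local account does not. This is
# the list I expect; verify against a real record and trim or extend it.
MOBILE_ATTRS="OriginalNodeName OriginalAuthenticationAuthority cached_groups
cached_auth_policy CopyTimestamp SMBSID SMBPrimaryGroupSID SMBGroupRID
SMBPasswordLastSet SMBScriptPath AltSecurityIdentities PrimaryNTDomain
AppleMetaRecordName MCXSettings MCXFlags"

# Constructed sample of what `dscl . -read /Users/rkenny` looks like for a
# mobile account cached from a decommissioned domain (not real output).
SAMPLE_RECORD='RecordName: rkenny
NFSHomeDirectory: /Users/rkenny
OriginalNodeName: /Active Directory/OLDCORP/All Domains
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;rkenny@LKDC:SHA1.ABC;LKDC:SHA1.ABC; ;LocalCachedUser;/Active Directory/OLDCORP/All Domains:rkenny:S-1-5-21-1111-2222-3333-1105
UniqueID: 1234567890'

# ---- pure helpers: work on the text of a dscl record, no directory access ----

# Value of a single-line attribute; empty if the record lacks it.
attr_value() {   # $1 = record text, $2 = attribute name
  printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# Mobile accounts remember the node they were cached from; local ones do not.
is_mobile_record() {   # $1 = record text
  [ -n "$(attr_value "$1" OriginalNodeName)" ]
}

# The ";LocalCachedUser;<node>:<user>:<sid>" entry in AuthenticationAuthority is
# what keeps loginwindow treating the user as a cached domain account, so it is
# the one entry that must be deleted. Prints nothing if it is absent.
cached_user_entry() {   # $1 = record text
  attr_value "$1" AuthenticationAuthority |
    grep -o ';LocalCachedUser;[^;]*' | sed 's/[[:space:]]*$//'
}

# Where the home should point once the account is local (tlarkin's suggestion).
local_home_for() {   # $1 = short name
  printf '/Users/%s\n' "$1"
}

# One-line summary used by dry-run and demo.
report_record() {   # $1 = record text, $2 = short name
  if is_mobile_record "$1"; then
    printf 'mobile: cached from %s; would delete %s; home %s\n' \
      "$(attr_value "$1" OriginalNodeName)" "$(cached_user_entry "$1")" \
      "$(attr_value "$1" NFSHomeDirectory)"
  else
    printf 'local: %s needs no conversion\n' "$2"
  fi
}

# ---- the parts that change the Mac; only reached via "apply" ----

convert_to_local() {   # $1 = short name of the mobile account
  local u="$1" rec entry cur_home want_home a
  rec="$(/usr/bin/dscl . -read "/Users/$u")" || { echo "no such user: $u" >&2; return 1; }
  if ! is_mobile_record "$rec"; then echo "$u is already local"; return 0; fi
  entry="$(cached_user_entry "$rec")"
  [ -n "$entry" ] && /usr/bin/dscl . -delete "/Users/$u" AuthenticationAuthority "$entry"
  for a in $MOBILE_ATTRS; do
    /usr/bin/dscl . -delete "/Users/$u" "$a" 2>/dev/null || true   # absent attrs are fine
  done
  cur_home="$(attr_value "$rec" NFSHomeDirectory)"
  want_home="$(local_home_for "$u")"
  [ "$cur_home" = "$want_home" ] || /usr/bin/dscl . -create "/Users/$u" NFSHomeDirectory "$want_home"
  /usr/bin/dseditgroup -o edit -a "$u" -t user staff   # membership came via cached_groups, now gone
  /usr/sbin/chown -R "$u" "$want_home"
  echo "$u converted to a local account"
}

unbind_force() {   # $1 = local admin name, $2 = its password
  # -force is what makes this work with the domain gone: dsconfigad no longer
  # tries to reach the old DC to remove the computer object. The password is
  # visible in `ps` while this runs; pass it as a Casper script parameter.
  /usr/sbin/dsconfigad -remove -force -username "$1" -password "$2"
}

case "${1:-}" in
  demo)    report_record "$SAMPLE_RECORD" rkenny ;;
  dry-run) report_record "$(/usr/bin/dscl . -read "/Users/$2")" "$2" ;;
  apply)   convert_to_local "$2" && unbind_force "$3" "$4" ;;
  "")      ;;   # sourced or run without arguments: define functions only
  *)       echo "usage: $0 demo | dry-run NAME | apply NAME ADMIN PASSWORD" >&2 ;;
esac
```

When this runs as a Casper policy script the positional arguments shift: Casper fills $1, $2 and $3 with the mount point, computer name and logged-in user, and script parameters arrive from $4 onward, so rewrite the case statement to read "${4:-}" and the following positions. Run the dry-run against every mobile account on a test Mac first and keep a copy of the record (`dscl . -read`) so a mistaken delete can be recreated.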

russell_kennyOL
New Contributor III

Thanks for your replies guys!

Currently looking at scripting with one of my guys to unbind, rename the account, and bind to our AD.

Just testing now.

thanks for the info!

If anyone wants this script, please let me know and I'll post it once I've finished testing.

Cheers