Updating local user account after employment change

RyanK
New Contributor II

Hello,

 

During Auto Device Enrollment the users local accounts are created using either E# (employee) or LC# (contractor). On occasion we have LC's come on as employees and switch from LC# to E#. So, the local user account stays as LC# and then all sorts of issues start to occur on the Mac.

 

In the past we have just wiped the mac and enrolled it again so it grabs their new E# account and leaves no trace of the LC#.

If I recall I've been told that running "sudo profiles renew -type enrollment" should fix it but I have not had that work for me.

Is there some way we can get the local user account to change from LC# to E# without erasing the Mac?

 

PS. I do go into our jamf instance and change the account there from LC# to E# by searching in our user database in jamf but this obviously does not correct the issue on the Mac.

4 REPLIES 4

mschlosser
Contributor II

interesting question, as i'm sure you know, there are advanced options that you can access for accounts, by right clicking on them in the gui, from there aliases can easily be added for login accounts. Please note this will not change, the name of the actual home directory, but they could use a new short name to login. The equal command to set up in jamf would be 

sudo dscl . -merge /Users/usernametoaddaliastoo RecordName <alias>

note: sudo is not necessary when sending commands from jamf.

AJPinto
Esteemed Contributor

Messing with user accounts properties is a very messy process on macOS. Where it is possible to change these attributes, there is a decent chance of corrupting the profile making these changes. Your best option by far is to have the user create a new account on the device and run a script to migrate files or change permissions so the user can move their own files.

RyanK
New Contributor II

Thanks very much @AJPinto and @mschlosser for the suggestions. 

I work in FinTech and our macs are locked down pretty tight so I'm not sure if they would even let me create a new account to migrate the files. They do not like it when we have more than one account. :D

 

I have a feeling the quickest and safest root as far as data retention goes is to have them backup what they need to our company OneDrive and then erase the mac to kick off the enrollment for their new EID.

Thanks again and I appreciate the replied.

a_hebert
Contributor

We use a script like this to change accounts.  The only thing is we havent tried it when the user is logged in we have another account that is logged into then the change is made.  The script is supposed to log the user out if it is run on the logged in user.

 

 

 

#!/bin/bash
# 
# Script to rename the username of a user account on MacOS
# 
# The script updates the users record name (username), RealName (displayName), and home directory
# 
# If the user receiving the name change is signed in they will be signed out. 
#
# 
#
# 
#
# NOTE: SCRIPT MUST BE RUN AS ROOT
# NOTE: SYSTEM WILL RESTART AFTER SUCCESSFUL NAME UPDATE
#
# Ensures that script is run as ROOT
if [[ "${UID}" != 0 ]]; then
	(echo >&2 "Error: $0 script must be run as root")
	exit 1
fi

# Ensures that the system is not domain bound
readonly domainBoundCheck=$(dsconfigad -show)
if [[ "${domainBoundCheck}" ]]; then
	 /usr/local/bin/jamf policy -event unbindad
	exit 1
fi

# Ensures that parameters are entered
#if [[ ${#} -ne 2 ]]; then
#	echo "Usage: $0 oldUserName newUserName"
#	exit 1
#fi

oldUser=$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter a Old Username or select Cancel." default answer "Firstname_Lastname"' -e 'text returned of result' 2>/dev/null)
newUser=$(/usr/bin/osascript -e 'Tell application "System Events" to display dialog "Please enter a New Username or select Cancel." default answer "Firstname_Lastname"' -e 'text returned of result' 2>/dev/null)

# Test to ensure logged in user is not being renamed
readonly loggedInUser=$(ls -la /dev/console | cut -d " " -f 4)
if [[ "${loggedInUser}" == "${oldUser}" ]]; then
	echo "Cannot rename active GUI logged in user. Log in with another admin account and try again."
	exit 1
fi

# Verify valid username
if [[ -z "${newUser}" ]]; then
	echo "New user name must not be empty!"
	exit 1
fi

# Test to ensure account update is needed
if [[ "${oldUser}" == "${newUser}" ]]; then
	echo "No updates needed"
	exit 0
fi

# Query existing user accounts
readonly existingUsers=($(dscl . -list /Users | grep -Ev "^_|com.*|root|nobody|daemon|\/" | cut -d, -f1 | sed 's|CN=||g'))

# Ensure old user account is correct and account exists on system
if [[ ! " ${existingUsers[@]} " =~ " ${oldUser} " ]]; then
	echo "${oldUser} account not present on system to update"
	exit 1
fi

# Ensure new user account is not already in use
if [[ " ${existingUsers[@]} " =~ " ${newUser} " ]]; then
	echo "${newUser} account already present on system. Cannot add duplicate"
	exit 1
fi

# Query existing home folders
readonly existingHomeFolders=($(ls /Users))

# Ensure existing home folder is not in use
if [[ " ${existingHomeFolders[@]} " =~ " ${newUser} " ]]; then
	echo "${newUser} home folder already in use on system. Cannot add duplicate"
	exit 1
fi

# Checks if user is logged in
loginCheck=$(ps -Ajc | grep ${oldUser} | grep loginwindow | awk '{print $2}')

# Logs out user if they are logged in
timeoutCounter='0'
while [[ "${loginCheck}" ]]; do
	echo "${oldUser} account logged in. Logging user off to complete username update."
	sudo launchctl bootout gui/$(id -u ${oldUser})
	Sleep 5
	loginCheck=$(ps -Ajc | grep ${oldUser} | grep loginwindow | awk '{print $2}')
	timeoutCounter=$((${timeoutCounter} + 1))
	if [[ ${timeoutCounter} -eq 4 ]]; then
		echo "Timeout unable to log out ${oldUser} account."
		exit 1
	fi
done

# Captures current "RealName" this is the displayName
fullRealName=$(dscl . -read /Users/${oldUser} RealName)

# Formats "RealName"
readonly origRealName=$(echo ${fullRealName} | cut -d' ' -f2-)

# Updates "RealName" to new username (Yes JCAgent will overwrite this after user/system association)
sudo dscl . -change "/Users/${oldUser}" RealName "${origRealName}" "${newUser}"

if [[ $? -ne 0 ]]; then
	echo "Could not rename the user's RealName in dscl. - err=$?"
	echo "Reverting RealName changes"
	sudo dscl . -change "/Users/${oldUser}" RealName "${origRealName}" "${origRealName}"
	exit 1
fi

# Captures current NFS home directory
readonly origHomeDir=$(dscl . -read "/Users/${oldUser}" NFSHomeDirectory | awk '{print $2}' -)

if [[ -z "${origHomeDir}" ]]; then
	echo "Cannot obtain the original home directory name, is the oldUserName correct?"
	echo "Reverting RealName changes"
	sudo dscl . -change "/Users/${oldUser}" RealName "${newUser}" "${origRealName}"
	exit 1
fi

# Updates NFS home directory
sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "${origHomeDir}" "/Users/${newUser}"

if [[ $? -ne 0 ]]; then
	echo "Could not rename the user's home directory pointer, aborting further changes! - err=$?"
	echo "Reverting Home Directory changes"
	sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${origHomeDir}"
	echo "Reverting RealName changes"
	sudo dscl . -change "/Users/${oldUser}" RealName "${newUser}" "${origRealName}"
	exit 1
fi

# Updates name of home directory to new username
mv "${origHomeDir}" "/Users/${newUser}"

if [[ $? -ne 0 ]]; then
	echo "Could not rename the user's home directory in /Users"
	echo "Reverting Home Directory changes"
	mv "/Users/${newUser}" "${origHomeDir}"
	sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${origHomeDir}"
	echo "Reverting RealName changes"
	sudo dscl . -change "/Users/${oldUser}" RealName "${newUser}" "${origRealName}"
	exit 1
fi

# Actual username change
sudo dscl . -change "/Users/${oldUser}" RecordName "${oldUser}" "${newUser}"

if [[ $? -ne 0 ]]; then
	echo "Could not rename the user's RecordName in dscl - the user should still be able to login, but with user name ${oldUser}"
	echo "Reverting username change"
	sudo dscl . -change "/Users/${oldUser}" RecordName "${newUser}" "${oldUser}"
	echo "Reverting Home Directory changes"
	mv "/Users/${newUser}" "${origHomeDir}"
	sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${origHomeDir}"
	echo "Reverting RealName changes"
	sudo dscl . -change "/Users/${oldUser}" RealName "${newUser}" "${origRealName}"
	exit 1
fi

# Links old home directory to new. Fixes dock mapping issue
ln -s "/Users/${newUser}" "${origHomeDir}"

# Success message
read -r -d '' successOutput <<EOM
Success ${oldUser} username has been updated to ${newUser}
Folder "${origHomeDir}" has been renamed to "/Users/${newUser}"
RecordName: ${newUser}
RealName: ${newUser}
NFSHomeDirectory: "/Users/${newUser}"

SYSTEM RESTARTING in 5 seconds to complete username update.
EOM

echo "${successOutput}"

# System restart
Sleep 5
osascript -e 'tell application "System Events" to restart'
exit 0