Convert domain account to local account

Solution 1:

The instructions below apply in a situation where the user had a "mobile" account that has already been synced to the client machine so that the local home directory contained all the data needed by the user.

  1. Log in to the client machine as a local administrator. Make sure the user you are going to change is NOT logged in :-)
  2. Do a backup!!! (e.g. by running Time Machine)
  3. From the Terminal, execute the id <user> command, where <user> is the name of the mobile user. Make a note of the User ID and primary group ID numbers.
  4. In System Preferences, delete the mobile account by selecting it and then clicking on the '-' button. Select the "Don't change the home folder" option. This will rename the user's home folder on the client to /Users/<user>\ (deleted).
  5. Add a new local account. The user name must be <user>. Specify a local password (i.e. not an iCloud one).
  6. Right-click on the new local account and "Advanced settings" will be shown. Set the user ID to the previous value.
  7. The new local account now has a new /Users/<user> home directory with the default subdirectories in it. From the Terminal, as administrator, remove this new home directory and rename the old "deleted" home directory as follows (the path with the space and parentheses must be quoted, otherwise the shell rejects it):

    sudo rm -rf /Users/<user>
    sudo mv "/Users/<user> (deleted)" /Users/<user>
    
  8. (Optional): the default group for new users is staff, gid=20. You may need to change this. Use the Directory Utility tool to add or edit local groups.
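The steps above, carried out entirely from the Terminal, as an added example that is not code from this answer. It assumes a mobile account named jdoe (any name works) and relies on id(1), who(1), dscl(1) and sysadminctl(8), which ship with macOS; the destructive part runs only when MIGRATE_APPLY=1 is set on a Darwin host, so the helpers can be tried safely elsewhere first.

```shell
#!/bin/bash
# Added example, not code from any of the answers above: Solution 1's steps
# carried out from the Terminal on macOS. Run it from a local administrator
# account while the mobile user is logged out. It relies on id(1), who(1),
# dscl(1) and sysadminctl(8), all shipped with macOS. The destructive steps run
# only when MIGRATE_APPLY=1 is set on a Darwin host; otherwise it records the
# identity and stops, so the helpers can be exercised on any system.
set -eu

USERS_DIR=${USERS_DIR:-/Users}

# Extract "uid gid" from the output of `id <user>`, e.g.
# "uid=503(jdoe) gid=20(staff) groups=20(staff),12(everyone)". Prints nothing
# when the input does not look like id(1) output.
parse_id() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9][0-9]*\)([^)]*) gid=\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the given who(1) output lists a session for the user; converting
# an account that still has a session leaves its keychain and home in flux.
has_session() {
    printf '%s\n' "$1" | awk -v u="$2" 'NF && $1 == u { found = 1 } END { exit !found }'
}

# Find the home folder that was set aside when the record was deleted. System
# Preferences appends " (Deleted)"; both spellings used in the answers are tried.
find_deleted_home() {
    local cand
    for cand in "$USERS_DIR/$1 (Deleted)" "$USERS_DIR/$1 (deleted)"; do
        if [ -d "$cand" ]; then printf '%s\n' "$cand"; return 0; fi
    done
    return 1
}

convert_mobile_account() {
    local user=$1 ids uid gid password
    if has_session "$(who)" "$user"; then
        echo "$user is logged in; log that user out first" >&2
        return 1
    fi
    # Step 3: record the uid/gid before the record disappears.
    ids=$(parse_id "$(id "$user" 2>/dev/null)")
    if [ -z "$ids" ]; then
        echo "cannot read uid/gid for $user" >&2
        return 1
    fi
    uid=${ids% *}; gid=${ids#* }
    echo "recorded $user: uid=$uid gid=$gid"

    if [ "${MIGRATE_APPLY:-0}" != 1 ] || [ "$(uname)" != Darwin ]; then
        echo "dry run; set MIGRATE_APPLY=1 on macOS to apply the change"
        return 0
    fi
    printf 'New local password for %s: ' "$user"; read -rs password; echo

    # Step 4: drop the cached mobile record and set the home folder aside,
    # which is what "Don't change the home folder" does in System Preferences.
    sudo dscl . -delete "/Users/$user"
    sudo mv "$USERS_DIR/$user" "$USERS_DIR/$user (Deleted)"

    # Steps 5-6: a local account with the same name and the old uid/gid.
    sudo sysadminctl -addUser "$user" -UID "$uid" -GID "$gid" -password "$password"

    # Step 7: replace the fresh home with the original one and fix ownership.
    sudo rm -rf "$USERS_DIR/$user"
    sudo mv "$(find_deleted_home "$user")" "$USERS_DIR/$user"
    sudo chown -R "$uid:$gid" "$USERS_DIR/$user"
    echo "done; log in as $user and verify the keychain opens"
}

# Usage: ./convert.sh <user>
if [ -n "${1:-}" ]; then convert_mobile_account "$1"; fi
```

The script refuses to run while the target user has a session and aborts if id(1) cannot be parsed, which are the two mistakes that turn this procedure into a broken home folder. Keep the Time Machine backup from step 2 regardless; the rm -rf in step 7 is unrecoverable.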

Solution 2:

Sierra must have changed something, because this did not work. The account attempts to log in, then there were a ton of messages asking for the admin password because the Library needed to be repaired. Then there was an error that a valid keychain could not be found (because the account did not have access to any of its own folders). In the past, an ACL reset would fix that, but that's not possible with Sierra (or at least I haven't found a reliable way to do it).

What I did instead was:

  1. From an admin account, delete the Mobile User account, but do not delete the home folder.
  2. From Terminal, rename the user's home folder to remove the "(Deleted)" tag. You can also rename it to anything you want at this point, such as "johnspartan" instead of "spartanj117"
  3. Create a new local account, using the same name as the account you just edited. Select "Use Existing Folder." (If you don't see the prompt, you mistyped something. Cancel and double-check the previous step.)
  4. Log out of the admin account, and log into the newly created account. All should be there, minus the Mobile account tag.

Solution 3:

I tried this script on macOS Catalina (10.15.2) and it worked perfectly.

  1. Log into a local admin account other than the account to migrate.
  2. Download and run this script, and follow all of the instructions
  3. Once it is finished, reboot your computer into Recovery Mode (Command + R)
  4. Open Disk Utility, mount your primary drive, and run First Aid
  5. Reboot and use as normal

According to the author of the script, it modifies the account itself by removing all of the AD affiliations, instead of deleting the account and migrating the data.

When running the script, you will most likely see a bunch of chown: Permission denied errors. The ownership of the files and folders in your /Users/<username> directory will be changed, but the filesystem permissions need to be flushed. There is a specific command you can run in Terminal if you feel like looking it up, but running First Aid in Recovery Mode is much simpler.

Solution 4:

Be careful! Both answers above have problems because, in the end, they do the same thing. At this point, the shorter four-step procedure is better.

I cannot comment on the changes between Sierra and previous versions, but both suggestions have an issue with the UUID that is assigned accounts.

There are three numbers which identify a user on Macs. The first two are the uid and gid mentioned in the longer procedure above. The longer procedure essentially restores the uid/gid to the previous values by hand; in the second procedure the system will reassign the uid/gid combination on all files in the home directory for you. This is great if the only thing you are worried about on the server is the user's files.

The problem is the third user identifier, which is used by most of the Server services to identify the user. Both procedures above assign a new UUID to the account, meaning that all services will need to be reconfigured from scratch. For mail, you need to delete the old network users and add the new local ones, but you will then lose all mail stored on the server for the user. Therefore, before proceeding, you need to move all mail to an "On My Mac" store or export it somehow, then make the user changes and move the mail back again. The same holds true for all other services provided by that server.
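A way to see the three identifiers this answer describes change under your feet, as an added example that is not code from the answer: record uid, primary gid and the directory-services GeneratedUID (the UUID the answer refers to) before the conversion, and compare afterwards. The account name jdoe is assumed; record_identity needs macOS because it calls dscl(1), while compare_identity is plain text handling.

```shell
#!/bin/bash
# Added example, not code from the answer above: record the three identifiers
# Solution 4 describes (uid, primary gid and the directory-services
# GeneratedUID) before converting an account and compare them afterwards, so
# you know before touching the server which values its services will no longer
# recognise. record_identity needs macOS (dscl); compare_identity is plain text
# handling and runs in any bash.
set -eu

# Print "uid gid generateduid" for a user in the local directory node.
record_identity() {
    local user=$1 uid gid guid
    uid=$(id -u "$user")
    gid=$(id -g "$user")
    # dscl prints "GeneratedUID: <uuid>"; keep only the value.
    guid=$(dscl . -read "/Users/$user" GeneratedUID | awk '{ print $2 }')
    printf '%s %s %s\n' "$uid" "$gid" "$guid"
}

# Compare a "before" and an "after" record. Reports every field that changed
# and returns 1 when the GeneratedUID differs, because that is the key server
# services (mail, calendar, shares) store for the user; a changed uid or gid
# only affects file ownership and is repaired with chown -R.
compare_identity() {
    local b_uid b_gid b_guid a_uid a_gid a_guid
    set -- $1 $2
    if [ $# -ne 6 ]; then
        echo "malformed record (expected 'uid gid guid' twice)" >&2
        return 2
    fi
    b_uid=$1 b_gid=$2 b_guid=$3 a_uid=$4 a_gid=$5 a_guid=$6
    [ "$b_uid" = "$a_uid" ] || echo "uid changed: $b_uid -> $a_uid (chown -R the home folder)"
    [ "$b_gid" = "$a_gid" ] || echo "gid changed: $b_gid -> $a_gid"
    if [ "$b_guid" != "$a_guid" ]; then
        echo "GeneratedUID changed: $b_guid -> $a_guid (server services see a new user)"
        return 1
    fi
    echo "GeneratedUID unchanged; server-side settings still apply"
}

# Typical use on macOS (assumed account name jdoe):
#   record_identity jdoe > jdoe.before                                 # before
#   compare_identity "$(cat jdoe.before)" "$(record_identity jdoe)"    # after
```

Run the before half while the mobile account still exists; once the record is deleted, dscl has nothing to read. A non-zero exit from compare_identity is the signal to export server-side mail and other per-user data before the old network user is removed, exactly as the answer advises.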