Setting up Open Directory for already existing user accounts
I work for a small business; for the few years we've been running, we've had individual MacBooks with local user accounts. We need to formalise this a bit in order to get an industry security accreditation: we need to prove password rotation and things like that.
I've set up Apple Server on a spare Mac Mini and created the network; I'm able to set up new users and log in via the connected MacBooks. The issue I have is that we've all got long-established profiles, apps, settings and so on, so I need a way to get these existing profiles tied to the users. There doesn't seem to be a standard way to do this, and any guides/videos I find are very outdated.
I created an Open Directory user matching my local user, renamed my user (home) directory, deleted my local account using the root user and signed in to my network user on my MacBook, then logged back in as root, got rid of the network user's user (home) directory and renamed my old one back. I tried to set the ownership of the directory to the network user account, but when I logged in it was a world of pain; I couldn't even open apps due to the permissions.
I ended up losing my old local account. Luckily I was able to get all of my files back and set the user and group permissions to my new user, although I've lost my settings and configs. There was obviously a whole load of other files I wasn't aware of in the Library that just didn't like the change.
Is there a way I can link Open Directory users to already existing local Mac users, or somehow switch over?
Thanks!
This is an old note that I wrote; I am posting it here as it might help you. All the instructions may not be accurate for the paths, as macOS has changed a lot, but I would suggest you give it a try on one machine first. Please make a backup of everything, or try it on one idle machine.
Step 1: Steps 1 – 24 (Basic setup)
- First, ensure that the local mac user account password matches the password for the AD account that you want to migrate to.
- Log into the computer under any Admin account (or create a new admin account) other than the account that needs to be migrated.
- Enable Root user from Open Directory Utility.
- Add the computer to the domain and choose 'Create mobile account'.
- Select the local user account that you want to migrate to an AD account and choose Delete (-).
- At the Delete prompt, select the option 'Don't change the home folder' (the home folder remains in the Users folder). This will rename the user folder by adding '(Deleted)' at the end of the folder name. Click 'Delete User'.
- Log out of the computer.
- At login screen, select Other and log into computer with AD account and if prompted, select the option for 'Create Mobile Account'. Skip any configuration prompts upon login.
- Log out of the AD account and log back in as root.
- Navigate to the Users folder and delete the new AD user's folder. Restart the computer, log back in as root, and empty the Trash.
- Rename the old user folder: delete the '(Deleted)' and any spaces from the folder name. The name of the user folder needs to match the AD username.
- Select the user folder and choose Get Info.
- Unlock the permissions.
- Click + and choose Network Users; type in and select the correct AD user and click OK.
- Set the user to Read & Write. Select the user, click the gear and choose 'Make user owner'.
- Click + and choose Network Groups, and add 'Domain Users'.
- Set the 'Domain Users' group permission to Read Only.
- Delete the 'Staff' group.
- Under the 'Name' column in the 'Sharing & Permissions:' section you will see an owner account listed; it may read 'Fetching'. Select it and delete this entry. Go to the gear and select 'Apply to enclosed items'.
Step 2: Steps 25–27 - Reset user folder permissions and ACLs
- Download Batchmod.
- Open Batchmod and browse to the user's home folder.
- Apply permissions EXACTLY as follows and make sure ALL options are checked (see the image above):
Now, in Batchmod, browse to the user's Public folder, select the Drop Box folder and apply the following permissions:
After all steps are complete and the user can log into their domain account successfully and see all their data, log back into the local admin account you have been using and do the following:
- Disable root (within directory utility)
- Remove the user profile you used to test and confirm that you could log into a domain account.
- Open a Terminal window and run dsconfigad -passinterval 0 (this supposedly helps the Mac pick up password changes more accurately when mandatory password intervals hit).
- Make the newly migrated user a local admin if appropriate. (Hint: usually not appropriate.)
I recommend leaving the local admin account in place so you can get into the machine in the future if anything ever goes awry with the connection to the domain. It can happen.
Go through this as well: http://www.walcott.com/blog/converting-a-local-mac-user-account-to-and-open-directory-server-mobile-account
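The rename, ownership, ACL-reset and Drop Box steps of the answer above (the Get Info and Batchmod parts) can also be done from a root shell, which is easier to repeat across several Macs and easier to audit for the accreditation. The script below is an added example, not code from the original post or from the linked article. It assumes that home folders live under $USERS_ROOT (default /Users), that the deleted local account's folder carries the " (Deleted)" suffix macOS adds, that the folder name equals the directory username, and that the Mac is already bound so `id` can resolve that user; the default modes it restores (home 700, Public 755, Drop Box 733) and the macOS-only `chmod -N` for clearing ACLs are my choices. It does not touch the local admin account, directory binding or `dsconfigad`, which the answer handles separately.

```shell
#!/bin/sh
# Added example, not part of the original post: re-attach an existing home
# folder to a directory (mobile) account from a root shell.
# Assumptions (mine, not the page's): homes live under $USERS_ROOT, the old
# folder is named "<user> (Deleted)", the folder name equals the directory
# username, and the Mac is bound so `id` resolves that user.
set -eu

USERS_ROOT="${USERS_ROOT:-/Users}"
DRY_RUN="${DRY_RUN:-0}"   # 1: rename and chmod only; print the root-only steps

# "alice (Deleted)" -> "alice": the folder name must match the directory username.
strip_deleted_suffix() {
  name="$1"
  name="${name%(Deleted)}"                   # drop the suffix added on deletion
  name="${name%"${name##*[![:space:]]}"}"    # trim trailing whitespace
  printf '%s\n' "$name"
}

# Ownership and ACL changes need root; in dry-run mode just show them.
run_privileged() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# migrate_home USER OLD_FOLDER: move OLD_FOLDER to $USERS_ROOT/USER, give it to
# USER, clear stale ACLs and restore the default modes on the folders macOS
# cares about (home 700, Public 755, Drop Box 733 = rwx-wx-wx).
migrate_home() {
  user="$1"
  old_dir="$2"
  new_dir="$USERS_ROOT/$user"
  [ -d "$old_dir" ] || { echo "no such folder: $old_dir" >&2; return 1; }
  if [ -e "$new_dir" ]; then
    # The first network login created a throw-away home here; the answer deletes
    # it on purpose, so refuse to overwrite it silently.
    echo "$new_dir already exists; remove the new network home first" >&2
    return 1
  fi
  if [ "$DRY_RUN" != 1 ]; then
    # Fails if the Mac is not bound or the user has never logged in here.
    id -u "$user" >/dev/null 2>&1 || { echo "cannot resolve user $user" >&2; return 1; }
    group="$(id -gn "$user")"     # primary group, e.g. staff or Domain Users
  else
    group="staff"                 # placeholder; not resolved in dry-run mode
  fi
  mv "$old_dir" "$new_dir"
  run_privileged chown -R "$user:$group" "$new_dir"
  run_privileged chmod -R -N "$new_dir"           # macOS: strip every ACL entry
  chmod 700 "$new_dir"
  if [ -d "$new_dir/Public" ]; then
    chmod 755 "$new_dir/Public"
  fi
  if [ -d "$new_dir/Public/Drop Box" ]; then
    chmod 733 "$new_dir/Public/Drop Box"
  fi
  printf 'migrated %s -> %s (owner %s:%s)\n' "$old_dir" "$new_dir" "$user" "$group"
}

# Usage (as root, from the local admin account): sh migrate_home.sh alice "/Users/alice (Deleted)"
if [ "$#" -eq 2 ]; then
  migrate_home "$1" "$2"
fi
```

Run it with DRY_RUN=1 first to see the chown and ACL commands it would issue; the refusal to overwrite an existing $USERS_ROOT/USER is deliberate, because that folder is the empty home the first network login created and the answer deletes it by hand before the rename.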