HowTo: Use/Migrate an existing local OS X user profile for use with an ActiveDirectory User

So, we’ve all been there: a user has been using his Mac with a local account. At some point IT needs to manage all computers and passwords, so this Mac, together with its user, has to become Active Directory managed. But of course no setting, no file, nothing may change, because the user is king (and maybe the company’s boss, who hates being upset; even a changed wallpaper or a moved shortcut upsets him…). Here’s how to do it:

  • Create a new local user with admin rights. The migration has to be done from a different account than the one you are migrating.
  • Log out of the existing user and log in as the new admin user.
  • Delete the user you want to migrate. When the system asks what to do with the home folder, don’t delete or archive it; choose to leave it where it is.
  • In a terminal run `sudo mv /Users/oldusername /Users/newusername`, where newusername is the shortname of the AD user. This is critical: the folder name must match the AD shortname exactly, otherwise the first AD login creates a fresh, empty home folder next to it.
  • If not already done, bind the Mac to the AD domain.
  • Use `chown` in the terminal to change the owner of the home folder to the new domain user. Use the `-R` flag, because every file underneath still belongs to the old local UID, and use the shortname; there is no need to write the domain or the FQDN. If the shortname does not resolve yet (for example `id` does not know it), the binding is not active and the chown will fail.
  • Open Directory Utility, edit the Active Directory settings and check “Create mobile account at login”; also check the box below it (“Require confirmation before creating a mobile account”) so that you get asked at the next login.
  • Now log out, maybe reboot. (Sometimes it is needed, sometimes not, depending on how quickly the Mac picks up the new AD binding.)
  • Log in using the new user’s shortname. It should ask whether to create a mobile account; create one.
  • You will most likely be asked to update the keychain password: the login keychain is still protected by the old local password, so the user has to enter it once when prompted. If the old password is unknown, the only option is a new login keychain, and the saved passwords in the old one are lost.
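The terminal part of the list above as one script, added here as an example and not taken from the original post. It assumes a local account “alice”, an AD shortname “jdoe” and an admin group “EXAMPLE\Mac Admins”; the DRY_RUN and USERS_DIR knobs exist only so the script can be rehearsed. It refuses to run unless both names are plain shortnames (no “DOMAIN\”, no “user@fqdn”), the old local account is already gone, the AD name resolves, and the target folder does not exist yet, which are exactly the conditions under which the rename actually gets picked up at the next login.

```shell
#!/bin/sh
# Added example, not part of the original post. Run as the *other* local admin
# user, after the local account was deleted and the Mac is bound to the domain.
# Assumed names: local account "alice", AD shortname "jdoe", group "EXAMPLE\Mac Admins".
# DRY_RUN=1 only prints the commands; USERS_DIR can be overridden for rehearsals.
set -eu

USERS_DIR="${USERS_DIR:-/Users}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only a plain shortname: no "DOMAIN\", no "user@fqdn", no path pieces.
valid_shortname() {
  case "$1" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Refuse to touch anything unless the folder rename is unambiguous.
preflight() {
  old="$1"; new="$2"
  valid_shortname "$old" && valid_shortname "$new" \
    || { echo "use plain shortnames, without domain or FQDN" >&2; return 1; }
  [ "$old" != "$new" ] || { echo "old and new name are identical" >&2; return 1; }
  [ -d "$USERS_DIR/$old" ] || { echo "no home folder $USERS_DIR/$old" >&2; return 1; }
  [ ! -e "$USERS_DIR/$new" ] || { echo "$USERS_DIR/$new already exists" >&2; return 1; }
  if [ "$DRY_RUN" != "1" ]; then
    # The local account must already be deleted (dscl record gone), and the AD
    # shortname must resolve; if "id" fails, the binding is not active yet.
    ! dscl . -read "/Users/$old" >/dev/null 2>&1 \
      || { echo "local account $old still exists; delete it first" >&2; return 1; }
    id "$new" >/dev/null 2>&1 \
      || { echo "$new does not resolve; is the Mac bound to the domain?" >&2; return 1; }
  fi
}

# The mv and chown steps: rename the folder and hand every file to the AD user.
migrate_home() {
  preflight "$1" "$2" || return 1
  run mv "$USERS_DIR/$1" "$USERS_DIR/$2"
  # -R matters: every file underneath still carries the old local UID.
  run chown -R "$2" "$USERS_DIR/$2"
}

# The Directory Utility checkboxes and the admin-group setting, done with
# dsconfigad instead of the GUI (needs root).
configure_ad() {
  run dsconfigad -mobile enable
  run dsconfigad -mobileconfirm enable
  run dsconfigad -groups "$1"
}

# Usage: sudo sh migrate.sh alice jdoe 'EXAMPLE\Mac Admins'
if [ "$#" -eq 3 ]; then
  migrate_home "$1" "$2"
  configure_ad "$3"
fi
```

`dsconfigad -mobile`, `-mobileconfirm` and `-groups` are the command-line equivalents of the Directory Utility settings described in the list; the keychain prompt at the first login stays interactive and is not covered by the script.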

That’s it: enjoy your migrated home folder and settings. You shouldn’t notice any difference besides the new password 😉 One thing did change under the hood, though: the account now has a different UID, so files outside the home folder that still belong to the old local user (in /Users/Shared, on external disks, in cron jobs) keep their old owner and need a chown of their own.

One note: the migrated user is a standard user without administrative rights. If you need to give him/her or an administrator group admin rights, you can do this in Directory Utility as well (Active Directory settings, “Allow administration by”). Single users won’t work there, only groups, written like this: DOMAINNAME\groupname.

All the best.
