
Mac local to AD account conversion

Is there a quick and easy way to convert Mac OS X local user accounts to authenticate from Active Directory instead of the local Mac user account?


I am working on a project for a new company where I have discovered that the computers that have been set up so far have been set up with local user accounts that have the exact same name as the user’s Active Directory logon account.


The problem is that whenever users on these Macs log on to their Macs using their Active Directory username and password they are in fact being logged in and authenticated by the Mac OS X operating system instead of being authenticated by the Active Directory domain servers.


This presents obvious security problems as well as creating other problems such as when users change their local Mac user account passwords these passwords aren’t updated in Active Directory.


I am hoping that there is a quick and easy way (or a utility or method) that will allow us to change all of these local Mac OS X user accounts so that they have to contact the Active Directory domain controllers to be authenticated.


All of these Macs were added to the Active Directory domain before these local accounts were created.


Is this possible or do all of the existing local user accounts need to be renamed (and the data and settings copied) so that the users will be able to log on using their Active Directory user names and passwords?


Or what other methods, utilities, or apps are available to fix this issue?

iMac, OS X Mavericks (10.9.3), Mac local & AD account logon

Posted on Jun 11, 2014 10:11 AM

5 replies

Jun 11, 2014 2:45 PM in response to Drew Reece

This looks like a good article.


The main question that I have is that the article mentions adding the Mac computer to the Active Directory domain.


For the Macs I will be performing this repair on each one is already joined to the Active Directory domain.


So can I follow these steps and just skip the part about adding the Mac to the Active Directory domain, or will I need to remove the Mac computer from the domain first just so that I can follow all of these steps?


I would prefer to leave the Mac computers on the domain if possible without having to remove and re add them back to the domain.


Please let me know how this works.

Jun 11, 2014 3:35 PM in response to apple1242b

I think this is a job for a shell script.


There are older examples around, but you need to test (a lot)…

http://macadmincorner.com/migrate-local-user-to-domain-account/


I have a feeling that script requires interaction so you may need to do each one in turn (ugh).

There will be many changes since that was written so clone a test machine to practice on.


Do you have a way to run the script on each Mac? Apple Remote Desktop will do it if you setup the clients.

Otherwise a '.command' file is a 'double-clickable' shell script if you can stand a lot of logging in as admin on each Mac.


There must be a more recent script example around (sorry more google needed).


I think the Apple steps will be OK if bound to AD. If you script the process 'dscl' will be deleting from the local directory node (a.k.a. '.') so it shouldn't affect AD.


It looks like line 82 is where the script does that after gathering a lot of data to filter the correct users to delete.


I can try helping if nothing else turns up, but this strikes me as something that has been solved before if we can only find it.
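A scripted version of the procedure described in the reply above, written as an added example for this thread; it is not the macadmincorner script and was not posted by anyone here. It assumes the Mac is already bound, that it is run as root with the target user logged out, that the AD node is called "/Active Directory/EXAMPLE/All Domains" (check yours with `dscl localhost -list "/Active Directory"`), and that one local admin named "localadmin" must survive so you can still log in if AD is unreachable; all of those names are placeholders. The deletion uses node "." only, so it cannot touch the AD record, and setting DRY_RUN=1 prints the privileged commands instead of running them so you can inspect the plan on a cloned test machine first.

```shell
#!/bin/sh
# migrate_local_to_ad.sh (added example, not the thread's or the linked script)
# Convert a local OS X account into the same-named Active Directory account
# on a Mac that is already bound. The local record is deleted from the LOCAL
# node only ('.'), the home folder is kept and re-owned to the AD identity.
# Run as root while the target user is logged OUT. DRY_RUN=1 prints the
# privileged commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
# Assumption: replace EXAMPLE with your domain's node name.
AD_NODE="${AD_NODE:-/Active Directory/EXAMPLE/All Domains}"
# Assumption: the one local admin that must never be migrated away.
KEEP_LOCAL_ADMIN="${KEEP_LOCAL_ADMIN:-localadmin}"

# Execute a command, or just print it when dry-running.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a plain short name; refuse system accounts (root, _service),
# anything with shell metacharacters, and the local admin we want to keep.
validate_shortname() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|_*|root|daemon|nobody) return 1 ;;
  esac
  [ "$1" != "$KEEP_LOCAL_ADMIN" ]
}

# Migrate one user. The pre-checks (logged out, AD knows the name, a local
# record actually exists) run before anything is deleted.
migrate_user() {
  u="$1"
  home="/Users/$u"
  validate_shortname "$u" || { echo "refusing to migrate '$u'" >&2; return 1; }
  if [ "$DRY_RUN" != "1" ]; then
    # 1. A live session must not be migrated out from under the user.
    if who | awk '{print $1}' | grep -qx "$u"; then
      echo "$u is logged in; log them out first" >&2; return 1
    fi
    # 2. Does the bound AD node resolve this short name? (non-zero if not)
    ad_uid=$(dscl "$AD_NODE" -read "/Users/$u" UniqueID 2>/dev/null | awk '{print $2}') || true
    if [ -z "$ad_uid" ]; then
      echo "no AD record for $u; is this Mac bound to $AD_NODE?" >&2; return 1
    fi
    # 3. Is there a local record to replace at all?
    if ! dscl . -read "/Users/$u" >/dev/null 2>&1; then
      echo "no local record for $u" >&2; return 1
    fi
    # 4. Keep the local record for rollback.
    dscl . -read "/Users/$u" > "/var/root/$u.local-record.$(date +%s).txt"
  fi
  # 5. Delete the LOCAL record only. dscl's '.' node is the local directory;
  #    the home folder is left in place.
  run dscl . -delete "/Users/$u"
  # 6. Re-own the home folder. After the deletion the short name resolves
  #    through the AD node, so chown by name picks up the AD UID/GID.
  run chown -R "$u" "$home"
  # 7. Optional: cache the AD account so the user can log in off-network.
  run /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n "$u"
  # 8. Verify: 'id' must now report the AD UID, not a 5xx local UID.
  run id "$u"
}

# usage: sudo DRY_RUN=1 ./migrate_local_to_ad.sh jdoe asmith   (review the plan)
#        sudo ./migrate_local_to_ad.sh jdoe asmith             (do it)
[ $# -gt 0 ] || echo "usage: sudo $0 shortname [shortname ...]" >&2
for u in "$@"; do migrate_user "$u"; done
```

Two things the script does not fix and you should check per machine: the user's login keychain still carries the old local password, so expect the "keychain password does not match" prompt on first AD login, and if FileVault 2 is on, compare `fdesetup list` before and after, because the deleted local record's FileVault enablement does not follow the AD identity automatically. Apple Remote Desktop can push this to every Mac with DRY_RUN=1 first and collect the printed plans before you run it for real.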
