change user folder to new domain user

hey guys,


we have a problem for which we need a solution.


We are currently moving users to another domain, but of course we need to keep their data.


But when the user is unbound from the old domain and we bind it to the new domain, it wants to repair the library.


After repairing the library and keychain, I cannot even connect to the user folders like 'Downloads' or 'Documents' because I don't have the permissions.


When I change the permissions for the actual user, which is technically the same because it was just migrated to the new domain.


So what we need is a solution to keep data after binding the new domain.




Thanks for help and sorry for the bad explanation

MacBook Pro with Retina display, OS X El Capitan (10.11.2)

Posted on Jan 19, 2016 8:43 AM


Jan 19, 2016 8:29 PM in response to nemram

You really just need to chown on the user's folder. Here is your issue based on what I understand from your post.


You had a domain server and it contained users. These users had GUIDs associated with their accounts and this GUID was set on all user data. Let's say there was john and mary with GUIDs of 1234 and 5678 respectively. The old server was decommissioned and the users were recreated on a new server. While the names are the same, the accounts got new GUIDs. So john is now 1a3b and mary is 5c7d. You unbound the workstation and bound it to the new server. Ah, your user data is still linked to the old domain account and guid. Plus, you may be having some issues with the cached credentials.


Try this. Should take no more than a few minutes per machine.


1: Unbind from old domain.

2: Delete the user's cached account, NOT THEIR DATA, by logging in as the local admin and going to System Preferences > Users & Groups. Select the user's cached account and press the – button. BE VERY CAREFUL with your selection. Choose Don't Change Home Folder. It does change it, but just in the name.

3: Ok, now the user's attributes that were linked to the old server are gone and the user's data is now orphaned in the /Users folder with no owner.

4: Bind to the new domain server

5: You now can "see" the new users through the domain bind. So set ownership of the home folder (oh, and rename it) to the user's new GUID. Use these commands. Let's assume we are on mary's machine and her old and new short name is mary.


sudo mv /Users/mary\ \(Deleted\) /Users/mary

sudo chown -R mary /Users/mary


When you choose Don't Change Home Folder, Apple renames the home folder but removes the user account attributes. The first command above simply renames the folder from mary (Deleted) back to mary. The second resets ownership of the folder and all its contents to mary from the new domain server.


Log out of the admin and log in as mary. Everything should be exactly as you left it.


Ah, Keychain... If the user's password is the same, you should be fine. If the user's password was changed at the same time the domain servers were migrated, then the user will need to recall her past password to unlock and update the keychain.


Simple and easy. 2 minutes per machine with no data migration.


Reid

Apple Consultants Network

"El Capitan Server – Foundation Services"

"El Capitan Server – Control & Collaboration"

"El Capitan Server – Advanced Services"
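Step 5 of the procedure above as a small script, added here as an example; it is not part of the thread or Reid's post. It wraps the same mv and chown in a few checks a support tech would want before and after: that the short name resolves through the new bind (so chown cannot fail halfway through a large tree), that an existing home is never clobbered, and that nothing under the folder is left with the old owner. It assumes the short name is unchanged and the folder was left as "<name> (Deleted)" by the Don't Change Home Folder option; the users_dir argument exists only so it can be tried on a scratch folder first. On a real machine run it as root (sudo).

```shell
#!/bin/sh
# Added example (not from the thread): re-attach an orphaned home folder to
# the same short name on the new domain, with checks before and after.
# Assumes the Mac is already bound to the new domain and the user's short
# name is unchanged. Run as root on the real machine.

# Numeric owner uid of a path; works with both BSD (macOS) and GNU ls.
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Number of entries under a tree not owned by the given user (0 == done).
foreign_count() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# migrate_home <shortname> [users_dir]
#   1. confirm the new domain account resolves locally (bind is working)
#   2. rename "<users_dir>/<name> (Deleted)" back to "<users_dir>/<name>"
#   3. chown -R to the new account and verify nothing was left behind
migrate_home() {
    user="$1"
    users_dir="${2:-/Users}"
    old="$users_dir/$user (Deleted)"
    new="$users_dir/$user"

    # Step 1: refuse to touch anything if the name does not resolve.
    if ! new_uid=$(id -u "$user" 2>/dev/null); then
        echo "migrate_home: '$user' is not visible to this Mac (check the bind)" >&2
        return 1
    fi

    # Step 2: rename, but never overwrite a home that already exists.
    if [ -d "$old" ]; then
        if [ -e "$new" ]; then
            echo "migrate_home: both '$old' and '$new' exist; resolve by hand" >&2
            return 1
        fi
        mv "$old" "$new"
    elif [ ! -d "$new" ]; then
        echo "migrate_home: no home folder found for '$user' in $users_dir" >&2
        return 1
    fi

    # Step 3: re-own the whole tree, then prove it rather than assume it.
    chown -R "$user" "$new"
    left=$(foreign_count "$new" "$user")
    if [ "$(owner_uid "$new")" != "$new_uid" ] || [ "$left" != "0" ]; then
        echo "migrate_home: $left entries under '$new' still not owned by $user" >&2
        return 1
    fi
    echo "migrate_home: '$new' now owned by $user (uid $new_uid)"
}

# Usage on mary's machine after the new bind:  sudo sh this.sh; migrate_home mary
```

The only addition over the two commands in the post is the verification: `find ! -user` after the chown catches the odd file a resumed copy or a sandboxed app left under a different owner, which is exactly what produces the "no permission on Downloads" symptom in the original question.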

Jan 28, 2016 10:11 AM in response to nemram

I take all the help I can get 🙂 Leo, always contribute.


However, I think the issue Nemram is having is a missing or incorrect attribute on the user's domain account. (This assumes the permissions were addressed)


The one item I don't know is if you are using AD or OD as your domain. I have two suggestions depending on the directory server.


If you are using AD and the machine is AD bound, try unchecking "Use UNC path to derive network home folder" (or sudo dsconfigad -useuncpath disable) in Directory Utility. Then try logging in as the user. Many AD templates will build network home paths for users that contain incomplete network paths. The Mac will attempt to log in to that location but cannot mount it.


If you are using OD, the problem is likely a missing NFSHomeFolder attribute on the user's account. Go into Server.app, right-click on the user and choose Advanced Options... from the contextual menu. What is the value of the Home Folder key? It should be something like /Users/username. If your accounts were created as None - Services only (I still prefer this setup even with the extra work), then the Home Folder value is /dev/null, which is an invalid path.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"
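The same home-folder attribute check from the command line, added as an example that is not from the thread or Reid's post. It reads NFSHomeDirectory for the account through dscl and classifies the value the way the reply describes (a real path, the /dev/null of a services-only account, or nothing at all). The parsing is split out so it can be exercised on constructed dscl output without a directory server; the node paths in the usage comment are placeholders for your own OD or AD node.

```shell
#!/bin/sh
# Added example (not from the thread): check an account's home-folder
# attribute before the user tries to log in. The dscl node paths below are
# placeholders; the sample output used for the offline check is constructed.

# Extract the NFSHomeDirectory value from "dscl <node> -read ..." output.
# dscl prints "NFSHomeDirectory: /Users/mary" on one line, but a value that
# contains spaces is printed as "NFSHomeDirectory:" followed by the value
# on the next line, indented by one space, so both shapes are handled.
home_attr_from_dscl() {
    awk '
        /^NFSHomeDirectory:/ {
            line = $0
            sub(/^NFSHomeDirectory:[ \t]*/, "", line)
            if (line == "") { getline line; sub(/^[ \t]+/, "", line) }
            print line
            exit
        }'
}

# Classify a home value as the reply describes:
#   ok            an absolute path such as /Users/mary
#   services-only /dev/null, i.e. the account was created as "None - Services only"
#   missing       attribute absent or empty
#   relative      set, but not an absolute path (will not mount either)
classify_home() {
    case "$1" in
        "")        echo missing ;;
        /dev/null) echo services-only ;;
        /*)        echo ok ;;
        *)         echo relative ;;
    esac
}

# check_home <node> <shortname>   (exit status 0 only when the value is usable)
#   OD example: check_home "/LDAPv3/od.example.com" mary
#   AD example: check_home "/Active Directory/EXAMPLE/All Domains" mary
check_home() {
    value=$(dscl "$1" -read "/Users/$2" NFSHomeDirectory 2>/dev/null | home_attr_from_dscl)
    state=$(classify_home "$value")
    echo "$2: NFSHomeDirectory='$value' ($state)"
    [ "$state" = "ok" ]
}
```

Run it for the migrated account right after the new bind; a services-only or missing result explains a login that gets past authentication but never lands in the home folder, and points at the Server.app Advanced Options setting above rather than at file permissions.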

Jun 10, 2016 4:42 PM in response to Spirit Service Desk

I just happened to see this so I will pile on.


If your network users are not showing up in System Preferences, you are not using the Mobility payload to create a "mobile home folder," which is the equivalent of a cached account. Your workstations are bound and your accounts are permitted to log in, but you are not caching the account information. Are you using Profile Manager or some other MDM to define Mobility?


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

Jun 13, 2016 11:52 AM in response to Spirit Service Desk

Sorry for the slow response. When a user logs in to a machine she generates two independent elements (this is assuming cached accounts are enabled using AD bind or OD bind with Mobility): the user record and the user data.


The first piece is the cached user credential stored in /var/db/dslocal/nodes/Default/users/. This file will not exist unless the device is configured to cache the user identity. In an AD bind, this caching is automatically enabled. With OD, you must use the Mobility payload, which was also available in MCX. If the mobility payload is not delivered to the machine but the machine is bound to an OD server, and the user has a valid NFSHomeDirectory value, then the user will be granted access to the machine. On login, the second item is created.


The second item is the user's home folder. The data is set to the user's GUID from the domain. This occurs if you are using cached credentials or not.


If you are migrating and don't see user accounts after logging in, then Mobility is not enabled. The benefit of using cached accounts is that the machines can be used without access to the directory domain. If you are deploying laptops but not Mobility, then users will not be able to access the machine unless it is connected to your network. This means the devices can never leave the LAN. The user's home folder will still be created.
