KB-4423: Manually converting a local user to a Centrify Active Directory user on Mac OS X

Centrify Identity Service, Mac Edition

12 April,16 at 11:22 AM

Applies to: Centrify DirectControl on Mac OS X 10.6 and higher

Problem:

Converting local users to Active Directory users simplifies account management, but requires you to take some steps manually.

On Mac OS X computers, the local account database is always checked for authentication before Active Directory. If a local user has the same username as an Active Directory user, the local user account is the one used for authentication. If the local user's password differs from the Active Directory user's password, the local password is the one required for authentication to succeed, whether the user logs on at the Mac login window or remotely (for example, using telnet or ssh). Although authentication succeeds, Access Manager generates a username conflict warning.

In most cases, you should remove or convert local user accounts to avoid conflicts between Active Directory and local user accounts and to ensure that Active Directory password and configuration policies are enforced. If you need to keep local user accounts, make sure their login names are distinguishable from Active Directory accounts.

How can I convert a local account to an Active Directory user account?

Answer:
  1. Log into the Mac as a local admin.
  2. Open a Terminal window and run the following Directory Service command to delete the user's local record (replace username with the local user's name on the Mac):
    • sudo dscl . -delete /Users/username
  3. View the contents of the /Users directory:
    • ls -ln /Users/
  4. If the home directory is not /Users/ad_username, rename it so that it matches the username of the target account. In the Terminal, enter the following command (where username is the name of the local user on the Mac and ad_username is the username of the AD user):
    • sudo mv /Users/username /Users/ad_username
  5. Change the ownership of the user's home directory to the AD user:
    • sudo chown -R ad_username /Users/ad_username
  6. Use adquery to view the UID of ad_username:
    • adquery user -u ad_username
  7. List the contents of /Users again and confirm that the owner UID shown for the home directory matches the UID reported by adquery, so you know the change of ownership actually took effect:
    • ls -ln /Users
  8. Log in as the AD user.
  9. If needed, choose to Update Keychain Password.
  10. Test that the account can access the home folder and open its files.
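As an added example (not a script from Centrify or this KB), the steps above as shell functions with the two checks a practitioner wants: the AD account is resolved with adquery before the local record is deleted, and the step 7 ownership check compares the numeric owner from ls -ln with the UID adquery reported. It assumes macOS with Centrify DirectControl installed and that adquery user -u prints only the numeric UID; the run helper and the DRY_RUN variable are this example's own additions.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: the KB steps as a script with the
# checks an admin wants before deleting a local record. Assumes macOS with
# Centrify DirectControl (dscl, adquery) and that `adquery user -u` prints
# only the numeric UID (an assumption about its output format).
set -eu

# Execute a command, or only print it when DRY_RUN=1 so the sequence can be
# reviewed before anything destructive runs.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Print the numeric owner (field 3 of `ls -ln`) of entry NAME from a listing
# on stdin; fail if NAME is not listed. `ls -ln` shows UIDs, not names, so the
# value can be compared directly with what adquery reports for the AD user.
owner_uid_of() {
  awk -v name="$1" '$NF == name { print $3; found = 1 } END { exit !found }'
}

# Succeed only if directory NAME in LISTING is owned by EXPECTED_UID (KB step 7).
home_owned_by() { # $1 = ls -ln listing, $2 = dir name, $3 = expected uid
  [ "$(printf '%s\n' "$1" | owner_uid_of "$2" 2>/dev/null || true)" = "$3" ]
}

# Steps 2, 4, 5 and 7 of the KB for LOCAL_USER -> AD_USER. The adquery lookup
# (step 6) is done first: if the AD account cannot be resolved, nothing is
# deleted or renamed.
convert_local_to_ad() { # $1 = local username, $2 = AD username
  local_user="$1"; ad_user="$2"
  ad_uid=$(adquery user -u "$ad_user") || {
    echo "cannot resolve AD user $ad_user; aborting before deleting anything" >&2
    return 1
  }
  run sudo dscl . -delete "/Users/$local_user"               # step 2
  if [ "$local_user" != "$ad_user" ] && [ -d "/Users/$local_user" ]; then
    run sudo mv "/Users/$local_user" "/Users/$ad_user"     # step 4
  fi
  run sudo chown -R "$ad_user" "/Users/$ad_user"            # step 5
  # Step 7 (skipped in dry run): confirm the chown took by comparing the
  # numeric owner of the home directory with the AD UID.
  [ "${DRY_RUN:-0}" = "1" ] || home_owned_by "$(ls -ln /Users)" "$ad_user" "$ad_uid"
}
```

Run `DRY_RUN=1 convert_local_to_ad username ad_username` first to see the exact commands that would execute; steps 8 to 10 (logging in as the AD user and checking the keychain) are still done by hand.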
