Centrify DirectControl on Mac OS X 10.6 and higher
Problem:
Converting local users to Active Directory users simplifies account management, but requires you to take some steps manually.
On Mac OS X computers, the local account database is always checked for authentication before Active Directory. If a local user has the same username as an Active Directory user, the local user account is used for authentication. If the local user’s password differs from the Active Directory user’s password, the local user password is required for authentication to succeed, whether logging on at the Mac login window or remotely (for example, using telnet or ssh). Although authentication succeeds, Access Manager will generate a username conflict warning.
In most cases, you should remove or convert local user accounts to avoid conflicts between Active Directory and local user accounts and to ensure Active Directory password and configuration policies are enforced. If you need to keep local user accounts, you should ensure the logins are distinguishable from Active Directory accounts.
How can I convert a local account to an Active Directory user account?
Answer:
- Log in to the Mac as a local administrator.
- Open a Terminal window and run the following Directory Service command to delete the user’s record (with username replaced by the local name of the user on the Mac):
    sudo dscl . -delete /Users/username
- View the contents of the /Users directory.
- If the home directory is not /Users/ad_username, rename the home directory so that it matches the username of the target account. In the Terminal, enter the following command (where username is replaced by the name of the local user on the Mac and ad_username is the username of the AD user):
    sudo mv /Users/username /Users/ad_username
- Change the ownership of the user's home directory:
    sudo chown -R ad_username /Users/ad_username
- Use adquery to view the UID for ad_username:
    adquery user -u ad_username
- List the contents of /Users and make sure that the change of ownership actually took effect (the numeric owner shown for the home directory should match the UID reported by adquery):
    ls -ln /Users
- Log in as the AD user.
- If needed, choose Update Keychain Password.
- Test that the account can access the home folder and open files.
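The steps above as one shell script, added here as an example and not Centrify's own tooling. USERS_ROOT and DRY_RUN are my own knobs (DRY_RUN=1 prints the privileged commands instead of running them), and the script assumes `adquery user -u NAME` prints only the numeric UID.

```shell
#!/bin/sh
# Added example (not Centrify's code): scripts the local-to-AD conversion steps.
# Assumptions not in the article: USERS_ROOT and DRY_RUN are this script's own
# knobs, and `adquery user -u NAME` is assumed to print only the numeric UID.
USERS_ROOT="${USERS_ROOT:-/Users}"   # where home folders live
DRY_RUN="${DRY_RUN:-0}"              # 1 = print privileged commands instead of running them
# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}
# Numeric owner UID of a path (BSD stat on macOS, GNU stat elsewhere).
home_owner_uid() {
  stat -f %u "$1" 2>/dev/null || stat -c %u "$1"
}
# convert_local_to_ad LOCAL_USER AD_USER
convert_local_to_ad() {
  local_user="$1"
  ad_user="$2"
  [ -n "$local_user" ] && [ -n "$ad_user" ] || { echo "usage: convert_local_to_ad LOCAL_USER AD_USER" >&2; return 2; }
  if [ ! -d "$USERS_ROOT/$local_user" ]; then
    echo "no home directory $USERS_ROOT/$local_user; refusing to continue" >&2
    return 1
  fi
  # 1. Delete the local Directory Service record so the AD account answers for the name.
  run sudo dscl . -delete "/Users/$local_user"
  # 2. Rename the home folder to match the AD username, if they differ.
  if [ "$local_user" != "$ad_user" ]; then
    run sudo mv "$USERS_ROOT/$local_user" "$USERS_ROOT/$ad_user"
  fi
  # 3. Hand the home folder to the AD account.
  run sudo chown -R "$ad_user" "$USERS_ROOT/$ad_user"
  # 4. Confirm ownership took: compare the on-disk owner UID with what adquery reports.
  if [ "$DRY_RUN" != "1" ]; then
    expected="$(adquery user -u "$ad_user")"
    actual="$(home_owner_uid "$USERS_ROOT/$ad_user")"
    if [ "$expected" != "$actual" ]; then
      echo "ownership check failed: adquery says $expected, $USERS_ROOT/$ad_user is owned by $actual" >&2
      return 1
    fi
  fi
  echo "converted $local_user -> $ad_user; log in as $ad_user and update the keychain password if asked"
}
if [ $# -ge 2 ]; then convert_local_to_ad "$1" "$2"; fi
```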