
Migrating local user account to Active Directory in the year 2024

Hi


I want to migrate my local admin user (with its content) on my MBP M2 to my Microsoft Active Directory user account. I'm currently running them both side by side on my MBP M2.


The local user is less and less useful since corporate services (printing, servers etc.) are tied to AD users only and are not available to local (non-AD) users.


However, there is local stuff (docs, keychains, settings etc.) that I want to move to my AD user account.



In the search of the Holy Grail of Migration I found this discussion from the year 2008.


Migrating local user account to Active Di… - Apple Community


Does this (excellent and easy) guide still apply today? Are there any changes that I should consider? Or has the process changed completely?



The linked guide has OS X 10.4.11 Tiger (!) and my M2 MBP has OS X 14.7 Sonoma, so the difference between the OS X versions is biggus...


Has anyone done or tried this recently? Any comments and Monty Python references are much appreciated.


MacBook Pro 14″, macOS 14.7

Posted on Oct 24, 2024 1:50 AM

4 replies

Oct 24, 2024 5:43 PM in response to Andy St.Ala

Hey there, that is a blast from the past (original author of post).


Generally, yes. The same process applies today. Home folders remain mostly "portable." However... there are some gotchas that were not present back in the day. For example, if you are logged into any cloud services, like OneDrive/Teams, Dropbox, iCloud Desktop, you likely want to log out BEFORE moving the home folder. The reason for this is that many of these tools will define a file system path that includes the user name of the home folder. For example, /Users/origuser/... Also, with FileProvider, it likely makes more sense to simply log out and log in to allow the cloud sync to redo itself. Moving within the boot drive is generally fine, but if you try to copy to another drive, the space required for evicted files is reserved.


Likewise, Keychain will likely fail to migrate. If you are logged in with an Apple ID and you are syncing Keychain to iCloud, then log out of iCloud before moving the home folder and then log back in once you get into the new home folder. If you are not using an Apple ID, and all keychain items are in local items, then make sure you record your passwords before you migrate the home folder. Also, Teams may get wacky if it can't access the keychain so you may need to reset it anyway.


Also, there are Containers and Group Containers which did not exist back in the day. Generally, they move fine (copy can get wacky). Every so often there are issues with Mail.app's container but if you are in corporate, you are likely using Outlook or a browser.


Now, this is where I have to express caution on the continued use of AD binding and mobile accounts. Apple is clearly moving away from this and there are likely going to be some odd issues that arise. If you are managing your devices, you may want to start looking into Platform SSO and the ability to integrate the Mac into your cloud identity provider. If you have Jamf, then Jamf Connect is a viable solution to allow linking of a local account to the cloud IdP.


Hope this is helpful. Again, the basics are understanding pathing and permissions. If the OS is looking for a folder named "newuser," then make it so. If it expects certain permissions, then set them. Again, best to do this from a temp admin account.


What is your favorite color? Blue... no! yellooo
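The "pathing and permissions" advice in the reply above, as an added example (not code from the thread or from either poster): a pre-flight scan that lists the files still pinning the old home path, an ownership check for afterwards, and the move itself as it would be run from a temporary admin account with sudo. The short names `origuser` and `aduser` are placeholders; the sample preference file in the demo is constructed, so the scan part runs on any Unix, while `migrate_home` needs the macOS tools it calls (`dscl`, `diskutil`) and is deliberately not executed by the demo.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for moving a local
# home folder under an AD mobile account, plus the move itself.
# "origuser" and "aduser" are placeholders for the two account short names.

# Print every file under $2 that embeds the old home path $1 (e.g. /Users/origuser).
# Cloud clients, Teams and similar pin absolute paths like this in their
# preferences; each hit is an app to sign out of before the move and back into after.
find_stale_path_refs() {
    old_home=$1
    dir=$2
    # -r recurse, -l file names only, -a treat binary files (binary plists) as text.
    # grep exits 1 when nothing matches; that is the good outcome, so do not fail.
    grep -rla -- "$old_home" "$dir" 2>/dev/null || true
}

# Same scan reduced to a count (0 means nothing is pinned to the old path).
count_stale_path_refs() {
    find_stale_path_refs "$1" "$2" | wc -l | tr -d ' '
}

# Print everything under $2 not owned by user $1. After the move this must
# print nothing, otherwise the new account cannot read its own files.
find_foreign_owned() {
    find "$2" ! -user "$1" 2>/dev/null || true
}

# The move. Run on the Mac, with sudo, from a *temporary* admin account, after:
#  - the AD (mobile) user has logged in once, so its record and an initial
#    /Users/aduser exist, and has logged out again;
#  - cloud clients and iCloud Keychain have been signed out in origuser.
# Not executed by the demo below; it needs macOS tools (dscl, diskutil).
migrate_home() {
    old_user=$1
    new_user=$2
    old_home=/Users/$old_user
    new_home=/Users/$new_user

    # Refuse to move a home folder that is in use.
    if who | awk '{print $1}' | grep -qx -e "$old_user" -e "$new_user"; then
        echo "log out both $old_user and $new_user first" >&2
        return 1
    fi
    # Confirm the directory service knows the new account and where it expects its home.
    expected=$(dscl . -read "/Users/$new_user" NFSHomeDirectory | awk '{print $2}')
    if [ "$expected" != "$new_home" ]; then
        echo "record expects '$expected', not $new_home; fix the record or the script first" >&2
        return 1
    fi
    # Keep the near-empty initial AD home aside rather than deleting it.
    [ -d "$new_home" ] && mv "$new_home" "$new_home.ad-initial"
    mv "$old_home" "$new_home"
    # Re-own everything for the new account, using its own primary group.
    chown -R "$new_user:$(id -gn "$new_user")" "$new_home"
    # Let macOS re-apply the standard home folder permissions and ACLs.
    diskutil resetUserPermissions / "$(id -u "$new_user")"
    # Whatever still references the old path is an app to sign in to again.
    find_stale_path_refs "$old_home" "$new_home"
}

# Demo on constructed data (runs anywhere, no macOS needed): a fake preference
# file that pins the old path, and a clean document that does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Library/Preferences" "$tmp/Documents"
    printf '<plist><dict><key>SyncRoot</key><string>/Users/origuser/OneDrive</string></dict></plist>\n' \
        > "$tmp/Library/Preferences/com.example.cloudsync.plist"
    printf 'nothing pinned here\n' > "$tmp/Documents/notes.txt"
    echo "files pinning /Users/origuser ($(count_stale_path_refs /Users/origuser "$tmp")):"
    find_stale_path_refs /Users/origuser "$tmp"
    rm -rf "$tmp"
}
demo
```

If the AD record should keep pointing at the existing folder instead of renaming it, the alternative is to leave the folder where it is and change the record with `sudo dscl . -change /Users/aduser NFSHomeDirectory /Users/aduser /Users/origuser`, followed by the same `chown -R`; either way, run the scan again from the new account and sign back in to every app it lists.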



Oct 24, 2024 10:40 PM in response to Strontium90

Hi Strontium90!


Thanks for the great answer. And the original post. So basically I can do it with careful work, but there will be some f***s and a couple of NOOOO's, with a slim chance of "that wasn't supposed to happen" and two "haven't seen that before".


Basically I should log out from "everything" from iCloud to O365. Software licenses are OK, except PitStop, which I need to manually deactivate before I do the change. I use Keychain with iCloud, so most of the keychain will be OK; I have to back it up anyway just to be sure.


Good point about the containers, I had forgotten that Tiger didn't have them. I also have to empty OneDrive's local container, which keeps nearly 300 GB of those "cloud storage only" files, to make the transition easier.


Mail is in MS Outlook so no panic there.



So, basically it should be quite straight forward, basic "I will risk everything" type of thing.


About Apple's plans for AD binding etc.; I think I will tackle that when the issue arises. So far everything seems to work OK. This machine is a leased one, so I will get a new one in the future anyway.



Thanks for the comment, I will try the migration in the next few weeks. I will come back and tell how it went.


I have only one question before I go; are you suggesting coconuts migrate?

Oct 28, 2024 7:46 AM in response to Andy St.Ala

I would strongly suggest leveraging something like Xcreds, Jamf Connect, Mosyle Fuse, Kandji Passport, or Jumpcloud rather than kicking the can down the road. If you're just looking for Kerberos tickets to access things like you mentioned, you can also leverage the Kerberos SSO profile. Like strontium90 said, AD binding is a thing of the past. There are lots of quirks with it. I've worked in multiple orgs with printing and servers that were restricted to AD accounts. The Kerberos SSO allows access to these things while keeping the user local.
