Updated MigrateADMobileAccounttoLocalAccount script now available to fix migration bug


A couple of years back, I wrote a script to assist with migrating AD mobile users to local users. In my testing in 2016, everything seemed to work right and I didn’t see any problems with it on OS X El Capitan.

Fast forward a couple of years and a colleague of mine, Per Oloffson, began running into a weird problem with upgrading Macs from Sierra to High Sierra. When he upgraded Macs from macOS Sierra to macOS High Sierra, he was finding that Macs that had been migrated from AD mobile accounts to local accounts were having those same accounts break.

After a considerable amount of troubleshooting, he was able to narrow it down to the macOS High Sierra installer changing the password hash on those accounts. But why was it changing them?

In short, it was changing them because of a bug in my original MigrateADMobileAccounttoLocalAccount.command interactive migration script. Sorry, Per. For more details, please see below the jump.

The problematic sections are highlighted below. When the script backed up the AD mobile account’s password hash and then restored it, it was adding a single quote to the beginning and to the end of the password hash string.

[Screenshot: Screen Shot 2018 06 15 at 7 32 06 PM, problematic sections of the script highlighted]

The password hash string should have looked like this:

[Screenshot: Screenshot 2018 06 15 13 31 17, correct password hash string]

Instead, it looked like this:

[Screenshot: Screenshot 2018 06 15 13 31 18, password hash string with stray single quotes]

The odd part of the situation is that macOS Sierra was seemingly OK with the extra characters in the password string. It wasn’t until the macOS High Sierra installer re-checked and altered the account plist that the problem occurred.

To fix the migration process, I’ve updated the script to handle the account password backup and restoration process more carefully. The backup step now queries dscl for the correct XML output and restores the hash from that output, which should address the problem with the script.

[Screenshot: Screen Shot 2018 06 15 at 7 55 24 PM, updated backup and restore section of the script]

In my testing, the password hash is now appearing correctly in the account’s plist file.

[Screenshot: Screen Shot 2018 06 15 at 8 23 03 PM, password hash appearing correctly in the account plist]
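As an added illustration of the check that would have caught this bug, here is a small shell sketch (my example, not the migration script’s own code). It assumes a constructed, fake `dscl -plist` ShadowHashData read, and the function names are hypothetical: it pulls the hash out of the plist as one contiguous hex string and refuses to hand back anything that is not pure hex, so a value wrapped in stray quotes never gets written back to the account.

```shell
#!/bin/sh
# Constructed sample of `dscl -plist . -read /Users/<user> ShadowHashData`
# output. The hash bytes are fake and far shorter than a real attribute.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>dsAttrTypeNative:ShadowHashData</key>
	<array>
		<string>62706c69 73743030 d101025f 10140000</string>
	</array>
</dict>
</plist>'

# Read the plist on stdin and return the hash as one contiguous hex string:
# take the <string> element and drop the whitespace between byte groups.
extract_shadow_hash() {
    sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | tr -d ' \t\n'
}

# Accept only a non-empty, even-length, lowercase hex string. Stray quotes
# (the bug described above), leftover XML tags or an empty read all fail.
is_valid_shadow_hash() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f][0-9a-f])+$'
}

# Backup step: print the validated hash, or return non-zero so the caller
# aborts instead of running `dscl ... -create ShadowHashData` with bad data.
backup_shadow_hash() {
    hex=$(extract_shadow_hash)
    is_valid_shadow_hash "$hex" || return 1
    printf '%s' "$hex"
}

# Demonstration: the clean value passes, the quoted value does not.
good=$(printf '%s\n' "$SAMPLE_PLIST" | backup_shadow_hash)
echo "backed up hash: $good"
bad="'$good'"
if is_valid_shadow_hash "$bad"; then
    echo "quoted hash accepted (this is the bug)"
else
    echo "quoted hash rejected before restore"
fi
```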

Testing

This script has been tested and verified to migrate AD mobile accounts to local accounts on the following versions of macOS:

  • macOS 10.13.5

In that testing, I did the following:

Testing on logged-in AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I rebooted and verified that I could log in at the OS login window.
  4. I changed the password for the local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Testing on logged-out AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the VM using a local account which was not the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I logged out and verified that I could log in at the OS login window with the just-migrated account.
  4. I changed the password for the newly-migrated local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Note: I did not test with FileVault-enabled accounts.

Advisory: Older versions of OS X and macOS were not tested and I have no idea if the script will work on those older OS versions.

Warning: I was able to test in my shop’s AD environment and verified that everything worked. That does not guarantee it will work in your environment. Test thoroughly before deploying in your own AD environment.

The updated script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account
