
Preserving user's home folder and settings after Centrify to Casper Migration

Hi All,

We're currently in the phase of moving away from Centrify to Casper and use a script that basically removes the AD object from the machine with a service account. It then utilises the Centrify uninstall script and force-uninstalls Centrify with no interaction. After the uninstallation is finished we install Casper via the QuickAdd.pkg created in Recon, plus a couple of custom-written prompts to rename the machine to a new naming convention and then update the inventory database. The Mac is rebound to the domain via an enrollment policy based on the naming-convention smart group. So the machine side for us is fine.

My question comes now when migrating the user's profile: what is the best way to migrate the user's profile and keep the data and preferences intact? What I've been doing is playing with the following command:

sudo chown -R firstname.lastname:'Domain\Domain Users' /Users/firstname.lastname

The user then logs into the Mac for the first time after being bound with Casper. On some instances I'm seeing the "OS X would like to repair Library" prompt, and other times this works first time when the user logs in and the data is there, so are there any other methods?

Any ideas on a foolproof solution?

Regards,

Sachin

SOLVED Posted: by matt.hankerson

Test

SOLVED Posted: by stevewood

@Sachin_Parmar that's basically the method I used when changing domains. I took a further step and removed the user from the local database on the machine so that I made sure the proper UID was assigned to the account:

dscl . delete /Users/$loggedInUser

And I would use the UID of the account and the PrimaryGroupID when setting the permissions (I think I stole this from @bentoms. Thanks Ben!):

###
# Get the Active Directory node name (the value sits on the indented line
# after AppleMetaNodeLocation:, so the leading space is cut off)
###
adNodeName=`dscl /Search read /Groups/Domain\ Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users group's numeric ID
###
domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain\ Users | grep PrimaryGroupID | awk '{ print $2}'`

###
# Get the account's numeric UID from the AD node
###
accountUniqueID=`dscl "$adNodeName" -read /Users/"$loggedInUser" 2>/dev/null | grep UniqueID | awk '{ print $2}'`

# Hand the home folder to the AD account and the Domain Users group
chown -R "$loggedInUser:$domainUsersPrimaryGroupID" /Users/"$loggedInUser"

And if that doesn't work, you may need to create the mobile account before they log in:

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $loggedInUser
SOLVED Posted: by Sachin_Parmar

Thanks @stevewood I'll give this a try.

The mobile account I'm creating obviously, as the configuration I've set via the Casper Directory Binding is where it creates the mobile account at login, but I don't want to log the user in for it to create a new home folder. So to put your info into a script it would look a little something like:

#!/bin/sh

# Name of the console user (empty at the login window)
loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

# Stop on an empty name: "dscl . delete /Users/" and "chown -R : /Users/"
# would act on the wrong record and folder
if [ -z "$loggedInUser" ]; then
    echo "No user is logged in; nothing to migrate" >&2
    exit 1
fi

# Remove the stale local record so the AD UID is used from now on
dscl . delete /Users/"$loggedInUser"

###
# Get the Active Directory node name
###
adNodeName=`dscl /Search read /Groups/Domain\ Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users group's numeric ID
###
domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain\ Users | grep PrimaryGroupID | awk '{ print $2}'`

# Get the account's numeric UID from the AD node
accountUniqueID=`dscl "$adNodeName" -read /Users/"$loggedInUser" 2>/dev/null | grep UniqueID | awk '{ print $2}'`

chown -R "$loggedInUser:$domainUsersPrimaryGroupID" /Users/"$loggedInUser"
SOLVED Posted: by stevewood

Well @Sachin_Parmar, if you're not logging the user in, the loggedInUser bit will not work for you since there is no user logged in. You will need another way to read the user that owns the machine. You could use dscl to grab the user names of anyone that has logged in on that machine and then reset the permissions on them.

SOLVED Posted: by Sachin_Parmar

Well, the user already has a home folder that would be called the same if they were to log in via AD bound after the Casper policies.

For example,

AD Username - sachin.parmar
User's home folder created when bound via Centrify - /Users/sachin.parmar

  1. Mac is on Centrify and the current user is sachin.parmar and has home folder called /Users/sachin.parmar
  2. Admin currently runs the automation script to remove the AD bind and Centrify and join Casper, which then binds back to AD natively when enrollment completes.
  3. At this point the current owner of the /Users/sachin.parmar folder is sachin.parmar:wheel
  4. Before sachin.parmar logs into the machine, I need to change the ownership to sachin.parmar:'Domain\Domain Users' by running:
sudo chown -R sachin.parmar:'Domain\Domain Users' /Users/sachin.parmar

After step 4, in theory all the data in /Users/sachin.parmar should be preserved and I should now be able to log in as sachin.parmar. Is my understanding correct? Step 4 is basically where it's a bit of a grey area at the moment.

I'm happy for our admins to run this step manually rather than having it automated.

SOLVED Posted: by stevewood

Yes, step 4 is the correct next step to get the permissions reset on the user's home folder.

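A scripted version of step 4 that follows stevewood's point about not relying on a logged-in user: it walks every home folder under /Users, looks each name up in the AD node, and uses numeric IDs for the chown. This is an added example, not code from the thread; it assumes the Mac is already bound to AD and that `dscl /Search` can see the domain, and the sample dscl records at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: reset ownership of every migrated
# home folder under /Users to the account's AD UniqueID and the Domain Users
# PrimaryGroupID, with nobody logged in. Assumes the Mac is already bound to
# AD so that `dscl /Search` can see the domain.
# Node path from the Domain Users record: dscl puts a value containing spaces
# on the indented line that follows the AppleMetaNodeLocation: key.
ad_node_from_record() {
    printf '%s\n' "$1" | awk '$1 == "AppleMetaNodeLocation:" { getline; sub(/^ +/, ""); print; exit }'
}
# Value of a single-valued attribute such as UniqueID or PrimaryGroupID.
record_attr() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}
is_numeric() { case "$1" in '' | *[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Print "uid:gid" for a user from its AD record and the group record, or fail.
# Numeric ids sidestep quoting "DOMAIN\Domain Users", and stopping when there
# is no UniqueID keeps a home folder from ending up owned by a bare number.
chown_target() {
    uid=$(record_attr UniqueID "$2")
    gid=$(record_attr PrimaryGroupID "$3")
    is_numeric "$uid" || { echo "no AD UniqueID for $1" >&2; return 1; }
    is_numeric "$gid" || { echo "no PrimaryGroupID for Domain Users" >&2; return 1; }
    printf '%s:%s\n' "$uid" "$gid"
}

# Walk /Users and fix each folder whose name resolves in the AD node.
fix_all_homes() {
    command -v dscl >/dev/null || { echo "dscl not found" >&2; return 1; }
    group_rec=$(dscl /Search read "/Groups/Domain Users") || return 1
    node=$(ad_node_from_record "$group_rec")
    for home in /Users/*; do
        user=${home##*/}
        [ "$user" = Shared ] && continue
        user_rec=$(dscl "$node" -read "/Users/$user" 2>/dev/null) \
            || { echo "skip $home: no AD account named $user"; continue; }
        target=$(chown_target "$user" "$user_rec" "$group_rec") || continue
        echo "chown -R $target $home"
        chown -R "$target" "$home"
    done
}
# Constructed sample records (not real directory output) for a dry run.
SAMPLE_GROUP_REC='AppleMetaNodeLocation:
 /Active Directory/EXAMPLE/example.com
PrimaryGroupID: 1097549313
RecordName: Domain Users'
SAMPLE_USER_REC='RecordName: sachin.parmar
UniqueID: 1097553145'
if [ "${1:-}" = --run ]; then fix_all_homes; fi
```

Run it as root with `--run` on the migrated Mac; without `--run` it only defines the functions and the sample records.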
SOLVED Posted: by apowell

New to these forums as well as Casper.

I'm running into some issues with this topic. We too are migrating from Centrify to Casper. I have a similar script running outlining the steps above (unbind, uninstall Centrify, and join Casper; rebind happens at enrollment).

When I run step 4 above, Terminal accepts the chown group 'insertmydomainhere\Domain Users'; however, that user account is renamed to a number string (screenshot, see buddha account: top is permissions prior to Centrify unbind/uninstall, bottom is after removal and Casper installed/bound).

After I log in to the buddha account, no permissions were changed, therefore they can't access their files (I assume the number string indicates it can no longer find the buddha user). I have to log in and run the command again to actually get the user account (in this case, buddha) associated with the home dir, then sign out.

This method is not ideal, as that would mean we will need interaction with all users to have the added step of having them sign in, then back out, vs just running the script in the background and forcing a restart.

Any insight on this issue or am I just missing something?

SOLVED Posted: by Sachin_Parmar

@apowell Let me try giving this a shot in our test environment and I'll let you know what I come back with. As far as I can tell the -R in the command should provision the ownership correctly to all files and folders. I've not had a problem with the user profile. What is the exact command you're running?

SOLVED Posted: by Sachin_Parmar

@apowell Can you try the following (based on your scenario) and see if it works:

sudo chown -R buddha:'YOURDOMAIN\Domain Users' /Users/buddha

then try

sudo chown -R buddha /Users/buddha

This article is an interesting read in your scenario.
