Preserving user's home folder and settings after Centrify to Casper Migration

Sachin_Parmar
Contributor

Hi All,

We're currently in the phase of moving away from Centrify to Casper and use a script that basically, removes the AD object from the machine, with a service account. Then utilises the Centrify Uninstall script and force uninstalls centrify with no interaction, after the uninstallation is finished we install Casper via the QuickAdd.pkg created in recon and a couple of custom written prompts to re-name the machine to a new naming convention then update the Inventory database. The Mac is rebound to the domain via an enrollment policy based on the naming convention smart group. So the machine side for us is fine.

My question comes now when migrating the users profile what is the best way to migrate the users profile and keep the data and preferences in tact, what i've been doing is playing with the following command:

sudo chown -R firstname.lastname:'DomainDomain Users' /Users/firstname.lastname

The user then logs into the Mac for the first time after being bound with Casper, on some instances i'm seeing OS X would like to repair library prompt and other times this works first time when the user logs in and data is there, so are there any other methods.

Any ideas on a full proof solution?

Regards,

Sachin

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II
Honored Contributor II

Yes, step 4 is the correct next step to get the permissions reset on the user's home folder.

View solution in original post

10 REPLIES 10

matt_hankerson
New Contributor

Test

stevewood
Honored Contributor II
Honored Contributor II

@Sachin_Parmar that's basically the method I used when changing domains. I took a further step and removed the user from the local database on the machine so that I made sure the proper UID was assigned to the account:

dscl . delete /Users/$loggedInUser

And I would use the UID of the account and the PrimaryGroupID when setting the permissions (I think I stole this from @bentoms. Thanks Ben!):

###
# Get the Active Directory Node Name
###
adNodeName=`dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users groups Numeric ID
###

domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain Users | grep PrimaryGroupID | awk '{ print $2}'`

accountUniqueID=`dscl "$adNodeName" -read /Users/$loggedInUser 2>/dev/null | grep UniqueID | awk '{ print $2}'`


chown -R $loggedInUser:$domainUsersPrimaryGroupID /Users/$loggedInUser

And if that doesn't work, you may need to create the mobile account before they login:

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n $loggedInUser

Sachin_Parmar
Contributor

Thanks @stevewood I'll give this a try.

The mobile account i'm creating ovbiously as the configuration i've set via the Casper Directory Binding's where it creates the mobile account at login, but I don't want to log the user in for it to create a new home folder. So to put your info into a script it would look a little something like:

#!/bin/sh

loggedInUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

dscl . delete /Users/$loggedInUser

###
# Get the Active Directory Node Name
###
adNodeName=`dscl /Search read /Groups/Domain Users | awk '/^AppleMetaNodeLocation:/,/^AppleMetaRecordName:/' | head -2 | tail -1 | cut -c 2-`

###
# Get the Domain Users groups Numeric ID
###

domainUsersPrimaryGroupID=`dscl /Search read /Groups/Domain Users | grep PrimaryGroupID | awk '{ print $2}'`

accountUniqueID=`dscl "$adNodeName" -read /Users/$loggedInUser 2>/dev/null | grep UniqueID | awk '{ print $2}'`

chown -R $loggedInUser:$domainUsersPrimaryGroupID /Users/$loggedInUser

stevewood
Honored Contributor II
Honored Contributor II

Well @Sachin_Parmar, if you're not logging the user in, the loggedInUser bit will not work for you since there is no user logged in. You will need another way to read the user that owns the machine. You could use dscl to grab the user names of anyone that has logged in on that machine and then reset the permissions on them.

Sachin_Parmar
Contributor

Well the user already has a home folder that would be the called the same if they were to log in via AD bound after casper policies.

For example,

AD Username - sachin.parmar
Users homefolder created when bound via Centrify - /Users/sachin.parmar

  1. Mac is on Centrify and the current user is sachin.parmar and has home folder called /Users/sachin.parmar
  2. Admin currently runs automation script to remove AD Bind, Centrify and join Casper, which then Binds back to AD natively at enrollment complete.
  3. At this point the current owner of the /Users/sachin.parmar folder is sachin.parmar:wheel
  4. Before sachin.parmar logs into the machine, I need to change the ownership to sachin.parmar:'DomainDomain Users' by running:
sudo chown -R sachin.parmar:'DomainDomain Users' /Users/sachin.parmar

After step 4, in theory all the data in /Users/sachin.parmar should be preserved and I should now be able to log in as sachin.parmar, is my understanding correct?. Step 4 is basically where it's a bit of a grey area at the moment.

I'm happy for our admins to run this step manually rather than having it automated.

stevewood
Honored Contributor II
Honored Contributor II

Yes, step 4 is the correct next step to get the permissions reset on the user's home folder.

ITOpsJAMF
New Contributor

New to these forums as well as Casper.

Im running into some issues with this topic. We too are migrating from Centrify to Casper. I have a similar script running outlining the steps above (unbind, uninstall Centrify, and join Casper. Rebind happens at enrollment)

When I run step 4 above, terminal accepts the chown group 'insertmydomainhereDomain Users', however that user account is renamed to a number string (screenshot, see buddha account. Top is permissions prior to Centrify unbind/uninstall, bottom is after removed and Casper installed/bound).
088bdda1991b40a0aeae987d246eedd1

After I login to the buddha account, no permissions were changed, therefor they cant access their files (I assume the number string indicated it can no longer find the buddha user). I have log in & run the command again to actually get the user account (in this case, buddha) associated with the home dir, then sign out.

This method is not ideal, as that would mean we will need interaction with all users to have the added step of having them sign in, then back out vs just running the script in the background and just forcing a restart.

Any insight on this issue or am I just missing something?

Sachin_Parmar
Contributor

@apowell Let me try giving this a shot in our test environment and I'll let you know what I come back with as far as i can tell the -R in the command should provision the ownership correctly to all files and folders. I've not had a problem with user profile. What is the exact command you're running?

Sachin_Parmar
Contributor

@apowell Can you try the following, (based on your scenario) see if it works:

sudo chown -R buddha:'YOURDOMAINDomain Users' /Users/buddha

then try

sudo chown -R buddha /Users/buddha

This article is an intresting read in your scenario article

ronhunter212
New Contributor III

So Im wondering is there a script out there that actually works