Mobile accounts question

jhuls
Contributor III

We're in the middle of a domain migration and I know there are some systems with accounts that weren't set up as mobile. Is it possible to detect and convert those?

2 REPLIES

guidotti
Contributor II

Check out this thread: https://www.jamf.com/jamf-nation/discussions/4502/remove-old-mobile-accounts

Like @cbrewer and @tlarkin say there: "If it is a mobile AD account, it will create a local account and give it a UID of greater than 1,000..."
You should be able to craft an extension attribute to detect the non-mobile accounts that way.

mm2270
Legendary Contributor III

There isn't a way to "convert" local to mobile accounts, but they can be recreated as mobile accounts and the data migrated to the new account or the home dirs swapped. Meaning, the old "local" account home folder can be renamed to something else and the local directory services account deleted. Then the actual domain-based mobile account can be created using the createmobileaccount binary in the OS. Next, the new empty home directory can be removed and the original home directory renamed back to match up with the AD cached mobile account, making sure permissions are set correctly on it.

It's a process, and of course it's tricky to do all this if someone is logged into said account. Not a good idea obviously since you are removing/renaming things and such.

I would search around here on JN for other posts on the topic. Some folks have come up with advanced workflows for doing all this. You're not the first person to need to do this.

As for detecting these accounts, I would look at an Extension Attribute maybe to grab the local accounts, excluding any known "IT" admin accounts that might be on them. Local accounts have UIDs below 1000 as well as other distinct differences from cached mobile accounts.
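Added example (not part of any post in this thread): a sketch of the extension attribute both replies describe, using the UID ranges they mention. The `EXCLUDE` account names are hypothetical, the lower bound of 501 assumes macOS's usual starting UID for regular local users, and the sample `dscl` listing is constructed so the script can be tried off a Mac.

```shell
#!/bin/sh
# Extension attribute sketch: report local (non-mobile) accounts by UID range.

# Known IT admin accounts to ignore (hypothetical names, adjust per site).
EXCLUDE="itadmin jamfmanage"

# Reads "shortname uid" pairs on stdin (the format printed by
# `dscl . -list /Users UniqueID`) and prints matching names, space-separated.
find_local_accounts() {
    awk -v exclude="$EXCLUDE" '
        BEGIN {
            n = split(exclude, names, " ")
            for (i = 1; i <= n; i++) skip[names[i]] = 1
        }
        # 501-999: regular local accounts. Lower UIDs are system or service
        # accounts; UIDs above 1000 are cached mobile (AD) accounts per the thread.
        $2 ~ /^[0-9]+$/ && $2 >= 501 && $2 < 1000 && !($1 in skip) {
            out = out (out ? " " : "") $1
        }
        END { print out }
    '
}

# Wraps the result in the <result> tags Jamf expects from an extension attribute.
ea_result() {
    found=$(find_local_accounts)
    if [ -n "$found" ]; then
        echo "<result>$found</result>"
    else
        echo "<result>None</result>"
    fi
}

# Constructed sample of `dscl . -list /Users UniqueID` output.
SAMPLE='_www                    70
root                    0
nobody                  -2
itadmin                 501
jsmith                  502
alee                    503
mjones                  1843920113'

# On a managed Mac, replace this line with: dscl . -list /Users UniqueID | ea_result
printf '%s\n' "$SAMPLE" | ea_result
```

A smart group on this attribute not being "None" then lists the Macs that still have local accounts to recreate as mobile accounts.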