Migrating Macs in a Domain Migration

Your Active Directory migration is going great.  You've got 1,000 workstations that you've been churning through smoothly using ADMT.  Every night you knock down another set, and you're on target to finish by the end of the month.  Except for one thing, the marketing department doesn't use Windows.  They've got Macs because, well, Marketing right? Now you've got to migrate those Macs from the source domain to the target domain and you have no idea how to do it.  Does OSX even do Active Directory?  Well fear not friend, because I have a process below the break to get you out of the valley of the shadow of OSX and into the light.

To answer my own question, yes OSX does understand Active Directory.  Well sort of.  It understands OpenLDAP, and Active Directory is OpenLDAP compliant.  So you can join your Mac to a domain and log in using Active Directory accounts and all that jazz.  But it's not Windows and the tools you would use to migrate a Windows workstation do not apply here.

What you need to know is that when an Active Directory user logs onto a Mac, a local profile is created and associated with the network user via a UID.  The local profile and settings are stored in the /Users/sourceUsername directory.  Remember that OSX is based on Open BSD and the file system and commands are very much like Linux.  In order to move the Mac to a new domain and maintain all the user settings, you'll need to copy the content out of the /Users/sourceUsername directory to the /Users/targetUsername directory and then take ownership.  If the source and target usernames are the same, then you will need to copy that /Users/sourceUsername directory to a temporary location and delete the directory so it can be recreated after the migration.

Here is a general outline of the steps required:

  1. Use ADMT or other tool to migrate the user account
  2. Log all users out of the Mac
  3. Login as a local administrator
  4. Open a terminal window
  5. Elevate to root using: sudo su -
  6. Enter local admin password
  7. Create a temporary directory: mkdir /tempProfiles
  8. Copy user home directories to temporary directory
    cp -Rv /Users/sourceUsername /tempProfiles/sourceUsername
  9. Remove the user from the Mac and delete their home directory in System Preferences->Users & Groups
  10. Remove the domain membership from the source domain in System Preferences->Users & Groups -> Login Options
  11. Add domain membership to target domain
  12. Add mobile account creation
    In Directory Utility under Active Directory Advanced Options, Create Mobile Account
  13. Have each user log in with their target username and then log out
  14. Log back in with local admin
  15. Open a terminal window
  16. Elevate to root using: sudo su -
  17. Copy temp files to user directories
    /bin/cp -Rvf /tempProfiles/sourceUsername /Users/targetUsername
  18. Update directory permissions
    chown -Rv targetUsername /Users/targetUsername
  19. Enable File Vault Access (if used)
    System Preferences->Security and Privacy->FileVault->Enable User
  20. Restart Mac
This assumes that the source username and target username are the same.  If they are not, then you can leave the old user profile in place and copy its contents to the new one.  The important bit is the chown command that grants the new account ownership of the contents of the profile.  The process needs to be repeated for each user who logs into that Mac.  I'll be the first to say that this is a manual process, and it could be partly scripted.  But you do need a the target user to log in once to have its account assigned a local UID for security.  Otherwise that chown command won't work.

You didn't expect something on a Mac to be easy did you?

Labels: , , ,