In most environments, you can map local user accounts to Active Directory accounts to manage the passwords for local users using your Active Directory password policies. Although you can map local Mac OS user accounts to Active Directory accounts with the User Map group policy, Mac OS users can still log on (through the Mac login window, or remotely by using ssh) by using their local account password, so you cannot effectively use Active Directory to enforce your password policies for local Mac OS user accounts.
To enforce Active Directory password policies for Mac users, you need to delete the local user accounts to prevent those local account names and passwords from being used to log on.
There are different ways to delete local accounts, and the method you choose determines how those users' home directories are handled. To delete local user accounts on Mac computers, do one of the following:
- Click System Preferences > Accounts, select the account and click the minus (-) sign, then click OK. Deleting the user account in this way moves the local user's home directory to /Users/Deleted Users/localuser.dmg, and the user account and home directory are made inactive. If you click Delete Immediately instead of OK, the home directory will not be saved in the
- Open a Terminal window and run the following Directory Service command to delete the user’s record:
dscl /Local/Default -delete /Users/userName
userName is a local user; for example, to delete the record for cain:
dscl /Local/Default -delete /Users/cain
Deleting the user account in this way leaves the user’s home directory in place. If the Active Directory user you enable for UNIX is configured with the same UID and GID as the deleted local user, the Active Directory user will assume ownership of the home directory.
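The following script is an added example, not part of the original page or of any vendor tool, showing how an administrator can review the local accounts on a Mac before removing them with the dscl command above. It parses the output format of dscl /Local/Default -list /Users UniqueID (one "name UID" pair per line) to list the interactive local accounts, to check whether a given UID is already held by a local account (the condition under which the Active Directory user takes over the home directory), and to print the delete commands as a dry run rather than executing them. The directory listing embedded in SAMPLE_USERS is a constructed sample so the script runs on any POSIX system with awk; the UID threshold of 501 is the assumption that macOS allocates interactive accounts from that value upward.

```shell
#!/bin/sh
# Added example (not from the original page): audit local macOS accounts
# before deleting them so that only Active Directory credentials remain.
# `dscl /Local/Default -list /Users UniqueID` prints "name UID" per line;
# SAMPLE_USERS is a CONSTRUCTED sample of that output so the functions can
# be exercised without touching a real directory service.
SAMPLE_USERS='root 0
nobody -2
_mbsetupuser 248
cain 501
alice 502'

# Interactive (non-system) local accounts. Assumption: macOS assigns UIDs
# from 501 upward to accounts created in System Preferences.
local_human_accounts() {
  printf '%s\n' "$1" | awk '$2 >= 501 { print $1 }'
}

# Name of the local account that already uses a given UID, if any.
# Check this before enabling an AD user for UNIX with that UID: a matching
# local UID/GID is what lets the AD user take over the existing home directory.
local_account_with_uid() {
  printf '%s\n' "$1" | awk -v uid="$2" '$2 == uid { print $1 }'
}

# Render the dscl delete command from the text for each interactive account
# without running it, so the plan can be reviewed before anything changes.
plan_deletions() {
  for name in $(local_human_accounts "$1"); do
    printf 'dscl /Local/Default -delete /Users/%s\n' "$name"
  done
}

# Stand-alone usage: show the deletion plan for the sample directory.
plan_deletions "$SAMPLE_USERS"
```

To run it against a real Mac, replace the sample with the live listing, for example by passing "$(dscl /Local/Default -list /Users UniqueID)" to plan_deletions, and only execute the printed commands after confirming that each account's UID and GID match the Active Directory user that should inherit its home directory.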