Mapping local user accounts to Active Directory

In most environments, you can map local user accounts to Active Directory accounts so that the passwords of local users are governed by your Active Directory password policies. Although you can map local Mac OS user accounts to Active Directory accounts with the User Map group policy, Mac OS users can still log on (at the Mac login window, or remotely through telnet or ssh) with their local account password, so mapping alone does not let Active Directory enforce your password policies for local Mac OS user accounts.

To enforce Active Directory password policies for Mac users, you need to delete the local user accounts to prevent those local account names and passwords from being used to log on.

The way you delete a local account determines what happens to that user's home directory. To delete local user accounts on Mac computers, do one of the following:

  • Click System Preferences > Accounts, select the account and click the minus (-) sign, then click OK. Deleting the user account in this way moves the local user's home directory to a disk image at /Users/Deleted Users/localuser.dmg, and the user account and home directory are made inactive. If you click Delete Immediately instead of OK, the home directory is not saved in the /Users/Deleted Users folder.
  • Open a Terminal window and run the following Directory Service command to delete the user’s record:
    dscl /Local/Default -delete /Users/userName

    where userName is a local user; for example, to delete the record for cain:

    dscl /Local/Default -delete /Users/cain

    Deleting the user account in this way leaves the user’s home directory in place. If the Active Directory user you enable for UNIX is configured with the same UID and GID as the deleted local user, the Active Directory user will assume ownership of the home directory.
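The following shell script is an added example, not part of the original page or of the product it documents. It wraps the dscl deletion above with the check a practitioner wants before running it: it reads the UID and GID of the local record and of the Active Directory user (via the /Search node), and only deletes the local record when the two agree, so the Active Directory user actually takes ownership of the home directory instead of leaving it owned by an orphaned UID. The user names and the sample records are constructed for illustration; dscl output is only consulted when the script runs on a Mac.

```shell
#!/bin/sh
# Added example (not from the original page): delete a local Mac OS user record
# with dscl only if the Active Directory user has the same UID/GID, so the AD
# user assumes ownership of the existing home directory.
# Assumptions: user names passed in are hypothetical; sample records below are
# constructed, not captured from a real system.

# Extract one single-valued attribute from "dscl ... -read" output, e.g.
# "UniqueID: 501" -> "501". $1 = attribute name, record text on stdin.
attr_from_record() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Return 0 when the local record and the AD record carry the same UID and GID,
# 1 otherwise (including when the local record has no UniqueID at all).
# $1 = local record text, $2 = AD record text.
ownership_compatible() {
    local_uid=$(printf '%s\n' "$1" | attr_from_record UniqueID)
    local_gid=$(printf '%s\n' "$1" | attr_from_record PrimaryGroupID)
    ad_uid=$(printf '%s\n' "$2" | attr_from_record UniqueID)
    ad_gid=$(printf '%s\n' "$2" | attr_from_record PrimaryGroupID)
    [ -n "$local_uid" ] && [ "$local_uid" = "$ad_uid" ] && [ "$local_gid" = "$ad_gid" ]
}

# Delete the local record for $1, refusing unless the AD user $2 will own
# the home directory. Must run as root (dscl -delete on /Local/Default).
delete_local_user() {
    local_rec=$(dscl /Local/Default -read "/Users/$1" UniqueID PrimaryGroupID NFSHomeDirectory) || return 1
    ad_rec=$(dscl /Search -read "/Users/$2" UniqueID PrimaryGroupID) || return 1
    if ownership_compatible "$local_rec" "$ad_rec"; then
        dscl /Local/Default -delete "/Users/$1"
    else
        echo "UID/GID mismatch between local $1 and AD $2; not deleting." >&2
        echo "Fix the AD UNIX profile or chown the home directory first." >&2
        return 2
    fi
}

# Constructed sample records for offline use (shape of dscl -read output).
SAMPLE_LOCAL='UniqueID: 501
PrimaryGroupID: 20
NFSHomeDirectory: /Users/cain'
SAMPLE_AD_OK='UniqueID: 501
PrimaryGroupID: 20'
SAMPLE_AD_BAD='UniqueID: 10042
PrimaryGroupID: 10000'

# Usage on a Mac (as root): delete_local_user cain cain
# With the constructed records, the first check passes and the second is refused:
ownership_compatible "$SAMPLE_LOCAL" "$SAMPLE_AD_OK" && echo "cain: safe to delete"
ownership_compatible "$SAMPLE_LOCAL" "$SAMPLE_AD_BAD" || echo "cain: UID/GID mismatch, keep record"
```

After a real deletion, confirm the record is gone with dscl /Local/Default -list /Users and that the home directory is still owned by the expected UID with ls -ld /Users/cain; the dscl path leaves the home directory in place, so a mismatched UID is the only way the files end up inaccessible to the Active Directory user.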