Converting a local user to an Active Directory user

Although local user accounts can co-exist with Active Directory user accounts, in some cases, you may want to convert some or all of your local accounts to Active Directory user accounts. Converting local users to Active Directory users simplifies account management, but requires you to take some steps manually.

On Mac computers, the local account database is always checked for authentication before Active Directory. If a local user has the same username as an Active Directory user, the local account is the one used for authentication, whether the user logs on at the Mac login window or remotely (for example, using telnet or ssh). If the two passwords differ, it is the local password that must be supplied, so the Active Directory password policy is not applied to that login. Although authentication succeeds, Access Manager generates a username conflict warning.

In most cases, you should remove or convert local user accounts to avoid conflicts between Active Directory and local user accounts and to ensure that Active Directory password and configuration policies are enforced. If you need to keep local user accounts, make sure their user names are distinct from the Active Directory account names so that the two kinds of login cannot be confused. For more information, see Map the UNIX service account to the Active Directory user.

To convert a local Mac user to an Active Directory user:

  1. Open a Terminal window and, with administrator privileges (for example, by prefixing the command with sudo), run the following Directory Service command to delete the user’s record:
    dscl /Local/Default -delete /Users/userName

    where userName is a local user; for example, to delete the record for cain:

    dscl /Local/Default -delete /Users/cain

    Do not delete the only local administrator account on the computer: if the computer later cannot reach the domain, no one will be able to log on with administrative rights. Because the local record takes precedence over Active Directory for as long as it exists, you can also perform steps 2 and 3 before this step if you want to avoid a period during which the user cannot log on at all.

    Although the user record is deleted, the home directory for the user (/Users/cain), including all sub-directories and files, still exists. The files remain owned by the numeric UID and primary GID of the deleted local record. When the Active Directory user with the same name is given /Users/cain as its home directory, that user can use the existing files only if the Centrify profile assigns the same UID; if it assigns a different UID, change the ownership of the home directory to the new UID and GID once the Active Directory user resolves on the Mac, otherwise the user will be unable to read their own files.

  2. On a Windows computer, use Active Directory Users and Computers to create an Active Directory user account for the local user account (for example, cain), if one does not already exist.

  3. In the Access Manager console, add the Active Directory user to the appropriate zone and define the Centrify Profile for the user. Set the home directory for the user:

    Note: The default home directory for Mac users is under /Users, unlike most UNIX systems where /home is the default by convention.

    • To a local home directory: /Users/userName; for example, /Users/cain.

    • To an appropriate network share using the /SMB/share/path or /AFP/share/path syntax. For example, /SMB/cain/server2003.myDomain.com/Users/cain. See Configuring a network home directory.

    • To a network home directory. If you wish to create a mobile account for the user and synchronize the user’s folders the next time the user logs on, see Configuring a portable home directory.

  4. Reboot the Mac computer, then log in as the new Active Directory user and verify that the login now resolves to the Active Directory account (with the UID, group and home directory set in the Centrify profile) rather than to a local record.
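The following script is an added example that wraps the procedure above; it is not Centrify’s code and is not part of the original page. It splits the work into a `detach` stage (step 1: back up the local record, refuse to remove the only local administrator, record the old UID and GID, delete the record) and an `adopt` stage (after steps 2 and 3: confirm the name now resolves through Active Directory rather than a local record, then reassign the home directory files to the new UID and GID). The backup location under /var/root, the `detach`/`adopt` subcommand names and the helper function names are the script’s own assumptions; the `dscl`, `id`, `find` and `chown` invocations are standard macOS commands.

```shell
#!/bin/sh
# Added example (not Centrify's code): convert a local Mac user to an AD user
# with the checks an administrator wants before and after deleting the record.
# Assumed usage (as root):
#   sh convert_local_user.sh detach cain      # step 1
#   ... create the AD user and zone profile (steps 2 and 3) ...
#   sh convert_local_user.sh adopt cain       # fix ownership before step 4
set -eu

BACKUP_DIR=/var/root            # assumed location for record backups

# Accept plain account names only; anything else could be read by dscl as a
# different Directory Service path.
validate_username() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Mac home directories live under /Users, not /home.
home_dir() { printf '/Users/%s\n' "$1"; }

# Files keep the deleted record's numeric UID/GID; only a changed id needs a fix.
needs_ownership_fix() {
    [ "$1" != "$3" ] || [ "$2" != "$4" ]
}

require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
}

read_attr() {    # read_attr user Attribute  -> value of a local record attribute
    dscl /Local/Default -read "/Users/$1" "$2" | awk '{print $2}'
}

detach() {
    user=$1
    validate_username "$user" || { echo "bad username: '$user'" >&2; exit 1; }
    require_root
    dscl /Local/Default -read "/Users/$user" >/dev/null 2>&1 \
        || { echo "no local record for $user" >&2; exit 1; }
    # Never remove the only local administrator: that locks the Mac out of
    # administrative logins whenever the domain is unreachable.
    is_admin=0; others=0
    for m in $(dscl /Local/Default -read /Groups/admin GroupMembership | cut -d: -f2); do
        if [ "$m" = "$user" ]; then is_admin=1
        elif [ "$m" != root ]; then others=$((others + 1)); fi
    done
    if [ "$is_admin" -eq 1 ] && [ "$others" -eq 0 ]; then
        echo "refusing: $user is the only local administrator" >&2; exit 1
    fi
    old_uid=$(read_attr "$user" UniqueID)
    old_gid=$(read_attr "$user" PrimaryGroupID)
    # Keep a plist copy of the record and the ids so the change can be undone.
    dscl -plist /Local/Default -read "/Users/$user" > "$BACKUP_DIR/$user.local-record.plist"
    printf '%s %s\n' "$old_uid" "$old_gid" > "$BACKUP_DIR/$user.ids"
    dscl /Local/Default -delete "/Users/$user"
    echo "deleted local record for $user (uid $old_uid, gid $old_gid); home left in place"
}

adopt() {
    user=$1
    validate_username "$user" || { echo "bad username: '$user'" >&2; exit 1; }
    require_root
    read -r old_uid old_gid < "$BACKUP_DIR/$user.ids"
    # A surviving local record would still win over AD; stop if one exists.
    if dscl /Local/Default -read "/Users/$user" >/dev/null 2>&1; then
        echo "$user still has a local record; run detach first" >&2; exit 1
    fi
    new_uid=$(id -u "$user") || { echo "$user does not resolve; check the zone profile" >&2; exit 1; }
    new_gid=$(id -g "$user")
    home=$(home_dir "$user")
    if needs_ownership_fix "$old_uid" "$old_gid" "$new_uid" "$new_gid"; then
        # Only touch files still owned by the old uid, without following symlinks.
        find "$home" -user "$old_uid" -exec chown -h "$new_uid:$new_gid" {} +
        echo "reassigned $home from $old_uid:$old_gid to $new_uid:$new_gid"
    else
        echo "$user kept uid $new_uid / gid $new_gid; no ownership change needed"
    fi
}

case "${1:-}" in
    detach|adopt) "$1" "${2:-}" ;;
    '') ;;    # no arguments: only define the functions
    *) echo "usage: $0 detach|adopt username" >&2; exit 2 ;;
esac
```

The `find -user` filter matters: a plain recursive `chown` would also hand the new user any files that root or another account had placed under the home directory, whereas this only re-labels what the old local account owned.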