Converting local accounts to mobile accounts
29 Nov 2022
When working with an Xsan volume with Access Control Lists (ACLs) enabled, it is critical that users log into their Macs with the accounts that are in the relevant groups. We recently helped a customer migrate several computers from local accounts to mobile accounts while retaining the user’s home folder.
We are starting with a Mac with a local administrator account and another local account for the user. We also need to be on a network with access to our directory server. If there is only one account (for the user), create a new local administrator to perform the migration and log in as the local administrator account.
We should now have a local admin account (ladmin) and a local user account (eric); the goal is to have eric log in with a mobile account from our directory service (eric_hemmeter) while keeping the contents of the existing home folder.
Next the Mac needs to be connected to the same directory service that the Xsan permissions are coming from. Check System Preferences -> Users & Groups -> Login Options -> Network account server. If you don’t see the directory server listed, click the lock in the lower left, authenticate as the local admin account, and Add.. the appropriate directory server.
Now still in System Preferences -> Users & Groups, authenticate if you didn’t previously, select the local user account (eric). This next step is critical. Don’t click through until you are sure you have the right option selected. Click the minus sign at the bottom of the left column. You will be asked what to do with the home folder. Make sure to select “Don’t change the home folder”. Then click Delete User.
Navigate to /Users in the Finder. Select the user’s folder, now called “eric (Deleted)”, and change the name to the user’s directory service account name (eric_hemmeter). You will be prompted for an administrator’s name and password to make this change. Authenticate as ladmin.
Now we need to run one Terminal command. Open /Applications/Utilities/Terminal.app and enter the following, substituting the account name: sudo chown -R <mobile account name> /Users/<mobile account name>. With our example names that is sudo chown -R eric_hemmeter /Users/eric_hemmeter. This changes the ownership (chown) of the existing home folder to the new mobile account; -R (upper case) makes it recurse through everything inside the folder, and chown has no lower-case -r. Only the owning user changes, the group is left as it is. When you press Enter you will be prompted for the local admin password. Nothing is displayed as you type it; press Enter again when you are done.
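The rename and chown steps above as a script, with a check before and after, is an added example and not part of the original post. The names eric and eric_hemmeter and the /Users location are the post's examples; the SUDO variable and the helper names are assumptions made here so the same functions can be exercised on a scratch folder without root.

```bash
#!/bin/bash
# Added example, not from the original post: rename "OLD (Deleted)" to the
# mobile account name and hand the whole tree to that account, verifying that
# no entry is left owned by someone else.
set -u

# Commands that touch /Users need root; set SUDO= when already root or when
# trying this on a scratch folder you own.
: "${SUDO=sudo}"

# count_foreign_files DIR USER
# Prints how many entries under DIR are not owned by USER. Anything above 0
# after the chown means the user will hit permission errors in their own home.
count_foreign_files() {
    $SUDO find "$1" ! -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# migrate_home OLD_LOCAL_NAME NEW_ACCOUNT_NAME [USERS_DIR]
# Renames "USERS_DIR/OLD (Deleted)" to "USERS_DIR/NEW" and chowns it to NEW.
migrate_home() {
    old=$1 new=$2 users=${3:-/Users}
    src="$users/$old (Deleted)" dst="$users/$new"

    # The account must resolve (i.e. the Mac is bound to the directory), or
    # chown fails with an invalid user. Check before touching anything.
    if ! id "$new" >/dev/null 2>&1; then
        echo "account '$new' not found; check the directory binding" >&2
        return 1
    fi
    if [ ! -d "$src" ]; then
        echo "no folder '$src'; was the user removed with 'Don't change the home folder'?" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "'$dst' already exists; refusing to overwrite it" >&2
        return 1
    fi

    $SUDO mv "$src" "$dst" || return 1
    echo "entries not owned by $new before chown: $(count_foreign_files "$dst" "$new")"
    # -R (upper case) recurses; chown has no -r. Only the owner changes here;
    # use "$new:staff" instead of "$new" if the group must change as well.
    $SUDO chown -R "$new" "$dst" || return 1
    left=$(count_foreign_files "$dst" "$new")
    echo "entries not owned by $new after chown: $left"
    [ "$left" -eq 0 ]
}
```

Typical use on the Mac being migrated is migrate_home eric eric_hemmeter, run from the local admin account; it refuses to run if eric_hemmeter does not resolve (the binding from the earlier step is missing), if the "(Deleted)" folder is not where the Users & Groups step left it, or if a folder with the new name already exists.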
Now we can log out of the local admin account and have the user log in as their directory service account. If the Mac doesn’t show the Other… option at the login window, press Option-Enter to switch to the username/password fields.
The user will be asked if they want to update their keychain password. Select update password and when prompted, enter the old local user’s password. This will change their keychain to use the new mobile password.
Now return to System Preferences -> Users & Groups. In the user's account area, you could choose to make the mobile user an administrator by checking “Allow user to administer this computer”. It will ask to restart; select Not Yet. We recommend not allowing users to be administrators on Fibre Channel-connected systems. An administrator can become root and read the raw LUN devices directly, which gives full access to all data on the volumes regardless of the ACLs, and can also write to or disrupt the LUNs, ruining the volume for all users. If the user will only reach the Xsan volume over SMB, the file server enforces the permissions and making the user an administrator is much safer.
To finish this process, click Create… next to Mobile account:. Confirm that the home folder should be on the startup disk by clicking Create. Then click Create one more time to log the user out and cache the mobile account. Enter the user's mobile account password and click OK. Now be patient; this part can take some time depending on the connection to the directory service. You may be prompted to grant the user a secure token for FileVault. The user needs a secure token to unlock a FileVault-encrypted startup disk at boot, so if in doubt, allow it by authenticating as the local administrator account.
The user should now be able to log in with their mobile account on and off the network and have the correct permissions on the Xsan volume locally or over SMB.