
Creating AD or OD mobile users from the command line

On some occasions, I’ve been asked to create mobile accounts for people on workstations or servers without those people being available to log in at the login window. Here’s a way to create those accounts remotely via SSH.

Note: In this example, I’m creating AD mobile users where the Apple AD plug-in’s “Use UNC path from Active Directory to derive network home location” setting is unchecked.

1. Use SSH to remotely connect to the Mac in question:

ssh localadmin@workstation-name.domain.com

This message may appear if it’s the first time connecting from your workstation to the remote Mac:


The authenticity of host 'workstation-name.domain.com (192.168.12.17)' can't be established.
RSA key fingerprint is 47:15:1f:e0:b1:f8:05:25:2c:cf:ae:aa:8c:ac:83:c3.
Are you sure you want to continue connecting (yes/no)?

Enter yes when prompted and hit Return.

2. Provide the password when prompted and hit Return.

3. Once connected, run the following command to create the account and the account’s home folder in /Users (using the user’s username in place of username):


sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

Note: When the account is created, you may see some errors like these:

--------


createmobileaccount built Apr 15 2011 18:07:03
2011-08-12 07:20:09.066 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=872656421), NULL) == 0x89d6bc99
2011-08-12 07:20:09.960 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=872656421), NULL) == 0x89d6bc99

--------

or these:

--------


createmobileaccount built Jul 7 2009 17:17:01

touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/00410042005300530079006e00630043006f0075006e0074: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/005f004900530079006e00630043006c00690065006e00740041006e00630068006f0072004b00650079: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/7fef3df625cf55044d6bb962d9afcdcb3f182ede/006d006f00640044006100740065004f006e004c00610073007400530079006e0063: No such file or directory
2011-08-12 07:32:20.134 DirectoryTools[93635:10b] find-exec-touch failed with 1

--------

These are generally harmless errors and do not mean that the account was not created.

4. Once the account is created, run the following command to assign the just-created account administrator rights (using the user’s username in place of username):


sudo dscl . -append /Groups/admin GroupMembership username
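
Steps 3 and 4 can be wrapped in a script that decides success from the directory record instead of from createmobileaccount's noisy output, and that grants admin rights only when asked. This is an added example, not code from the original post; the username policy, the function names and the assumption that a created mobile account appears as a record in the local node are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3 and 4 with verification.
# CMA is the tool path from step 3; it can be overridden for testing.
CMA="${CMA:-/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount}"

# Accept only short names made of letters, digits, dot, underscore and hyphen
# (assumed policy), so the value can never be read as an option or a path.
valid_username() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Assumption: a created mobile account has a record in the local node.
account_exists() {
    dscl . -read "/Users/$1" UniqueID >/dev/null 2>&1
}

# Exact-match check against the admin group's direct members.
is_admin() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null |
        tr ' ' '\n' | grep -Fxq -- "$1"
}

# provision USERNAME [admin]
provision() {
    user=$1 grant=${2:-}
    valid_username "$user" || { echo "rejected username: $user" >&2; return 2; }
    if ! account_exists "$user"; then
        # The tool's messages are noisy (see the note above), so keep them
        # for the log and decide success from the directory record instead.
        rc=0
        out=$(sudo "$CMA" -n "$user" 2>&1) || rc=$?
        if ! account_exists "$user"; then
            echo "createmobileaccount failed (exit $rc): $out" >&2
            return 1
        fi
    fi
    [ "$grant" = admin ] || return 0      # admin rights only on request
    is_admin "$user" && return 0          # already a member: nothing to do
    sudo dscl . -append /Groups/admin GroupMembership "$user" || return 1
    is_admin "$user"                      # confirm the change took effect
}

# Run only when called with arguments, e.g.: sh provision.sh jsmith admin
if [ "$#" -gt 0 ]; then
    provision "$@"
fi
```

Because the membership check runs before the append, repeated runs do not add duplicate entries to the admin group.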

  1. Patrick Fergus
    August 12, 2011 at 1:11 pm

    Does this write a local password hash for the user?

    • August 12, 2011 at 1:23 pm

      That depends on which OS you’re running the command on. On 10.5, it looks like the password hash is created when the command is run. On 10.6, the hash is not created until the user actually logs in.

  2. February 14, 2012 at 8:46 pm

    Can you give me some sense of what causes the first set of errors?

  3. February 14, 2012 at 9:10 pm

    Jay,

    My AD users don’t have MCX preferences applied, so I’ve assumed that the first error was caused by the MCX cache utility not finding anything to cache. However, I don’t have documented evidence to back that assumption up.

  4. Josh
    April 8, 2013 at 6:49 pm

    Have you found any way to redirect the “error” output into something benign so that Casper doesn’t mark it as failed when used in a policy? I’ve tried to redirect stderr to stdout, or all output to /dev/null, with no luck.

  5. June 18, 2013 at 3:36 pm

    I’m also wondering about the error, because the AD-Account (PBIS) was successfully changed into a Mobile-Account. Any ideas how to redirect the error so Casper Suite will mark this policy (logout-script) as “ok, worked fine”?

    Script result: 2013-06-18 17:16:21.013 createmobileaccount[1802:707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=40367), NULL) failed
    2013-06-18 17:16:21.912 createmobileaccount[1802:707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=40367), NULL) failed
    createmobileaccount built Apr 27 2013 02:50:29
