Creating AD or OD mobile users from the command line
On some occasions, I’ve been asked to create mobile accounts for people on workstations or servers without those people being available to log in at the login window. Here’s a way to create those accounts remotely via SSH. See below the jump for the details.
Note: In this example, I’m creating AD mobile users where the Apple AD plug-in’s Use UNC path from Active Directory to derive network home location setting is unchecked.
1. Use SSH to remotely connect to the Mac in question: ssh localadmin@firstname.lastname@example.org
This message may appear if it’s the first time connecting from your workstation to the remote Mac:
The authenticity of host 'workstation-name.domain.com (192.168.12.17)' can't be established.
RSA key fingerprint is 47:15:1f:e0:b1:f8:05:25:2c:cf:ae:aa:8c:ac:83:c3.
Are you sure you want to continue connecting (yes/no)?
Enter yes when prompted and hit Return.
2. Provide password when prompted and hit Return.
3. Once connected, run the following command to create the account and the account’s home folder in /Users (using the user’s username in place of username):
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
Note: When the account is created, you may see some errors like these:
createmobileaccount built Apr 15 2011 18:07:03
2011-08-12 07:20:09.066 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=872656421), NULL) == 0x89d6bc99
2011-08-12 07:20:09.960 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=872656421), NULL) == 0x89d6bc99
createmobileaccount built Jul 7 2009 17:17:01
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/00410042005300530079006e00630043006f0075006e0074: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/005f004900530079006e00630043006c00690065006e00740041006e00630068006f0072004b00650079: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/7fef3df625cf55044d6bb962d9afcdcb3f182ede/006d006f00640044006100740065004f006e004c00610073007400530079006e0063: No such file or directory
2011-08-12 07:32:20.134 DirectoryTools[93635:10b] find-exec-touch failed with 1
These are generally harmless errors and do not mean that the account was not created.
4. Once the account is created, run the following command to assign the just-created account administrator rights (using the user’s username in place of username):
sudo dscl . -append /Groups/admin GroupMembership username