
Creating AD or OD mobile users from the command line

On some occasions, I’ve been asked to create mobile accounts for people on workstations or servers without those people being available to log in at the login window. Here’s a way to create those accounts remotely via SSH. See below the jump for the details.

Note: In this example, I’m creating AD mobile users where the Apple AD plug-in’s “Use UNC path from Active Directory to derive network home location” setting is unchecked.

1. Use SSH to remotely connect to the Mac in question: ssh localadmin@workstation-name.domain.com

This message may appear if it’s the first time connecting from your workstation to the remote Mac:

The authenticity of host 'workstation-name.domain.com (' can't be established.
RSA key fingerprint is 47:15:1f:e0:b1:f8:05:25:2c:cf:ae:aa:8c:ac:83:c3.
Are you sure you want to continue connecting (yes/no)?

Check that the fingerprint shown matches the remote Mac’s host key, then enter yes when prompted and hit Return.

2. Provide password when prompted and hit Return.

3. Once connected, run the following command to create the account and the account’s home folder in /Users (using the user’s username in place of username):

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

Note: When the account is created, you may see some errors like these:


createmobileaccount built Apr 15 2011 18:07:03
2011-08-12 07:20:09.066 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=872656421), NULL) == 0x89d6bc99
2011-08-12 07:20:09.960 createmobileaccount[98180:1707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=872656421), NULL) == 0x89d6bc99


or these


createmobileaccount built Jul 7 2009 17:17:01

touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/00410042005300530079006e00630043006f0075006e0074: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/633a1ba25cb8241bbde44acb603ee1e822cde772/005f004900530079006e00630043006c00690065006e00740041006e00630068006f0072004b00650079: No such file or directory
touch: /Users/username/Library/Application Support/SyncServices/Local/clientdata/7fef3df625cf55044d6bb962d9afcdcb3f182ede/006d006f00640044006100740065004f006e004c00610073007400530079006e0063: No such file or directory
2011-08-12 07:32:20.134 DirectoryTools[93635:10b] find-exec-touch failed with 1


These are generally harmless errors and do not mean that the account was not created.

4. Once the account is created, run the following command to assign the just-created account administrator rights (using the user’s username in place of username):

sudo dscl . -append /Groups/admin GroupMembership username
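
Because createmobileaccount can print the errors shown above even when it succeeds, the outcome of steps 3 and 4 is better judged from the resulting state than from the tool's output. The following is an added example, not part of the original post: the function names are hypothetical, and the allowed username character set is an assumption.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the original post).

# Reject anything but a conservative short name before it reaches sudo.
# The allowed character set is an assumption; adjust it for your directory.
valid_shortname() {
    case "$1" in
        ""|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# $1 = one "GroupMembership: a b c" line as printed by dscl, $2 = short name.
# Matches whole names only, so "jsmith" does not match "jsmithers".
in_group_membership() {
    case "$1" in
        "GroupMembership:"*) ;;
        *) return 1 ;;
    esac
    case " ${1#GroupMembership:} " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Run on the Mac after steps 3 and 4: verify_mobile_admin username
verify_mobile_admin() {
    valid_shortname "$1" || { echo "refusing unsafe username" >&2; return 2; }
    rc=0
    if dscl . -read "/Users/$1" RecordName >/dev/null 2>&1; then
        echo "ok: local record /Users/$1 exists"
    else
        echo "FAIL: no local record for $1"; rc=1
    fi
    if [ -d "/Users/$1" ]; then
        echo "ok: home folder /Users/$1 exists"
    else
        echo "FAIL: home folder /Users/$1 missing"; rc=1
    fi
    membership=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) || membership=""
    if in_group_membership "$membership" "$1"; then
        echo "ok: $1 is in the local admin group"
    else
        echo "FAIL: $1 is not in the local admin group"; rc=1
    fi
    return "$rc"
}
```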

  1. Patrick Fergus
    August 12, 2011 at 1:11 pm

    Does this write a local password hash for the user?

    • August 12, 2011 at 1:23 pm

      That depends on which OS you’re running the command on. On 10.5, it looks like the password hash is created when the command is run. On 10.6, the hash is not created until the user actually logs in.

  2. February 14, 2012 at 8:46 pm

    Can you give me some sense of what causes the first set of errors?

  3. February 14, 2012 at 9:10 pm


    My AD users don’t have MCX preferences applied, so I’ve assumed that the first error was caused by the MCX cache utility not finding anything to cache. However, I don’t have documented evidence to back that assumption up.

  4. Josh
    April 8, 2013 at 6:49 pm

    Have you found any way to redirect the “error” output into something benign so that Casper doesn’t mark it as failed when used in a policy? I’ve tried to redirect stderr to stdout, or all output to /dev/null, with no luck.

  5. June 18, 2013 at 3:36 pm

    I’m also wondering about the error, because the AD-Account (PBIS) was successfully changed into a Mobile-Account. Any ideas, how to redirect the error, so Casper Suite will mark this policy (logout-script) as “ok, worked fine”?

    Script result: 2013-06-18 17:16:21.013 createmobileaccount[1802:707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=40367), NULL) failed
    2013-06-18 17:16:21.912 createmobileaccount[1802:707] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=40367), NULL) failed
    createmobileaccount built Apr 27 2013 02:50:29

  6. Martin Bluck
    September 11, 2015 at 3:57 pm

    Does doing this create a password? How does the newly created user log in?

  7. Mark Stark
    January 12, 2016 at 10:15 pm

    Creating AD or OD mobile users from the command line
    Nice read, but what if this is a mobile deploy before VPN access is allowed??

  8. April 15, 2016 at 9:03 pm

    Awesome, it works with “Use UNC path from Active Directory to derive network home location” checked, as well.

    I had a weird case where an AD user could not log into a particular domain-bound Mac even after it was rebuilt completely.

    Added the user with this command and it worked like a charm.

  9. April 15, 2016 at 9:05 pm

    I’ll add also that I grant admin rights via AD group membership, and the person’s account showed in Users and Groups properly as ‘Mobile, Managed, Admin’

  10. darrenmason
    June 8, 2017 at 4:43 pm

    Thank you for sharing this command line tutorial. I have a MacOS Sierra (latest ver) which was joined to AD, but network admin failed to check “create mobile account on login.” Now I’m back home and can’t login because I’m not connected to the domain. Would this tutorial work to “convert” my existing network account to a mobile account? I am able to login to the machine through an admin local account. Thank you!

  11. Amir Av
    January 22, 2018 at 10:57 pm

    thank you
