
Updated MigrateADMobileAccounttoLocalAccount script now available to fix password issue in macOS 10.14.4

A couple of years back, I wrote a script to assist with migrating AD mobile users to local users. I had to update it in 2018 to fix a bug, but once that issue was fixed, the script has chugged along without changes between macOS 10.13.5 and macOS 10.14.3.

However, starting with macOS 10.14.4, I was alerted to an issue with how the script worked in combination with a change on Apple’s end.

As part of the script, the following actions take place:

  1. The account's AuthenticationAuthority attribute, which holds the ShadowHash value that references the account's password hash, is backed up.
  2. The AuthenticationAuthority attribute is deleted from the account.
  3. The AuthenticationAuthority attribute is re-created from the backup, restoring the reference to the account's password hash.

As of macOS 10.14.4, once the reference to the password hash is removed from the AuthenticationAuthority attribute, the OS automatically deletes the actual password hash (stored in the account's ShadowHashData attribute) as well. That means step 2 in the process described above now removes the account's password outright: re-creating the attribute in step 3 restores only the reference, not the hash it pointed at, so the account's password must be reset before the account can be used.

How to fix this? For more details, please see below the jump.

To address this issue, I’ve removed the parts of the script that do the following:

  1. Back up the password hash value from the account’s AuthenticationAuthority attribute
  2. Delete the account’s AuthenticationAuthority attribute
  3. Re-create the account’s AuthenticationAuthority attribute and restore the password hash value.


In their place, I’ve added the following:

  1. A function named PasswordMigration, which selectively edits the account’s AuthenticationAuthority attribute to remove only the Kerberos and LocalCachedUser values, leaving the ShadowHash value (and with it the password hash) in place.
  2. A call to the PasswordMigration function after the account attributes specified in the script have been removed from the account.
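As an added illustration of the in-place edit described above (this is example code written for this page, not the post's script or anything from the rtrouton_scripts repository), the POSIX shell below parses the `dscl -plist` output for AuthenticationAuthority, picks out only the Kerberosv5 and LocalCachedUser values, and removes them one value at a time with `dscl . -delete /Users/<user> AuthenticationAuthority "<value>"`, so the whole attribute, and therefore the ShadowHash reference, is never deleted. It also includes the check one would run after migration (no domain values left, hash reference still present), which is the post-migration state the testing section below verifies by logging in. The plist is a constructed sample: the user name, realm, SID and hash list are made up, and the `dscl` command is only printed unless `DRY_RUN=0` is set on a Mac.

```shell
#!/bin/sh
# Added example, not the script from the post. The plist, user, realm, SID and
# hash list are constructed. Nothing touches a directory node unless DRY_RUN=0
# is set on a Mac with dscl.

# Constructed sample of what
#   dscl -plist . -read /Users/jappleseed AuthenticationAuthority
# prints for an AD mobile account: one <string> per array element.
SAMPLE_AA_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>dsAttrTypeStandard:AuthenticationAuthority</key>
    <array>
        <string>;Kerberosv5;;jappleseed@EXAMPLE.COM;EXAMPLE.COM;</string>
        <string>;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jappleseed:S-1-5-21-1111111111-2222222222-3333333333-1105;</string>
        <string>;ShadowHash;HASHLIST:&lt;SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2&gt;</string>
        <string>;SecureToken;</string>
    </array>
</dict>
</plist>'

# Print one AuthenticationAuthority value per line with XML entities decoded,
# i.e. exactly the strings dscl expects back on a -delete.
aa_values() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*<string>\(.*\)<\/string>[[:space:]]*$/\1/p' |
        sed 's/&lt;/</g; s/&gt;/>/g; s/&quot;/"/g; s/&amp;/\&/g'
}

# Only the values that tie the account to the domain. Removing these does not
# make the OS discard the password hash; removing ShadowHash does.
aa_values_to_remove() {
    aa_values "$1" | while IFS= read -r value; do
        case "$value" in
            ';Kerberosv5;'*|';LocalCachedUser;'*) printf '%s\n' "$value" ;;
        esac
    done
}

# Everything else stays, and the ShadowHash reference must be among it.
aa_values_to_keep() {
    aa_values "$1" | while IFS= read -r value; do
        case "$value" in
            ';Kerberosv5;'*|';LocalCachedUser;'*) ;;
            *) printf '%s\n' "$value" ;;
        esac
    done
}

# Succeeds when the attribute still carries a ShadowHash reference.
aa_has_shadowhash() {
    aa_values "$1" | grep -q '^;ShadowHash;'
}

# Post-migration check: no domain values left, password hash reference intact.
aa_is_migrated() {
    [ -z "$(aa_values_to_remove "$1")" ] && aa_has_shadowhash "$1"
}

# Delete the domain values one at a time. dscl's "-delete path key value" form
# removes a single value from a multi-valued attribute; the attribute itself
# is never deleted, so on 10.14.4 the OS has no reason to drop the hash.
migrate_password_authority() {
    user="$1"
    plist="$2"   # output of: dscl -plist . -read "/Users/$user" AuthenticationAuthority
    if ! aa_has_shadowhash "$plist"; then
        echo "$user: no ShadowHash reference in AuthenticationAuthority; the password is already gone, refusing to continue" >&2
        return 1
    fi
    aa_values_to_remove "$plist" | while IFS= read -r value; do
        if [ "${DRY_RUN:-1}" = 0 ]; then
            /usr/bin/dscl . -delete "/Users/$user" AuthenticationAuthority "$value"
        else
            printf "dscl . -delete /Users/%s AuthenticationAuthority '%s'\n" "$user" "$value"
        fi
    done
}

# Stand-alone run: show what would be deleted for the sample account.
migrate_password_authority jappleseed "$SAMPLE_AA_PLIST"
```

The refusal when no ShadowHash value is present is deliberate: on an account that has already lost its hash there is nothing left to preserve, and the admin should know the password has to be reset rather than have the script silently strip the remaining domain values.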


Acknowledgements

My thanks to the folks who reported the issue and also provided the necessary fix. Regrettably, I can’t give them proper credit as they must remain anonymous.


Testing

This script has been tested and verified to migrate AD mobile accounts to local accounts on the following versions of macOS:

  • macOS 10.14.4

In that testing, I did the following:

Testing on logged-in AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I rebooted and verified that I could log in at the OS login window.
  4. I changed the password for the local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Testing on logged-out AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the VM using a local account which was not the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I logged out and verified that I could log in at the OS login window with the just-migrated account.
  4. I changed the password for the newly-migrated local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Note: I did not test with FileVault-enabled accounts.

Advisory: Older versions of OS X and macOS were not tested and I have no idea if the script will work on those older OS versions.

Warning: I was able to test in my shop’s AD environment and verified that everything worked. That does not guarantee it will work in your environment. Test thoroughly before deploying in your own AD environment.

The updated script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account

  1. Sane
    May 2, 2019 at 8:09 pm

    Thank you — This script has helped us in many ways. We are in an exercise to migrate our mobile accounts to local accounts and leverage Enterprise Connect.

    I ran into the 10.14.4 issue today, and am working on the update.
    Question: can it be that the issue may only pop up on certain Macs, or if not updated will it happen on any Mac with 10.14.4? I ask because the script worked on one type of HW but failed on another; both were on 10.14.4. When it did fail, you have to rebuild the Mac or restore from a prior backup; it completely revamps the security of all the accounts on the Mac.

  2. May 15, 2019 at 10:14 am

    Is there a way this script can be automated?
    So it can be run from Self Service on the currently logged in user.

    • Gustavo
      November 7, 2019 at 10:11 pm

      Remus, were you able to automate this process? I’m looking to do this silently instead of interactively.

  3. Matt
    May 20, 2019 at 7:55 pm

    Can the password migration function be run by itself to fix machines that have run the old script before they upgrade to 10.14 and are then possibly locked out?
