
Updated MigrateADMobileAccounttoLocalAccount script now available to fix password issue in macOS 10.14.4

A couple of years back, I wrote a script to assist with migrating AD mobile users to local users. I had to update it in 2018 to fix a bug, but once that issue was fixed, the script has chugged along without changes between macOS 10.13.5 and macOS 10.14.3.

However, starting with macOS 10.14.4, I was alerted to an issue with how the script worked in combination with a change on Apple’s end.

As part of the script, the following actions take place:

  1. The password hash value of the account from the AuthenticationAuthority attribute of the relevant account is backed up.
  2. The AuthenticationAuthority attribute is deleted from the relevant account.
  3. The AuthenticationAuthority attribute is re-created and the password hash of the account is restored from the backup.

As of macOS 10.14.4, once the reference to the password hash is removed from the AuthenticationAuthority attribute, the actual password hash is now automatically deleted by the OS. That means that step 2 in the process described above actually causes the password for the account to be removed, so that the account’s password must be reset.

How to fix this? For more details, please see below the jump.

To address this issue, I’ve removed the parts of the script that do the following:

  1. Back up the password hash value from the account’s AuthenticationAuthority attribute.
  2. Delete the account’s AuthenticationAuthority attribute.
  3. Re-create the account’s AuthenticationAuthority attribute and restore the password hash value.


In their place, I’ve added the following:

  1. A function named PasswordMigration, which selectively edits the account’s AuthenticationAuthority attribute to remove the Kerberos and LocalCachedUser values.
  2. A call to the PasswordMigration function after the account attributes specified in the script are removed from the account.
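As an added illustration of the selective edit described above (this is not the post's own script and the function names are my own; sample attribute values are constructed), the sketch below lists an account's AuthenticationAuthority values, picks out only the Kerberosv5 and LocalCachedUser entries, and deletes those one at a time, so the ;ShadowHash; entry that references the password hash is never touched:

```shell
#!/bin/bash
# Added example, not the post's script. Prunes only the Kerberosv5 and
# LocalCachedUser values from AuthenticationAuthority; the ;ShadowHash;
# value is left in place so macOS 10.14.4 does not drop the password hash.

# Constructed sample of the values an AD mobile account might carry.
sample_aa_values() {
    printf '%s\n' \
        ';ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>' \
        ';Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;' \
        ';LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:S-1-5-21-0-0-0-1001' \
        ';SecureToken;'
}

# Keep only the values that should be removed (one value per line on stdin).
select_aa_values_to_remove() {
    grep -E '^;(Kerberosv5|LocalCachedUser);'
}

# dscl -plist escapes < > & in the XML; undo that so -delete gets the raw value.
unescape_plist_string() {
    sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&amp;/\&/g'
}

# Read the attribute from the local node as a plist and print one value per line.
read_aa_values() {
    local user="$1"
    /usr/bin/dscl -plist . -read "/Users/${user}" AuthenticationAuthority \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' \
        | unescape_plist_string
}

# Delete only the selected values, one dscl -delete per value (hypothetical helper name).
prune_authentication_authority() {
    local user="$1" value
    read_aa_values "${user}" | select_aa_values_to_remove | while IFS= read -r value; do
        /usr/bin/dscl . -delete "/Users/${user}" AuthenticationAuthority "${value}"
    done
}

# Dry run on the constructed sample: prints the two values that would be deleted.
sample_aa_values | select_aa_values_to_remove
```

Run the dry run as a plain user; `prune_authentication_authority <user>` itself needs root because `dscl -delete` writes to the local directory node.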


Acknowledgements

My thanks to the folks who reported the issue and also provided the necessary fix. Regrettably, I can’t give them proper credit as they must remain anonymous.


Testing

This script has been tested and verified to migrate AD mobile accounts to local accounts on the following versions of macOS:

  • macOS 10.14.4

In that testing, I did the following:

Testing on logged-in AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I rebooted and verified that I could log in at the OS login window.
  4. I changed the password for the local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Testing on logged-out AD mobile user account:

  1. I set up an AD-bound VM and created an AD mobile account with admin privileges.
  2. I logged into the VM using a local account which was not the AD mobile account and ran the script while logged in as that account.
  3. Once the account had been migrated, I logged out and verified that I could log in at the OS login window with the just-migrated account.
  4. I changed the password for the newly-migrated local account to a new one and rebooted.
  5. I verified that I could log in at the OS login window with the new password.

Note: I did not test with FileVault-enabled accounts.

Advisory: Older versions of OS X and macOS were not tested and I have no idea if the script will work on those older OS versions.

Warning: I was able to test in my shop’s AD environment and verified that everything worked. That does not guarantee it will work in your environment. Test thoroughly before deploying in your own AD environment.

The updated script is available below, and also available on GitHub at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/migrate_ad_mobile_account_to_local_account
