  1. #!/bin/bash
  2. # Modified 4/5/2019
  3. Version=1.4
  4. # Original source is from MigrateUserHomeToDomainAcct.sh
  5. # Written by Patrick Gallagher - https://twitter.com/patgmac
  6. #
  7. # Guidance and inspiration from Lisa Davies:
  8. # http://lisacherie.com/?p=239
  9. #
  10. # Modified by Rich Trouton
  11. #
  12. # Version 1.0 - Migrates an Active Directory mobile account to a local account by the following process:
  13.  
  14. # 1. Detect if the Mac is bound to AD and offer to unbind the Mac from AD if desired
  15. # 2. Display a list of the accounts with a UID greater than 1000
  16. # 3. Remove the following attributes from the specified account:
  17. #
  18. # cached_groups
  19. # cached_auth_policy
# CopyTimestamp - This attribute is used by the OS to determine if the account is a mobile account
# AltSecurityIdentities - Kerberos principal mapping for the AD account (removed by the script, previously missing from this list)
# SMBPrimaryGroupSID
  22. # OriginalAuthenticationAuthority
  23. # OriginalNodeName
  24. # SMBSID
  25. # SMBScriptPath
  26. # SMBPasswordLastSet
  27. # SMBGroupRID
  28. # PrimaryNTDomain
  29. # AppleMetaRecordName
  30. # MCXSettings
  31. # MCXFlags
  32. #
  33. # 4. Selectively modify the account's AuthenticationAuthority attribute to remove AD-specific attributes.
  34. # 5. Restart the directory services process
  35. # 6. Check to see if the conversion process succeeded by checking the OriginalNodeName attribute for the value "Active Directory"
  36. # 7. If the conversion process succeeded, update the permissions on the account's home folder.
  37. # 8. Prompt if admin rights should be granted for the specified account
  38. #
  39. # Version 1.1
  40. #
  41. # Changes:
  42. #
  43. # 1. After conversion, the specified account is added to the staff group.  All local accounts on this Mac are members of the staff group,
  44. #    but AD mobile accounts are not members of the staff group.
  45. # 2. The "accounttype" variable is now checking the AuthenticationAuthority attribute instead of the OriginalNodeName attribute.
  46. #    The reason for Change 2's attributes change is that the AuthenticationAuthority attribute will exist following the conversion
  47. #    process while the OriginalNodeName attribute may not.
  48. #
  49. #
  50. # Version 1.2
  51. #
  52. # Changes:
  53. #
  54. # Add RemoveAD function to handle the following tasks:
  55. #
  56. # 1. Force unbind the Mac from Active Directory
  57. # 2. Deletes the Active Directory domain from the custom /Search and /Search/Contacts paths
  58. # 3. Changes the /Search and /Search/Contacts path type from Custom to Automatic
  59. #
  60. # Thanks to Rick Lemmon for the suggested changes to the AD unbind process.
  61. #
  62. # Version 1.3
  63. #
  64. # Changes:
  65. #
  66. # Fix to account password backup and restore process. Previous versions
  67. # of the script were adding extra quote marks to the account's plist
  68. # file located in /var/db/dslocal/nodes/Default/users/.
  69. #
  70. # Version 1.4
  71. #
  72. # Changes:
  73. #
# macOS 10.14.4 will remove the actual ShadowHashData key immediately
  75. # if the AuthenticationAuthority array value which references the ShadowHash
  76. # is removed from the AuthenticationAuthority array. To address this, the
  77. # existing AuthenticationAuthority array will be modified to remove the Kerberos
  78. # and LocalCachedUser user values.
  79. #
  80. # Thanks to the anonymous reporter who provided the bug report and fix.
  81.  
  82. clear
  83.  
  84. listUsers="$(/usr/bin/dscl . list /Users UniqueID | awk '$2 > 1000 {print $1}') FINISHED"
  85. FullScriptName=`basename "$0"`
  86. ShowVersion="$FullScriptName $Version"
  87. check4AD=`/usr/bin/dscl localhost -list . | grep "Active Directory"`
  88. osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
  89.  
  90. /bin/echo "********* Running $FullScriptName Version $Version *********"
  91.  
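RemoveAD(){

    # Force-unbinds the Mac from its current Active Directory domain and
    # removes the AD node from the /Search and /Search/Contacts search paths.
    #
    # NOTE(review): "-remove -force -u none -p none" drops the binding locally
    # without authenticating to the domain, so the computer object is left
    # behind in AD and has to be cleaned up there separately.

    local searchPath
    # The CSPSearchPath entry for AD, with the leading space dscl prints
    # before each value stripped off.
    searchPath=$(/usr/bin/dscl /Search -read . CSPSearchPath | grep 'Active Directory' | sed 's/^ //')

    # Force unbind from Active Directory
    /usr/sbin/dsconfigad -remove -force -u none -p none

    # Delete the Active Directory domain from the custom /Search and
    # /Search/Contacts paths. Skipped when no AD entry was found: passing an
    # empty value would only make dscl error out.
    if [[ -n "$searchPath" ]]; then
        /usr/bin/dscl /Search/Contacts -delete . CSPSearchPath "$searchPath"
        /usr/bin/dscl /Search -delete . CSPSearchPath "$searchPath"
    fi

    # Change the /Search and /Search/Contacts path type from Custom to Automatic
    /usr/bin/dscl /Search -change . SearchPolicy dsAttrTypeStandard:CSPSearchPath dsAttrTypeStandard:NSPSearchPath
    /usr/bin/dscl /Search/Contacts -change . SearchPolicy dsAttrTypeStandard:CSPSearchPath dsAttrTypeStandard:NSPSearchPath
}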
  114.  
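PasswordMigration(){

    # Removes the AD-specific entries (Kerberosv5 and LocalCachedUser) from
    # the account's AuthenticationAuthority array while leaving the ShadowHash
    # entry untouched. Reads the global "netname" (the account being converted).
    #
    # Why only these two values are deleted: on macOS 10.14.4 and later the OS
    # drops the ShadowHashData key immediately if the AuthenticationAuthority
    # value referencing the ShadowHash is removed, which would destroy the
    # cached password. Editing the existing array in place avoids that.

    local authAuthority kerberosEntry cachedUserEntry

    if [[ -z "$netname" ]]; then
        /bin/echo "PasswordMigration: no account name set, nothing to do." >&2
        return 1
    fi

    authAuthority=$(/usr/bin/dscl -plist . -read "/Users/$netname" AuthenticationAuthority)

    # xmllint's string() yields the first matching <string> only; a mobile
    # account is expected to carry one entry of each kind.
    kerberosEntry=$(printf '%s\n' "$authAuthority" | xmllint --xpath 'string(//string[contains(text(),"Kerberosv5")])' -)
    cachedUserEntry=$(printf '%s\n' "$authAuthority" | xmllint --xpath 'string(//string[contains(text(),"LocalCachedUser")])' -)

    # Remove Kerberosv5 and LocalCachedUser
    if [[ -n "$kerberosEntry" ]]; then
        /usr/bin/dscl -plist . -delete "/Users/$netname" AuthenticationAuthority "$kerberosEntry"
    fi

    if [[ -n "$cachedUserEntry" ]]; then
        /usr/bin/dscl -plist . -delete "/Users/$netname" AuthenticationAuthority "$cachedUserEntry"
    fi
}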
  137.  
# Unbind from AD first when an Active Directory node is registered;
# "check4AD" holds the matching line from the node listing above.
case "$check4AD" in
    "Active Directory")
        RemoveAD
        /bin/echo "AD binding has been removed."
        ;;
    *)
        /bin/echo "Machine is not bound to AD, not removing."
        ;;
esac
  145.  
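# Account to convert: the user on the last line of "w" output, which is the
# console session when an admin runs this from Terminal via sudo.
# NOTE(review): "w" also lists SSH sessions, so confirm the reported name
# is the intended account before using this in an unattended deployment.
netname=$(w | tail -n 1 | cut -f 1 -d " ")

# Bail out before touching the directory if no usable account was found;
# an empty name would turn "/Users/$netname" into the /Users container.
if [[ -z "$netname" ]] || ! /usr/bin/dscl . -read "/Users/$netname" >/dev/null 2>&1; then
    /usr/bin/printf 'Could not determine a valid local account to convert (got "%s").\n' "$netname" >&2
    exit 1
fi

# First AuthenticationAuthority value of a mobile account looks like
#   ;LocalCachedUser;/Active Directory/DOMAIN/All Domains/...
# Split on "/", field 2 is the directory type and field 1 the ";LocalCachedUser" tag.
accounttype=$(/usr/bin/dscl . -read "/Users/$netname" AuthenticationAuthority | head -2 | awk -F'/' '{print $2}' | tr -d '\n')

# Only a cached AD mobile account may proceed. The original used "break"
# here, which is a no-op outside a loop, so a plain local account fell
# through to the attribute deletion and chown below; exit instead.
if [[ "$accounttype" = "Active Directory" ]]; then
    mobileusercheck=$(/usr/bin/dscl . -read "/Users/$netname" AuthenticationAuthority | head -2 | awk -F'/' '{print $1}' | tr -d '\n' | sed 's/^[^:]*: //' | sed 's/;//g')
    if [[ "$mobileusercheck" = "LocalCachedUser" ]]; then
        # The name is passed as a %s argument so a "%" or "\" in it cannot
        # be interpreted by printf.
        /usr/bin/printf '%s has an AD mobile account.\nConverting to a local account with the same username and UID.\n' "$netname"
    else
        /usr/bin/printf 'The %s account is not a AD mobile account\n' "$netname"
        exit 1
    fi
else
    /usr/bin/printf 'The %s account is not a AD mobile account\n' "$netname"
    exit 1
fi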
  162.    
  163. # Remove the account attributes that identify it as an Active Directory mobile account
  164.  
  165. /usr/bin/dscl . -delete /users/$netname cached_groups
  166. /usr/bin/dscl . -delete /users/$netname cached_auth_policy
  167. /usr/bin/dscl . -delete /users/$netname CopyTimestamp
  168. /usr/bin/dscl . -delete /users/$netname AltSecurityIdentities
  169. /usr/bin/dscl . -delete /users/$netname SMBPrimaryGroupSID
  170. /usr/bin/dscl . -delete /users/$netname OriginalAuthenticationAuthority
  171. /usr/bin/dscl . -delete /users/$netname OriginalNodeName
  172. /usr/bin/dscl . -delete /users/$netname SMBSID
  173. /usr/bin/dscl . -delete /users/$netname SMBScriptPath
  174. /usr/bin/dscl . -delete /users/$netname SMBPasswordLastSet
  175. /usr/bin/dscl . -delete /users/$netname SMBGroupRID
  176. /usr/bin/dscl . -delete /users/$netname PrimaryNTDomain
  177. /usr/bin/dscl . -delete /users/$netname AppleMetaRecordName
  178. /usr/bin/dscl . -delete /users/$netname PrimaryNTDomain
  179. /usr/bin/dscl . -delete /users/$netname MCXSettings
  180. /usr/bin/dscl . -delete /users/$netname MCXFlags
  181. # Migrate password and remove AD-related attributes
  182.        
  183. PasswordMigration
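# Refresh Directory Services so the attribute changes are picked up.
# opendirectoryd replaced DirectoryService in 10.7. "osvers" holds only the
# minor version, which on macOS 11+ is the minor of 11.x and would wrongly
# select DirectoryService, so the major version is checked as well.
osmajor=$(sw_vers -productVersion | awk -F. '{print $1}')
if [[ "${osmajor}" -ge 11 || "${osvers}" -ge 7 ]]; then
    /usr/bin/killall opendirectoryd
else
    /usr/bin/killall DirectoryService
fi

# Give the directory service time to come back before re-reading the account.
sleep 20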
  192.  
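# Re-read the account type; a lingering "Active Directory" value means the
# AuthenticationAuthority edits did not take effect.
accounttype=$(/usr/bin/dscl . -read "/Users/$netname" AuthenticationAuthority | head -2 | awk -F'/' '{print $2}' | tr -d '\n')
if [[ "$accounttype" = "Active Directory" ]]; then
    # The account name goes through %s rather than the format string so a
    # name containing "%" or "\" cannot be misread by printf.
    /usr/bin/printf 'Something went wrong with the conversion process.\nThe %s account is still an AD mobile account.\n' "$netname" >&2
    exit 1
else
    /usr/bin/printf 'Conversion process was successful.\nThe %s account is now a local account.\n' "$netname"
fi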
  200.  
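# Hand the home folder to the now-local account. The value is taken from the
# "NFSHomeDirectory: /path" line with the prefix stripped rather than via
# awk's second field, so a home path containing spaces survives intact.
homedir=$(/usr/bin/dscl . -read "/Users/$netname" NFSHomeDirectory | sed 's/^NFSHomeDirectory: //')

# chown -R is only run on an existing directory that is neither the
# filesystem root nor the /Users container; an odd or empty
# NFSHomeDirectory value must not re-own the whole disk or every home.
if [[ -n "$homedir" && -d "$homedir" && "$homedir" != "/" && "$homedir" != "/Users" ]]; then
    /bin/echo "Home directory location: $homedir"
    /bin/echo "Updating home folder permissions for the $netname account"
    /usr/sbin/chown -R "$netname" "$homedir"
elif [[ -n "$homedir" ]]; then
    /bin/echo "Not updating home folder permissions: unexpected NFSHomeDirectory \"$homedir\"" >&2
fi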
  207.  
  208. # Add user to the staff group on the Mac
  209.  
  210. /bin/echo "Adding $netname to the staff group on this Mac."
  211. /usr/sbin/dseditgroup -o edit -a "$netname" -t user staff
  212.  
  213.  
  214. /bin/echo "Displaying user and group information for the $netname account"
  215. /usr/bin/id $netname
  216.  
  217. # Give admin rights.
  218. #/usr/sbin/dseditgroup -o edit -a "$netname" -t user admin; /bin/echo "Admin rights given to this account"; break;;