OS X new domain migration – retaining user profile with terminal commands

If you’ve been tasked with migrating a number of OS X El Capitan and Mavericks iMac, MacBook Pro or MacBook Air workstations to a new domain, you may need to retain the user profiles. Normally, when you unbind and then bind to a new domain, your users’ settings are lost. You may be tempted to use Migration Assistant, but this usually requires copying the entire profile somewhere else, which can take a long time and use a lot of disk space.

With the following steps you can use commands, scripting, and setting permissions and ownership of the user directories to perform the domain migration in place.

Below is the sequence of commands and the step-by-step workflow to migrate an OS X Mac to a different domain. The key is to delete the sqlindex files and prepare the user account for its new permissions. The guide may not make sense at first read, but it will allow you to migrate your Macs so that the users keep their same profile. Let me know if this guide helps you in your domain migration and if you find any better solutions.

Tasks and commands:

1. Log in as an admin user and list the users. In Terminal:
   ls -alh /Users/
2. Move the domain user's home folder to .old:
   sudo mv /Users/johndoe /Users/johndoe.old
3. Unbind the machine: Preferences -> Accounts -> Login Options -> Network account server -> Directory utility -> Active directory -> Unbind
4. Delete the sqlindex files found in /var/db/dslocal/nodes/Default/:
   sudo rm -f /var/db/dslocal/nodes/Default/sqlindex
   sudo rm -f /var/db/dslocal/nodes/Default/sqlindex-shm
   sudo rm -f /var/db/dslocal/nodes/Default/sqlindex-wal
5. Reboot:
   sudo reboot
6. Bind to the new domain: Preferences -> Accounts -> Login Options -> Network account server -> Directory utility -> Active directory -> Bind
7. Reboot.
8. Log in as the user.
9. Log out and log in as admin.
10. Move the new user folder to .new. After you have logged in as the user under the new domain, you need to move the newly created home folder to johndoe.new and then move the .old folder back to /Users/johndoe:
    sudo mv /Users/johndoe /Users/johndoe.new
11. Move .old to the new username:
    sudo mv /Users/johndoe.old /Users/johndoe
12. Change ownership of the user's home folder:
    sudo chown -R johndoe:"Domain\Domain Users" /Users/johndoe
13. Log out as admin.
14. Reboot.
15. Log in as that user (johndoe).
16. Click "Create a new keychain" (much easier in El Capitan and Yosemite). If "Create new Keychain" fails, go to Keychain Access -> Preferences -> Reset Default Keychain.
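The command steps above (1-4 and 10-12) gathered into two shell functions, as an added example that is not part of the original post. It assumes the same paths and username as the guide; the AD group is passed in as a parameter, the unbind, bind, reboot and login steps remain manual, and the USERS_ROOT/DSLOCAL_NODE variables can be pointed at a scratch directory to rehearse the folder moves before touching a real Mac.

```shell
#!/bin/sh
# Added example (not from the original post): the guide's command steps as two
# functions. Steps 1-4 run before you unbind, steps 10-12 after the first login
# on the new domain; unbind, bind, reboots and logins stay manual (GUI).
# Assumptions: USERS_ROOT and DSLOCAL_NODE default to the real paths and can be
# overridden for a dry rehearsal; the AD group name is whatever your domain uses.
set -eu

USERS_ROOT="${USERS_ROOT:-/Users}"
DSLOCAL_NODE="${DSLOCAL_NODE:-/var/db/dslocal/nodes/Default}"
DRY_RUN="${DRY_RUN:-0}"        # 1 = print the chown instead of running it

run() {                        # run a command, or only print it in dry-run mode
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-4: park the home folder as .old and delete the Directory Services
# sqlindex files so no stale record of the old-domain account is reused.
pre_unbind() {
  home="$USERS_ROOT/$1"
  [ -d "$home" ] || { echo "no home folder at $home" >&2; return 1; }
  # refuse to clobber an earlier .old copy (mv would nest the folder inside it)
  [ ! -e "$home.old" ] || { echo "$home.old already exists" >&2; return 1; }
  mv "$home" "$home.old"
  rm -f "$DSLOCAL_NODE/sqlindex" "$DSLOCAL_NODE/sqlindex-shm" "$DSLOCAL_NODE/sqlindex-wal"
  echo "now unbind in Directory Utility and reboot (steps 3 and 5)"
}

# Steps 10-12: set aside the home folder the first new-domain login created,
# put the original one back and hand it to the user's new domain identity.
post_rebind() {
  home="$USERS_ROOT/$1"; group="$2"
  [ -d "$home.old" ] || { echo "$home.old not found, run pre_unbind first" >&2; return 1; }
  [ ! -e "$home.new" ] || { echo "$home.new already exists" >&2; return 1; }
  if [ -d "$home" ]; then mv "$home" "$home.new"; fi
  mv "$home.old" "$home"
  run chown -R "$1:$group" "$home"   # e.g. johndoe:"NEWDOMAIN\Domain Users"
}

# usage: sudo ./migrate.sh pre johndoe
#        sudo ./migrate.sh post johndoe 'NEWDOMAIN\Domain Users'
case "${1:-}" in
  pre)  pre_unbind "${2:?username}" ;;
  post) post_rebind "${2:?username}" "${3:?group}" ;;
esac
```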

15 thoughts on “OS X new domain migration – retaining user profile with terminal commands”

    1. That’s a good question – we did not have FileVault enabled on our systems, so we never tested that scenario. If you do, please report back your results.

  1. This works brilliantly as a manual process, but we’re having difficulty successfully scripting it out – anyone have any success in that area?

  2. Does it matter whether the migrated user has local admin rights on that machine before the process is started?

    1. No, it should not matter. However, unbinding the machines, changing file/directory permissions and renaming user directories of course requires admin/root permissions.

  3. Thanks!
    I’ve tested it on a non-admin profile and it works, so I’ll go ahead with the others 🙂

  4. Hello, thank you for putting together all of these steps!

    I have followed these steps but at Step 8, when I log in as the user the logon process just hangs after entering credentials. I let it go for hours and the wheel just kept spinning.

    I have tried these steps with and without FileVault2 enabled with the same result multiple times.

    Since I couldn’t successfully log on, I performed a hard shutdown and after this, I could log in but received the following error popups:

    “A keychain cannot be found to store localdevice……..-AuthToken.”

    “macOS needs to repair your Library to run applications.”

    I am able to complete the rest of the steps by logging out after the hard shutdown, but I am really concerned about the logon hang after signing in to the machine using the user creds when pointing to the new AD domain. Am I missing anything?

    After moving the user’s home directory in Step 2, am I to also delete the user account as well? Thank you for all your help!

    1. So at step 8 you are essentially logging in as the domain user into the new domain, correct? If you’re having difficulty at that step I recommend you check your new domain binding settings (I think you should always put a checkmark in the mobile user setup). Additionally I would double-check DNS (it’s always DNS). I have a feeling the login is not locating the new domain and timing out. Also try logging in as a domain admin to see if it’s a permissions issue.

      1. That is correct. I am logging in as the domain user into the new domain. I will take a closer look as to what is different. Thank you for the response!

  5. Update: I am able to successfully unbind and rebind using the GUI. It appears as though either my bind or unbind command might need more flags, which is affecting the first login as the user after binding to the new domain.

    dsconfigad -remove -force -u none -p none

    dsconfigad -a $HOSTNAME -u $domain_admin_user -p $domain_admin_password -preferred $domain_controller -ou "CN=Computers,DC=newdomain,DC=corp" -domain $domain -mobile enable -mobileconfirm enable -localhome enable -useuncpath enable -groups "newdomain\Domain Admins,newdomain\Enterprise Admins"

    1. Sounds like you’ve narrowed down the issue which is always a good place to be! Let me know if you get the commands to complete successfully as well as you can with the GUI – I’m sure other admins would like to know!
