ihateapple.net

Since PB isn't around, I'll tell you the answers. .....
By:  P. Briscoe (Non running-dog anti-imperial anti-Bush unapologist name-changer; 22625)
Posted on: 04-15-2019 22:23.


1. dscl . -delete /Users/*username*

This deletes the cached account from the local (hence the dot) database so the next time they log in they get all the attributes from AD refreshed and get the correct "Display Name." It doesn't delete their home directory. However, for this to work, the 'shortname' cannot change. We don't allow shortname changes. You can be r123s456 yet change your "display" name to Muhammad Ali if you so desire--there is now a self-service Display Name Change option through Identity Management Portal. It works for students but not for employees because HR has their own database through PeopleSoft and good luck ever changing your name there without legal documents.

Display Name is what everyone sees in the GAL for Exchange/Skype and is also what gets published to the outside world-facing directory. Students also get to choose to remain unlisted; faculty and staff cannot. We're state employees and must be held accountable should someone want to contact us.

2. At the bind phase, simply uncheck the option to "create mobile (offline) accounts on login." Mobile accounts will allow a network directory user who has logged in at least once to log in using cached credentials if the domain controller cannot be contacted. But some attributes can go stale. Reboot doesn't fix this.

Our default bind to AD policy creates mobile accounts whether they're one-to-one deployments or public labs.

When mobile accounts are in force, OS X basically creates a duplicate entry in the LOCAL security database, and unless you do complicated attribute mappings, not all attributes get refreshed at login.

3. I suspect Windows handles this much better. So Windows is more Trans-Friendly.

Edited by P. Briscoe at 4/15/2019 10:29:17 PM

Edited by P. Briscoe at 4/15/2019 10:33:22 PM
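
A guard around the delete in step 1, as an added example that is not part of the original post: it only removes the local record when that record is a cached (mobile) directory account, so a purely local user is never deleted by mistake. It assumes mobile accounts carry a `;LocalCachedUser;` entry in `AuthenticationAuthority`; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to run `dscl . -delete /Users/<shortname>` unless the
# local record is a cached copy of a directory account (a mobile account).

# Constructed samples of: dscl . -read /Users/<shortname> AuthenticationAuthority
SAMPLE_MOBILE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:r123s456:00000000-0000-0000-0000-000000000000'
SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>'

# Succeeds (exit 0) when the attribute text marks a cached directory account.
# Assumption: mobile accounts are tagged with ";LocalCachedUser;".
is_mobile_record() {
    printf '%s\n' "$1" | grep -q ';LocalCachedUser;'
}

# Delete the cached record for one shortname. Must run as root on the Mac.
# Returns: 0 deleted, 1 no local record, 2 bad shortname, 3 not a mobile account.
refresh_cached_account() {
    shortname=$1
    case $shortname in
        # Empty names, wildcards and path characters never reach dscl.
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing shortname: '$shortname'" >&2
            return 2 ;;
    esac
    auth=$(dscl . -read "/Users/$shortname" AuthenticationAuthority 2>/dev/null) || {
        echo "no local record for $shortname" >&2
        return 1
    }
    if ! is_mobile_record "$auth"; then
        echo "$shortname is not a cached directory account; not deleting" >&2
        return 3
    fi
    # Home directory is left in place; attributes are re-fetched from AD
    # at the next login, provided the shortname is unchanged.
    dscl . -delete "/Users/$shortname"
}
```
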