WEBVTT

00:06.000 --> 00:10.710
In this lesson, we're going to demonstrate the difference between a network account and a mobile account.

00:12.010 --> 00:17.260
When we joined the domain with our mobile config profile, we had enabled an option in Profile Manager

00:17.500 --> 00:20.160
to create a mobile account upon login.

00:20.800 --> 00:23.910
Now, when we joined with a script, we didn't have such an option.

00:24.520 --> 00:29.800
So before this video started, I had joined the New York machine with the mobile config profile and

00:29.800 --> 00:31.930
I joined the machine with the script.

00:32.500 --> 00:34.420
So let's go ahead and compare the difference.

00:35.080 --> 00:39.640
These two machines with dsconfigad -show, that's what this job does.

00:41.960 --> 00:48.410
So as you can see, our New York machine says create mobile account at login enabled and our L.A. machine

00:48.410 --> 00:50.960
says create mobile account at login disabled.

00:51.580 --> 00:55.670
OK, so let's go ahead and compare the difference between the two machines.

00:59.280 --> 01:05.100
All right, so first, our New York machine, you see that it was done with the profile and let's go

01:05.100 --> 01:08.690
to users and groups and you can see it's logged in with a mobile user.

01:09.450 --> 01:15.080
And if we go over to our L.A. machine, you can see that it's logged in with a network user.

01:15.780 --> 01:18.500
So let's go ahead and log both of these machines out.

01:28.410 --> 01:33.480
And what we're going to do is we're going to simulate pulling the network cable from both of them.

01:35.910 --> 01:40.100
So let's go ahead and remove the network cable from the L.A. machine.

01:42.920 --> 01:49.100
And that other is the way that you would be able to log in with a network account.

01:50.660 --> 01:54.230
And so we're going to go ahead and do the same thing on the New York machine, we're going to go ahead

01:54.230 --> 01:55.700
and disable the network cable.

01:58.090 --> 02:03.940
And as you can see on the L.A. machine, which is the one with the network account, it can no longer

02:03.940 --> 02:04.810
find the network.

02:05.050 --> 02:08.940
And so you have no ability to log in with a network account.

02:08.950 --> 02:11.990
And the only local user on the machine was administrator.

02:12.070 --> 02:13.990
Thus, it's the only log inside.

02:14.890 --> 02:17.410
So let's go ahead and plug the network cable back in.

02:18.370 --> 02:23.470
And in the meantime, we're going to leave the New York account disabled, and as you can see, it comes

02:23.470 --> 02:25.810
up with my mobile account name.

02:26.920 --> 02:29.020
And let's go ahead and log in.

02:33.180 --> 02:39.240
And so now that this computer is back on the network, it sees the Active Directory and it's giving

02:39.240 --> 02:43.540
us the ability to log back in with our Active Directory account.

02:43.560 --> 02:45.000
So let's go ahead and do that.

02:52.130 --> 02:53.730
OK, and there you have it.

02:53.780 --> 02:57.740
That's the difference between a mobile account and a network account.

02:59.880 --> 03:06.390
All right, so I wanted to show you one other thing about mobile accounts and Active Directory in

03:06.390 --> 03:06.860
general.

03:07.260 --> 03:15.600
So we've unbound our machines from Active Directory and the one on the left, as we can see, has a mobile

03:15.600 --> 03:16.080
account.

03:16.320 --> 03:19.510
And the one on the right shows no account.

03:19.860 --> 03:30.420
So if we go to a computer and we go to users, you can see that our Active Directory user folder was

03:30.420 --> 03:30.680
there.

03:30.690 --> 03:33.600
That's because the user had logged in.

03:33.960 --> 03:40.560
So we unbound from the domain and it has a network account, but it does not mean that it erases the

03:40.560 --> 03:41.250
home folder.

03:41.640 --> 03:49.860
Likewise, on the one with the mobile account, the computer's unbound from the domain, but the user

03:49.860 --> 03:53.820
still has the ability to log in because there's a mobile folder.

03:54.270 --> 04:00.780
Now, if either or both of these computers are no longer being used by these users and we unbind

04:00.780 --> 04:05.520
them from the domain, then we can go ahead and delete the user folder.

04:06.060 --> 04:14.010
So on the one that has the mobile account, you would have to click on the user and then click delete

04:14.010 --> 04:19.950
user and then say delete home folder and you can go ahead and do that in the home folder.

04:19.950 --> 04:20.440
Delete.

04:20.940 --> 04:27.870
Now on this one, since the account isn't there anymore, then you simply would need to log in as administrator

04:28.080 --> 04:32.940
and then send the user folder to the trash.

04:34.880 --> 04:40.550
All right, so I've got the computers back into the same position they were before we deleted the accounts,

04:40.550 --> 04:43.360
and I want to show you how you can do this through the terminal.

04:44.390 --> 04:54.110
So, again, on the High Sierra machine, there's no mobile account listed if we go to.

04:55.400 --> 04:56.920
We go to the home directory.

04:59.070 --> 05:06.060
You can see that the Active Directory account is there where we're not on the domain, so on this

05:06.060 --> 05:07.510
one, we're not on the domain.

05:07.590 --> 05:08.490
We've got a mobile.

05:09.730 --> 05:11.100
We've got a mobile account.

05:11.940 --> 05:18.700
And if we go to users, then we're going to see that the profile folder's there, too.

05:19.350 --> 05:19.770
All right.

05:19.780 --> 05:25.100
So what I've done is I have created two jobs.

05:25.260 --> 05:27.600
One is going to list the accounts and profiles.

05:27.600 --> 05:29.400
And let's take a look at this real quick.

05:29.940 --> 05:36.660
And so I want to point out that it's really important that in your environment that you're probably

05:36.660 --> 05:39.010
going to need to adjust this line.

05:39.570 --> 05:46.910
So what I'm doing is I'm going to find all the folders in the user folder that are not named administrator

05:46.910 --> 05:48.140
and not named shared.

05:48.570 --> 05:50.910
So what that means is.

05:51.850 --> 05:59.770
When we go up to the users folder, I want to know what's not called administrator and what's not called

05:59.770 --> 06:01.210
shared now.

06:02.130 --> 06:09.180
If you log if you create your computers and they all have an account called admin on it or something

06:09.180 --> 06:12.150
completely different, then you would want to put that there.

06:12.300 --> 06:20.050
If you have absolutely no consistency in the user accounts that you use, they're all random.

06:20.340 --> 06:22.260
And this strategy may not work for you.

06:22.290 --> 06:23.610
You'll have to find another one.

06:23.940 --> 06:29.250
But if all of your accounts, if all of your systems have an administrator account and a shared account

06:29.250 --> 06:33.180
and you just want to know about the other ones, then this would work.

06:33.870 --> 06:39.470
So anyway, we're finding them all and then we're going to list all the users on the system.

06:39.630 --> 06:42.040
So that's what this second line does.

06:42.360 --> 06:47.410
So let's go ahead and run it on both because the output is going to look a little bit different.

06:48.180 --> 06:55.470
So on the first computer with the mobile account, you can see that it found an account for our Active

06:55.470 --> 06:56.430
Directory user.

06:56.880 --> 07:02.370
And if we scroll down now, this shows all the other accounts.

07:02.760 --> 07:05.750
And so the account is there as well.

07:06.450 --> 07:07.680
And on this machine.

07:08.710 --> 07:17.830
It's now the Active Directory user profile folder, and then if we scroll down, you'll see that that

07:17.830 --> 07:24.070
account's not on the machine and that's because it's a network account.

07:24.220 --> 07:29.730
And so there's no mobile account on it because it's off the domain.

07:29.740 --> 07:31.450
It doesn't know about that account anymore.

07:32.380 --> 07:32.800
All right.

07:32.800 --> 07:39.160
So now if we go to this account up script, what it's going to do is it's going to make.

07:40.160 --> 07:47.320
An array called users based off of every subfolder that's in the Users folder that's not called administrator

07:47.320 --> 07:47.870
or shared.

07:47.870 --> 07:54.200
So in our case it was one on each and then it's going to loop through all of those names and it's going

07:54.200 --> 07:59.810
to delete the account with the name on it, and then it's going to remove the folder with that name

07:59.810 --> 08:00.120
on it.

08:00.500 --> 08:09.020
So in the case of our machine with a network account, this line is going to give a failure, which

08:09.020 --> 08:09.830
is fine.

08:09.830 --> 08:10.730
It's just going to error.

08:10.730 --> 08:14.090
It's not going to cause any harm, but it will delete the home folder.

08:14.420 --> 08:23.210
And on our computer that's got the mobile account, then both of the lines will work because.

08:24.610 --> 08:29.770
The account is there and the profile folder's there, so let's go ahead and run.

08:30.080 --> 08:31.450
Let's go ahead and run this.

08:33.740 --> 08:39.230
And just like I said, you know, we got an error on deleting the account because it's invalid,

08:39.240 --> 08:40.580
that account didn't exist.

08:42.920 --> 08:49.340
And so when we go ahead and we look at the machine, so that account is gone, and then if we go

08:49.340 --> 08:54.250
and we look on the other machine, again, the profile is gone.

08:54.620 --> 08:57.920
Now, it still shows that this account is here.

08:58.520 --> 09:04.810
But I think I'm going to have to reboot the machine for it to disappear.

09:04.820 --> 09:10.140
If I log that in again, it's possible that it's going to be gone.

09:10.160 --> 09:11.930
But let's go ahead and take a look.

09:12.140 --> 09:17.000
Well, as you can see, that we don't have the option for any of the mobile account login.

09:17.000 --> 09:19.000
So the mobile account must be gone.

09:19.340 --> 09:24.350
But let's go ahead to the user's system preference and see.

09:27.260 --> 09:30.680
And it is indeed gone, so that's how you do it from the terminal.

09:30.710 --> 09:36.770
So if you're in the situation where you need to delete the home folders or the mobile accounts on machines

09:36.770 --> 09:39.610
that aren't accessible, then this is how you can do it.

09:41.200 --> 09:45.640
When we joined the domain with our mobile config profile, it created a mobile account, and when we

09:45.640 --> 09:48.780
use the script to join the domain, it created a network account.

09:49.270 --> 09:54.880
So if we want to join the domain with a script and use a mobile account, we have to add a couple of

09:54.880 --> 09:56.480
options that we didn't use before.

09:56.980 --> 10:04.840
So at the end of this script that we used before, I added a few options: mobile enable, mobile confirm

10:04.840 --> 10:10.030
disable, which prevents the user from being asked if they want to create a mobile account, and local home

10:10.030 --> 10:14.650
enable, which forces the user's profile onto the Mac's internal hard disk.

10:15.910 --> 10:22.920
So what we have here when we use this is that we're having our bound Active Directory.

10:23.140 --> 10:26.290
We're using an Active Directory account to log in.

10:26.590 --> 10:31.760
And after that, it would be identical to just creating a local account on a Mac.

10:31.930 --> 10:32.280
All right.

10:32.290 --> 10:33.790
So we have the job running.

10:33.790 --> 10:38.920
And when it's done, we're going to go ahead and do a dsconfigad to confirm the results.

10:40.260 --> 10:46.680
And here we are, so we have create mobile account enabled, require confirmation disabled, and force

10:46.680 --> 10:48.360
home to startup disk enabled.

10:48.510 --> 10:49.940
Those are the options we want.

10:49.950 --> 10:50.990
We have them on both.

10:51.390 --> 10:53.550
And that's how you would do it with a script.
