The Problem
Recently Coworker A left our organization and granted mailbox permissions to her supervisor, Coworker B, so that Coworker B could track down any necessary reference material from that mailbox. This is a pretty standard procedure. Usually mailboxes stay active for 30 days, and as long as all of the proper approvals are in place we can grant permissions for a departing employee's mailbox to another employee (usually a supervisor). That generally gives enough time for emails to be exported, etc.
In this case, the necessary emails had not been transferred out of the account in time. Coworker A’s user account had been transferred to Coworker B’s MacBook Pro and all the data was present, however those emails could not be opened because they weren’t associated with Coworker B’s Outlook profile.
The Solution
In order to extract those emails it would be necessary to first access Coworker A’s user account on the computer, then open Outlook and archive the emails. This presented more complications:
Because Coworker A’s account had been deleted from Active Directory all emails associated with her account had been deleted from the Exchange server. The emails in question existed only in Coworker A’s user account.
If we simply created a new account in AD with the same user name and reset the password to sign in to her account on the computer Outlook would look to the server, find no emails in the Exchange mailbox and delete the cached mail from Coworker A’s Outlook profile. Not ideal. Not to mention the virtual impossibility of creating such an account without actually hiring someone due to the amount of automation built in to our current on-boarding process.
Procedure
Because I needed to access Coworker A’s account directly, while keeping Outlook from talking to the Exchange server I’d need to deal with a local account on the computer that could be managed by the local administrator account. There are two ways I could do this:
First Option
Delete the managed, mobile account from the computer but leave the account’s home folder intact. This would allow me to create a new account with the same name from the Users and Groups Preferences pane, remove the “(deleted)” tag from the name of the user account in the Finder, then sign in as the new user.
I’ve used this method before to recover a corrupted managed, mobile account, but I don’t like to use it as it leaves the process open to data loss (if I pick the wrong radio button from the “Delete Account” options) or permissions issues if the OS doesn’t handle the procedure exactly the way I’m expecting it to.
Second Option
Rich Trouton built a script that can both disjoin a Mac from an Active Directory domain and convert a managed, mobile account to a local account. As an added bonus it can do these tasks independently of each other, which meant I could convert Coworker A's profile to a local account without touching the AD binding.
Running the script was straightforward: it checked to see if the computer was joined to an AD domain and asked whether or not I'd like to disjoin, then presented a list of users on the device. After telling the script which user to convert it went to work and a short time later presented me with a local user account.
Once the local account was created I could change the password through the Users & Groups System Preferences pane and log in to the account. Outlook opened after an update and I was able to export an archive of the mailbox, have Coworker B log back in, and finally import the archive to Coworker B’s mailbox as a local archive.
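Before and after a conversion like the one above it is worth confirming what state the account is actually in, since a half-converted record (local password set, but cached AD attributes still present) is exactly the kind of thing that can leave Outlook or the login window behaving unexpectedly. The script below is an added example, not part of the original post and not Rich Trouton's script; it classifies a user record as a mobile (AD-cached) account, a plain local account, or a partially converted one. The attribute names it looks for (OriginalNodeName, OriginalAuthenticationAuthority, cached_groups, the LocalCachedUser authentication authority, and so on) are what macOS Directory Services writes for cached network users, but the list is an assumption and may vary by OS version; the sample records are constructed, and the audit_user wrapper that reads a live record with dscl only works on a Mac.

```shell
#!/bin/sh
# Added example: audit a macOS user record for the markers of a managed,
# mobile (Active Directory cached) account. Not the original post's code
# and not Rich Trouton's conversion script.

# Attribute names that only appear on AD mobile accounts. Assumed list,
# based on what Directory Services writes for cached network users.
MOBILE_ATTRS="OriginalNodeName OriginalAuthenticationAuthority cached_groups cached_auth_policy CopyTimestamp SMBSID PrimaryNTDomain AltSecurityIdentities"

# count_mobile_attrs RECORD_TEXT
# Prints how many mobile-only attributes are present in a dscl-style dump.
count_mobile_attrs() {
    record="$1"
    n=0
    for attr in $MOBILE_ATTRS; do
        if printf '%s\n' "$record" | grep -q "^$attr:"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# is_mobile_account RECORD_TEXT
# Succeeds if the record carries a ;LocalCachedUser; authentication
# authority, the definitive marker that logins are validated against a
# cached network account rather than a purely local one.
is_mobile_account() {
    printf '%s\n' "$1" | grep -q ';LocalCachedUser;'
}

# audit_record RECORD_TEXT -> prints one of: mobile, partial, local
audit_record() {
    record="$1"
    n=$(count_mobile_attrs "$record")
    if is_mobile_account "$record"; then
        echo mobile
    elif [ "$n" -gt 0 ]; then
        # Conversion started (no LocalCachedUser authority) but leftover
        # AD attributes remain; worth cleaning up before relying on it.
        echo partial
    else
        echo local
    fi
}

# audit_user USERNAME
# Reads the live record with dscl and classifies it (macOS only).
audit_user() {
    audit_record "$(dscl . -read "/Users/$1")"
}

# Constructed sample record, in the multi-line form dscl uses when an
# attribute value contains spaces (as "All Domains" does). GUID is a placeholder.
SAMPLE_MOBILE='RecordName: coworker.a
OriginalNodeName: /Active Directory/EXAMPLE/All Domains
OriginalAuthenticationAuthority: ;Kerberosv5;;coworker.a@EXAMPLE.COM;EXAMPLE.COM;
AuthenticationAuthority:
 ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:coworker.a:00000000-0000-0000-0000-000000000000
 ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
cached_groups: 1 2 3
NFSHomeDirectory: /Users/coworker.a'

# Constructed sample of the same user after a clean conversion to local.
SAMPLE_LOCAL='RecordName: coworker.a
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
NFSHomeDirectory: /Users/coworker.a'

# Stand-alone run: classify both constructed samples, then, on a Mac,
# audit a real user if one was named on the command line.
echo "sample mobile record: $(audit_record "$SAMPLE_MOBILE")"
echo "sample local record:  $(audit_record "$SAMPLE_LOCAL")"
if [ -n "$1" ] && command -v dscl >/dev/null 2>&1; then
    echo "$1: $(audit_user "$1")"
fi
```

Run it with no arguments to see the two constructed samples classified; on a Mac, pass a short name (sudo ./audit_account.sh coworker.a) to check the live record before converting and again afterwards, where anything other than "local" means the conversion left something behind.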